Thales leaves Russian banks to fend for themselves
Banks are already switching foreign equipment to domestic, but this might take a long time.
The French company Thales, which makes hardware security modules (HSM) for payment systems, has announced it will no longer work in the Russian market. A company representative told Forbes about this.
The company has shut down all digital security operations for Russian banks; it used to serve 20 Russian banks.
Thales Group is an international company that creates high-tech products and services in various areas: digital identity and security, military, aerospace and transportation industries. Thales supplied payShield 9000 modules, which are devices for ATMs that protect and encrypt user data, to Russia. According to Thales DNA Distribution, this module provides protection for operations such as PIN verification, payment transactions, payment card issuance, and encryption key management. The payShield 9000 is the most popular payment system security module in the world, handling over 80% of the world’s payment card transactions.
Thales solutions are an international standard for protecting bank card information cryptographically. Andrey Golov, CEO of Security Code, explains to Forbes that this solution checks the PIN code, CVV code, and other data when a card is used. As an example, the source notes that this solution is what allows cards from American issuing banks to be accepted in other countries.
The company representative refused to disclose the names of the banks that worked with Thales. However, data on the public procurement website shows that from 2014 to 2021, tenders for the supply and license of Thales modules and software were announced by several Russian banks. Thales also reported cooperation with Alfa-Bank on its website.
The Thales representative emphasized that the company is not the only one providing security in the Russian banking sector. The American company Entrust, which last year acquired the French company Antelop Solutions, has a similar module and planned to start delivering its products to Russia before the “special operation”*, according to a source in the distribution company Thales.
Russian companies like Infotex and CryptoPro have developed similar solutions, says Alexey Lukatsky, an independent expert in information security. According to the expert, the withdrawal of Thales from Russia is not a critical problem because the solutions already sold are still functioning, and banks will have time to switch to Russian alternatives; an operational transition may take about six months.
According to Kommersant, a decision was made in mid-April at a meeting of the Central Bank with banks and Russian manufacturers of HSM modules to promptly replace foreign equipment with Russian equipment. In addition, in 2018, the law on the security of critical information infrastructure (CII) came into force, requiring banks, telecom operators, fuel and energy companies, government agencies, and transport companies to switch to Russian software and equipment. Initially, banks were supposed to switch to domestic hardware in 2022, but then the Ministry of Digital Development proposed to postpone the transition until 2025. According to the March presidential decree, from 2022, CII subjects will not be able to purchase foreign software, including as part of software and hardware systems, and from 2025, they will not be able to use it.
Dmitry Gusev, Deputy General Director of Infotex, is not as optimistic as Lukatsky. He says one cannot predict how foreign vendors will behave before using their products. Gusev assumes that Thales products will work well until the end of the warranty and technical support period, but there is a chance that the HSM modules may stop working during a software update.
Banks are working to avoid HSM failures, which could lead to problems across the entire banking processing system. VTB is replacing foreign crypto-encryption solutions as part of an import substitution program. Alfa-Bank gave assurances that Thales' exit from the Russian market won't affect payment availability and security. The bank is already testing and implementing alternative solutions, which may take from two weeks to several months. Sberbank, Rosselkhozbank, and RRDB did not respond to Forbes inquiries.
Gusev also mentions that each major bank customizes software elements, making it impossible to create a universal cryptoprotection module, despite recommendations from the Payment Card Industry Security Standards Council.
Another issue with import substitution is the challenge of quickly producing enough modules to meet all banks' needs. It's also uncertain whether domestic solutions will handle the same workload as Thales did. Tests to verify the operation of the modules are underway. SPB HSM PS from the Practical Security Systems company, part of the Infotex Group of Companies, is participating in these efforts. Forbes has contacted CryptoPro.
Gusev estimates that a full transition to domestic modules supporting Russian cryptography for banks may take several years. This involves producing the required number of modules, supporting Russian cryptography at payment terminals and ATMs, and manufacturing the necessary volume of bank cards supporting Russian cryptography.