Thales leaves Russian banks to fend for themselves
Banks are already changing foreign equipment to domestic, but this may take a long time
The French company Thales, which produces hardware security modules (HSMs) for payment systems, has announced the termination of work in the Russian market. Forbes was told about this by a company representative.
According to her, the company curtailed all digital security operations in the Russian banking sector; previously, the group served 20 Russian banks.
Thales Group is an international company that creates high-tech products and services in several areas: digital identity and security, military, aerospace and transportation industries. In Russia, Thales supplied payShield 9000 modules, devices designed for ATMs that protect and encrypt user data, an employee of the Thales distribution company told Forbes. This module provides protection for operations such as PIN verification, payment transactions, payment card issuance, and encryption key management, according to the website of the official distributor Thales DNA Distribution. The distributor also points out that payShield 9000 is the world’s most popular payment system security module, handling more than 80% of the world’s payment card transactions.
Thales solutions are an international standard for the cryptographic protection of bank card information: when a card is used, they check the PIN code, the CVV code and other data, Andrey Golov, CEO of Security Code, explains to Forbes. For example, he says, it is with the help of this solution that cards of American issuing banks are also accepted in other countries.
The company representative refused to disclose the names of the banks that worked with Thales. However, according to data on the public procurement website, from 2014 to 2021 tenders for the supply and licensing of Thales modules and software were announced by Sberbank, VTB, Rosselkhozbank, the All-Russian Regional Development Bank (RRDB) and the West Siberian Commercial Bank. Thales itself also reported on its website about cooperation with Alfa-Bank.
The Thales representative stressed that the company is not the only one involved in providing security in the Russian banking sector. The American company Entrust, which last year bought the French company Antelop Solutions, has a similar module and wanted to start delivering its products to Russia before the “special operation”, said a source in the distribution company Thales.
Similar solutions have been developed by Russian companies – Infotex and CryptoPro, said Alexey Lukatsky, an independent expert in the field of information security. According to the expert, the withdrawal of Thales from Russia is not a critical problem: while the solutions already sold are still working, banks will have time to switch to Russian counterparts. With a prompt transition, this may take about six months, he believes.
According to Kommersant, in mid-April, at a meeting of the Central Bank with banks and Russian manufacturers of HSM modules, a decision was made to promptly replace foreign equipment with Russian equipment. In addition, in 2018 the law on the security of critical information infrastructure (CII) came into force, according to which banks, telecom operators, fuel and energy companies, government agencies and transport companies must switch to Russian software and equipment. Initially, banks were supposed to switch to domestic hardware in 2022, but then the Ministry of Digital Development proposed to postpone the transition until 2025. According to the March presidential decree, from 2022 CII subjects will not be able to purchase foreign software, including as part of software and hardware systems, and from 2025 they will not be able to use it.
Dmitry Gusev, Deputy General Director of Infotex, is not as positive as Lukatsky. “Unfortunately, we do not know in advance how this or that foreign vendor will behave and what mechanisms for limiting performance are embedded in the products of this vendor,” says Gusev. He assumes that in the best case, Thales products will work in full until the end of the warranty and technical support period and not reduce the security level of end systems, and in the worst case, there is a possibility that the HSM modules will stop working during the next software update.
“As far as we know, banks are making efforts to prevent the second situation. But if this does happen, then there are risks of stopping the operation of the entire processing system of the bank, since HSM is involved in all operations with bank cards, from linking a card to a specific individual to verifying all operations with a bank card account: replenishment, withdrawal, etc.,” concludes Gusev.
A VTB representative told Forbes that the bank is successfully replacing foreign crypto-encryption solutions as part of a bank-wide import substitution program.
A representative of Alfa-Bank assured that the withdrawal of Thales from the Russian market will not affect the availability and security of payments. “Everything is working as usual. Thales equipment is not unique, either in Russia or abroad. It will be possible to replace it with a similar one in terms of characteristics and properties from Russian and foreign suppliers. Testing and implementation of alternative solutions are already underway,” a bank representative said. According to him, the transition is individual for each process – from two weeks to several months.
Sberbank, Rosselkhozbank and RRDB did not respond to Forbes inquiries.
Gusev also notes that, despite recommendations from the Payment Card Industry Security Standards Council (PCI SSC), each major bank adapts software elements for itself, so it is impossible to create a universal cryptoprotection module.
Another problem with import substitution is the inability to quickly produce enough modules to cover the needs of all banks, Lukatsky points out. In addition, it is still unknown whether domestic solutions will cope with the load that Thales handled, he adds. Gusev says that the tests necessary to verify the operation of the modules have already begun. From the Infotex Group of Companies, the Practical Security Systems company is taking part in this work with its SPB HSM PS. Forbes sent a request to CryptoPro.
According to Gusev’s forecast, a full transition to domestic modules for banks with support for Russian cryptography may take several years, since it is necessary not only to produce the required number of modules, but also to support Russian cryptography at payment terminals and ATMs and produce the required volume of bank cards themselves, which also support Russian cryptography.