HadeSec Solutions

Cerberus secures payment key lifecycle operations.

An enterprise-grade desktop application for cryptographic key lifecycle management in card payment processing environments using Thales PayShield 10K transaction HSMs and Thales Luna Network HSM-backed protected storage.


Product

Cerberus

Cerberus replaces manual, error-prone key ceremony procedures with controlled, auditable, and operator-friendly workflows. It helps payment organizations make HSM operations accessible to authorized non-technical users without weakening dual-control, split-knowledge, audit, or PCI DSS expectations.

Built for regulated payment environments

The product is designed for deployment at card processing companies operating under PCI DSS v4.0.1, where cryptographic key handling must be deliberate, traceable, role-separated, and ready for assessor review.

Unified operator interface for payment key lifecycle operations across Thales PayShield 10K HSMs
Encrypted key storage under a Thales Luna Network HSM, with rich searchable metadata
Controlled key ceremonies, dual-control enforcement, split knowledge, and immutable audit evidence
Designed for PCI DSS v4.0.1-scoped Windows workstation environments in card processing companies

Target Environment

Purpose-built for card processing HSM operations.

Card processors supporting Mastercard, Visa, and other payment schemes

Thales PayShield 10K transaction HSM environments

Thales Luna Network HSM used as the storage and KEK protection layer

Windows-based operator workstations inside PCI DSS-scoped networks

Feature Modules

From key generation to evidence artifacts.

Cerberus organizes payment key management into controlled modules so operators can perform sensitive actions through predictable workflows while administrators retain strict control over policy and access.

Key Generation and Import

Generate Single DES, 3DES, AES, EMV issuer master keys, and derivation keys through PayShield host commands. Import keys under ZMK or KEK with full component ceremony support and operator-level event logging.

Key Registry and Metadata

Store every key with label, description, intended use, owning scheme, associated system, creation date, operator, status, and rotation schedule so non-HSM experts can safely identify the right key.

Key Export and Exchange

Export keys under ZMK for third-party exchange, support split-knowledge component ceremonies, and preserve encrypted export audit trails for compliance review.

Rotation and Lifecycle

Track lifecycle states from Active to Suspended, Compromised, and Destroyed. Schedule expiry warnings for scheme-specific rotation rules, including PEK rotation timelines.
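The lifecycle tracking described above amounts to a small state machine plus a rotation clock. The following is an added illustration, not Cerberus code: the states are the ones named on this page, but the permitted transitions, the 30-day warning window and the `KeyRecord` fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Lifecycle states named on the page. The transition table is an assumption
# for this example: a compromised key may only be destroyed, and Destroyed
# is terminal, so a key can never silently return to service.
ALLOWED_TRANSITIONS = {
    "Active": {"Suspended", "Compromised", "Destroyed"},
    "Suspended": {"Active", "Compromised", "Destroyed"},
    "Compromised": {"Destroyed"},
    "Destroyed": set(),
}


@dataclass
class KeyRecord:
    """Minimal registry entry (fields are assumed for the example)."""
    label: str
    status: str = "Active"
    created: date = date(2024, 1, 1)
    rotation_days: int = 365            # scheme-specific rotation interval
    history: list = field(default_factory=list)


def transition(record: KeyRecord, new_status: str, operator: str, reason: str) -> KeyRecord:
    """Move a key to a new state only if the transition table allows it,
    recording who did it and why in the record's history."""
    if new_status not in ALLOWED_TRANSITIONS:
        raise ValueError(f"unknown state {new_status!r}")
    if new_status not in ALLOWED_TRANSITIONS[record.status]:
        raise ValueError(f"{record.status} -> {new_status} is not permitted")
    record.history.append((record.status, new_status, operator, reason))
    record.status = new_status
    return record


def rotation_due(record: KeyRecord, today: date, warn_days: int = 30):
    """Return (days_remaining, level) where level is OK, WARNING or OVERDUE.
    The 30-day warning window is an assumed default."""
    due = record.created + timedelta(days=record.rotation_days)
    remaining = (due - today).days
    if remaining < 0:
        return remaining, "OVERDUE"
    if remaining <= warn_days:
        return remaining, "WARNING"
    return remaining, "OK"


if __name__ == "__main__":
    pek = KeyRecord("PEK-EXAMPLE-01", rotation_days=90)   # constructed sample key
    print(rotation_due(pek, date(2024, 3, 15)))           # (16, 'WARNING')
    transition(pek, "Compromised", "custodian-a", "suspected exposure")
    try:
        transition(pek, "Active", "custodian-b", "reactivate")
    except ValueError as err:
        print("blocked:", err)
```

Because `Compromised` has no path back to `Active`, an operator cannot undo a compromise declaration through the UI; the only way forward is destruction and replacement, which is the behaviour a scheme rotation policy expects.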

PayShield Host Interface

Communicate directly with PayShield 10K over TCP/IP while exposing only a curated set of operationally safe commands. Monitor connection health, failover behavior, and command-level audit events.

Luna HSM Integration

Use a PKCS#11-based storage provider abstraction. Luna is the default target, SoftHSM is supported for development and test, and Utimaco, Entrust, or AWS CloudHSM providers can be added behind the same interface.

RBAC and Dual Control

Separate Administrator, Key Custodian, Operator, and Auditor responsibilities. Critical operations require two eligible authenticated users, with session timeout and re-authentication controls.
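The dual-control rule above is easy to state and easy to get subtly wrong (the same person approving twice, or an approval riding on a session that should have timed out). The following added example, which is not Cerberus code, shows the check a workflow engine would run before a critical operation proceeds; the role-to-operation eligibility table, the 10-minute idle timeout and the `Session` shape are assumptions for the example.

```python
from dataclasses import dataclass

# Roles named on the page. Which roles may approve which critical operation
# is an assumption for this example; Auditors are deliberately read-only.
ELIGIBLE = {
    "key_export": {"Key Custodian", "Administrator"},
    "key_destroy": {"Key Custodian", "Administrator"},
}
SESSION_IDLE_TIMEOUT = 600   # seconds; assumed value, not a Cerberus setting


@dataclass
class Session:
    user: str
    role: str
    last_activity: float     # epoch seconds of the last authenticated action


def session_valid(session: Session, now: float) -> bool:
    """A session whose idle time exceeds the timeout needs re-authentication."""
    return now - session.last_activity <= SESSION_IDLE_TIMEOUT


def authorize_dual_control(operation: str, sessions: list, now: float) -> list:
    """Return the two approving user names, or raise PermissionError.

    Dual control means two *distinct* people, each currently authenticated
    and each holding a role eligible for this operation. Stale sessions and
    ineligible roles are skipped rather than counted.
    """
    if operation not in ELIGIBLE:
        raise PermissionError(f"unknown critical operation {operation!r}")
    approvers, seen = [], set()
    for s in sessions:
        if not session_valid(s, now):
            continue                      # idle too long: must re-authenticate
        if s.role not in ELIGIBLE[operation]:
            continue                      # role not eligible for this action
        if s.user in seen:
            continue                      # one person cannot count twice
        seen.add(s.user)
        approvers.append(s.user)
    if len(approvers) < 2:
        raise PermissionError(
            f"{operation} requires two distinct eligible users; have {approvers}")
    return approvers[:2]


if __name__ == "__main__":
    # Constructed sample sessions; timestamps are relative to now=1000.0
    custodian_a = Session("alice", "Key Custodian", last_activity=950.0)
    custodian_b = Session("bob", "Key Custodian", last_activity=990.0)
    auditor = Session("carol", "Auditor", last_activity=999.0)
    print(authorize_dual_control("key_export", [custodian_a, custodian_b, auditor], 1000.0))
```

The ordering of the three skips matters for evidence: a rejected request should say *why* it failed (timeout, role, or duplicate user) so the audit record explains the refusal rather than just logging "denied".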

Audit and Compliance

Create immutable, append-only, tamper-evident audit logs with no key material written to logs. Export evidence packs for PCI DSS assessors and ceremony documentation.
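"Append-only" and "tamper-evident" are usually delivered by chaining each log entry to the previous one and authenticating each entry. The following added example is not Cerberus's logging code; it shows one common construction (an HMAC hash chain with a deny-list of field names that must never reach the log). The MAC key, the field names in `KEY_MATERIAL_FIELDS` and the entry format are assumptions for the example.

```python
import hashlib
import hmac
import json

# Field names that must never appear in an audit event (assumed list).
# Real systems would also scan values, not just keys; this is the minimum.
KEY_MATERIAL_FIELDS = {"key_value", "clear_key", "component", "kcv_input"}

GENESIS = "0" * 64   # chain anchor for the first entry


class AuditLog:
    """Append-only log where every entry commits to the previous entry's tag."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key          # would live in the storage HSM in practice
        self.entries = []
        self._prev = GENESIS

    def append(self, event: dict) -> str:
        leaked = KEY_MATERIAL_FIELDS & set(event)
        if leaked:
            raise ValueError(f"refusing to log key material fields: {sorted(leaked)}")
        body = json.dumps(
            {"seq": len(self.entries), "prev": self._prev, "event": event},
            sort_keys=True)
        tag = hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()
        self.entries.append({"body": body, "tag": tag})
        self._prev = tag
        return tag

    def head(self) -> str:
        """Latest tag; anchor this externally to detect truncation."""
        return self._prev

    def verify(self):
        """Walk the chain; return (True, count) or (False, first_bad_index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            rec = json.loads(e["body"])
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i
            expected = hmac.new(self._mac_key, e["body"].encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["tag"]):
                return False, i
            prev = e["tag"]
        return True, len(self.entries)


if __name__ == "__main__":
    log = AuditLog(mac_key=b"example-mac-key-not-for-production")
    # Constructed sample events: identifiers and outcomes, never key bytes.
    log.append({"op": "key_generate", "label": "ZPK-EXAMPLE", "operator": "alice"})
    log.append({"op": "key_export", "label": "ZPK-EXAMPLE",
                "approvers": ["alice", "bob"], "result": "ok"})
    print(log.verify(), log.head()[:16])
```

Two caveats worth knowing. Editing or reordering an entry breaks the chain at that index, which `verify()` reports; but silently deleting the *last* entries leaves a shorter chain that still verifies, so the current `head()` tag should be written somewhere the log process cannot modify (the storage HSM, a WORM store, or a periodically signed checkpoint). And the deny-list only catches fields by name; a value scan for hex strings of key-like length is a sensible second layer.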

Binary Hardening

Protect sensitive runtime handling with pinned memory, explicit zeroing, code signing, IL obfuscation, anti-debugging hooks, and tamper detection patterns.

Control

Replace manual ceremony steps with guided workflows for key generation, import, export, rotation, and destruction.

Protect

Keep key material encrypted under dedicated storage HSM controls while preventing unsafe commands and operator shortcuts.

Prove

Produce append-only audit trails, ceremony evidence, lifecycle history, and QSA-ready reports without exposing key material.

Compliance Posture

Aligned to PCI DSS v4.0.1 key management evidence needs.

Cerberus is designed around PCI DSS v4.0.1 requirements for key management, key lifecycle governance, and audit logging, including Requirements 3.6, 3.7, and 10.x.

Dual control and split knowledge are enforced in workflow logic, rotation schedules can be aligned to Mastercard, Visa, and other scheme-specific rules, and evidence artifacts can be generated for QSA assessment packages.