How encryption is performed in the bank

[Brother]

If a bank issues cards, then it should have an interesting device like this - HSM (Hardware Security Module), or sometimes they are called crypto computers.
In order to process card transactions, many cryptographic operations have to be performed: encryption, decryption, calculation of an electronic signature, verification of an electronic signature, generation of keys (secrets) for all these algorithms, storage and protection of all these keys ... And a number of other functions ...
Imagine a situation: somewhere in a bank a key is stored with which important data is signed. If you get hold of this key, then you can sign arbitrary data, passing it off as real transactions. You can easily ruin both the bank and its clients. So in order to store all these keys in a safe place, HSM is used. This is a special computer (for example - in the photo), which has a lot of all kinds of protections. For example, if he discovers that someone is trying to break into his case - he physically destroys the hard drives inside himself so as not to get to the enemy!

All the most important keys needed for processing work are stored in it. And not a single key leaves the HSM in cleartext. The only time the keys can leave the HSM is during a backup. But even in this case, they are first encrypted with another, transport key, and only then, in encrypted form, they can leave this evil box. But then how to perform all these encryption-decryptions?

And so. HSM itself does them. It is a very powerful computer designed for such tasks. It is clear that if it slows down, all these calculations on the cards will automatically start to slow down, so the performance requirements for it - oh, hoo! Considering that many of these calculations are quite resource-intensive ...
In short, the piece of iron is so super-protected and super-productive. The card service program (front office) over the network sends an encrypted message to this HSM and asks to decrypt it using the key number such and such. A decrypted message comes back. Do you want to encrypt? You send the HSM clear text, you name the key number to be used, and you get an encrypted message back. And so with everything else. It is clear that in order for HSM to answer you, you need to trust it. It also has encryption, passwords, hardware firewalls, etc.

The price of this HSM varies greatly, but is comparable to the price of a good apartment. In Moscow. And the bank always needs them in duplicate. One worker, the other backup. At least two. If you still release the cards yourself, then two more. And if you still support Internet payments - two more ... Expensive. Therefore, there are organizations - "processing centers", which are not banks themselves, but only sell processing services. For small banks - just that!