What to Choose: HSM, Tokenization Appliance, or Both?
It is important to understand that a hardware security module (HSM) and a tokenization appliance are two different kinds of device. They work together, but neither can replace the other.
A tokenization appliance implements the vault: it generates tokens and stores the mapping between each token and the encrypted cardholder data. The encryption and decryption of the card numbers themselves are delegated to the HSM, which the appliance talks to over the HSM's API (PKCS#11 or a vendor-specific interface). PCI DSS requires encryption keys to be changed when they reach the end of their defined cryptoperiod (the "once a month" figure that is sometimes quoted is not a PCI DSS requirement; the standard leaves the cryptoperiod to the key owner's policy, with NIST SP 800-57 as the usual reference). Rotating a key means re-encrypting every stored record under the new key and tracking which key version protects each record. That bookkeeping belongs to the vault, which is why a tokenization appliance has built-in key rotation functionality, while the HSM on its own only generates, stores and uses keys and knows nothing about the records encrypted under them.
An HSM is primarily intended for encrypting and decrypting card numbers and for verifying PINs and EMV cryptograms. It does not, however, store tokens or the token-to-ciphertext mapping, so an HSM alone cannot turn a token back into a card number; that lookup is the tokenization appliance's job.
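To make this division of labour concrete, here is an added example that is not code from the article or from any vendor's product. It models the vault (token generation, token-to-ciphertext mapping, key rotation) separately from a simulated HSM (key storage, encrypt, decrypt, MAC). Everything about the simulated HSM is an assumption: it runs in-process and uses an HMAC-SHA256 CTR keystream plus an HMAC tag as a stand-in for the HSM's AES, whereas a real appliance would call the HSM over PKCS#11 or the vendor's API. The `SimulatedHSM`, `TokenVault`, key labels and the constructed test PAN are all hypothetical names and data; the point is that keys never leave the HSM object, tokens never enter it, and key rotation is the vault's loop, not the HSM's.

```python
"""Toy model of the tokenization-appliance / HSM split (added example,
not the article's or any vendor's code).  ASSUMPTION: the HSM is simulated
in-process; the HMAC-based cipher stands in for the HSM's AES."""
import hashlib
import hmac
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check.  Real PANs pass; tokens are made to fail
    so a token can never be mistaken for a live card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class SimulatedHSM:
    """Stand-in for the HSM: holds keys by ID, performs encrypt / decrypt /
    MAC, and never returns key material to the caller."""

    def __init__(self):
        self._keys = {}
        self._serial = 0

    def generate_key(self, label: str) -> str:
        self._serial += 1
        kid = f"{label}-v{self._serial}"
        self._keys[kid] = secrets.token_bytes(32)
        return kid                       # caller only ever sees the key ID

    def retire_key(self, kid: str) -> None:
        del self._keys[kid]              # old key is destroyed after rotation

    def _keystream(self, key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:         # HMAC-SHA256 in counter mode
            out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, kid: str, plaintext: bytes) -> bytes:
        key = self._keys[kid]
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag          # encrypt-then-MAC

    def decrypt(self, kid: str, blob: bytes) -> bytes:
        key = self._keys[kid]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(key, nonce, len(ct))))

    def mac(self, kid: str, data: bytes) -> bytes:
        return hmac.new(self._keys[kid], b"idx" + data, hashlib.sha256).digest()

    def reencrypt(self, old_kid: str, new_kid: str, blob: bytes) -> bytes:
        """Decrypt under the old key and re-encrypt under the new one inside
        the module, so plaintext never reaches the vault during rotation."""
        return self.encrypt(new_kid, self.decrypt(old_kid, blob))


class TokenVault:
    """The tokenization-appliance side: token generation, the token <->
    ciphertext mapping and key rotation.  It holds key IDs, never keys."""

    def __init__(self, hsm: SimulatedHSM):
        self.hsm = hsm
        self.current_kid = hsm.generate_key("dek")   # data-encrypting key, rotated
        self.index_kid = hsm.generate_key("idx")     # lookup key, kept stable here
        self._store = {}   # token -> (key ID, ciphertext)
        self._index = {}   # HMAC(PAN) -> token, so one PAN always maps to one token

    def _new_token(self, pan: str) -> str:
        while True:
            tok = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4)) + pan[-4:]
            if tok != pan and tok not in self._store and not luhn_valid(tok):
                return tok               # keeps last four for display, fails Luhn on purpose

    def tokenize(self, pan: str) -> str:
        idx = self.hsm.mac(self.index_kid, pan.encode())
        if idx in self._index:
            return self._index[idx]
        tok = self._new_token(pan)
        self._store[tok] = (self.current_kid, self.hsm.encrypt(self.current_kid, pan.encode()))
        self._index[idx] = tok
        return tok

    def detokenize(self, token: str) -> str:
        kid, blob = self._store[token]   # KeyError for an unknown token
        return self.hsm.decrypt(kid, blob).decode()

    def rotate_key(self) -> int:
        """Re-encrypt every record under a fresh key.  Tokens do not change,
        so callers are unaffected; returns the number of records re-encrypted."""
        new_kid = self.hsm.generate_key("dek")
        for tok, (kid, blob) in list(self._store.items()):
            self._store[tok] = (new_kid, self.hsm.reencrypt(kid, new_kid, blob))
        old_kid, self.current_kid = self.current_kid, new_kid
        self.hsm.retire_key(old_kid)
        return len(self._store)


if __name__ == "__main__":
    vault = TokenVault(SimulatedHSM())
    token = vault.tokenize("4111111111111111")     # constructed test PAN
    print(token, vault.detokenize(token))
    print("rotated", vault.rotate_key(), "records; token still", vault.detokenize(token))
```

Two design points worth noticing: the index key is deliberately not rotated in this toy, because rotating it would force every lookup hash to be recomputed from plaintext PANs, which is exactly the kind of key-management decision the appliance has to make and the HSM cannot make for it; and `reencrypt` keeps plaintext inside the HSM during rotation, which is what you want from a real API if the vendor offers it, otherwise rotation is a decrypt/encrypt round trip per record.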
Tokenization appliance and HSM together
Together, a tokenization appliance and an HSM let you implement a range of cardholder data protection functions: not only tokenization, but also point-to-point encryption (P2PE), PIN processing and card issuance.
A tokenization appliance is not the only way to get vault functionality. The other two options are licensing vault software that is compatible with your HSM, or developing the vault yourself.
More information on tokenization appliances and HSM is available in the respective article on #Paylosophy.