Simplifying Payment Processing with AWS Payment Cryptography

The News: Amazon Web Services (AWS) announces a new service focused on the enhanced requirements of the payment card industry. For the full announcement details, click here.

Simplifying Payment Processing with AWS Payment Cryptography

Analyst Take: Cryptography plays a vital role in securing our digital lives, and it is ubiquitous in our daily activities. From browsing the web to conducting online transactions, encryption is crucial for protecting sensitive information. As AWS looks to expand its footprint, launching services focused on enhanced cryptography makes perfect sense. The significance of cryptography, and how it underpins various services to help businesses manage keys and encryption effectively, is crucial for mission-critical workloads, the majority of which still reside on-premises.

Payment processing involves intricate procedures that are time-sensitive, highly regulated, and require coordination among multiple financial service providers and payment networks. Each payment transaction requires data to be decrypted, transformed, and encrypted again using unique keys at each step. Managing these cryptographic operations and keys can be challenging, especially considering the high volume of keys involved and the need to comply with corporate, contractual, and regulatory requirements. For these reasons, many applications that have enhanced security have remained on-premises and have not yet migrated to the cloud.

Key global standards that any bank, payment processor must adhere to is the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security standards established by major credit card companies to ensure the protection of cardholder data during payment transactions. PCI DSS compliance is crucial for businesses that handle payment card information because it helps prevent data breaches, fraud, and identity theft. Adhering to PCI DSS requirements ensures that organizations have implemented robust security measures, such as encryption, secure network architecture, access controls, regular system monitoring, and vulnerability management.

Compliance with PCI DSS not only helps protect sensitive customer information but also fosters trust between businesses and their customers, ultimately safeguarding the integrity of the payment card ecosystem. While PCI DSS governs overall protection of cardholder data, it does not include standards for HSMs. PCI PIN Security establishes security requirements for the HSM physical and logical security and encryption keys for card-present PIN/Debit transactions and PCI P2PE for card-present credit transactions. For AWS Payment Cryptography and its customers these standards – PCI P2PE and PCI PIN – are equally important.

Hardware Security Modules

Hardware Security Modules (HSMs) are physical devices that provide robust protection for cryptographic operations and the keys essential for those operations. By employing HSMs, organizations can effectively meet corporate, contractual, or regulatory compliance requirements related to data security.

AWS offers a comprehensive solution called CloudHSM, which provides access to general-purpose HSMs.  To differentiate from. AWS CloudHSM service which only offers access to dedicated instances exclusively for general purpose cryptography and not for payment cryptography they AWS Payment Cryptography service is a payment specific AWS native service offering fully-managed cryptography operations for payment processing use cases.

Most discussion of HSM security tends to focus on the FIPS 140-2 standard and moving to the newer FIPS 140-3, which is a government standard that defines security requirements for cryptographic modules, including HSMs. HSMs undergo rigorous testing and certification to meet the FIPS 140-2 or 140-3 standards, ensuring that they provide robust protection for cryptographic operations and key management, making them a trusted choice for securing sensitive data. From the launch material it is unclear what level the service operates, although I would expect it to be level 3 rather than the more stringent level 4 certification.

FIPS 140-2/3 is a US federal government standard governing HSMs. Payment HSMs are certified by the global PCI PTS HSM standard. This standard is based on FIPS 140-2 Level 3 (in the current version of PCI PTS HSM), but adds additional support for payment cryptographic functions. PCI PTS HSM is the more encompassing HSM certification for the payment industry. PCI PTS HSM testing is equally stringent as FIPS 140-2/3 testing.

AWS Payment Cryptography

AWS Payment Cryptography looks to simplify the implementation of cryptographic functions and key management for secure payment processing in accordance with various payment card industry (PCI) standards. This service eliminates the need for on-premises payment HSMs and offers tools to streamline key exchange processes. HSMs on premises are costly and key management is complex to manage at scale.

From the announcement blog and corresponding launch materials, the benefits of AWS Payment Cryptography include:

Simplified Development: Payment and financial service providers can start development within minutes using AWS Payment Cryptography. The service enables electronic key exchange, eliminating manual and error-prone processes associated with traditional payment HSMs.

Compliance and Security: AWS Payment Cryptography is designed to comply with PCI security standards, including PCI DSS, PCI PIN, and PCI P2PE. The service utilizes HSMs with PCI PTS HSM device approval, providing encryption and decryption capabilities for card data, key creation, and PIN translation. It also offers evidence and reporting features to meet compliance requirements.

Seamless Integration: Existing card payment applications can leverage AWS Payment Cryptography through AWS software development kits (SDKs). This approach allows developers to use their preferred programming languages, such as Java or Python, instead of relying on vendor-specific interfaces.

Key Management: The service facilitates the import and export of symmetric keys between AWS Payment Cryptography and on-premises HSMs using industry-standard protocols like ANSI X9 TR-31 and TR-34. This enables secure key exchange and integration with other systems and devices.

Access Control and Monitoring: Access to AWS Payment Cryptography can be authorized using AWS Identity and Access Management (IAM) identity-based policies. The service supports comprehensive monitoring through Amazon CloudWatch, AWS CloudTrail, and Amazon EventBridge, enabling businesses to track and respond to payment processing events effectively.

Competitive Landscape: AWS is not alone in offering highly-secure key management in the cloud. Numerous competitors operate in this space, the relevant alternatives are Microsoft Azure Payment HSM service and HSM-as-a-Service providers like MYHSM, and Virtucrypt, all of which require customers to procure fixed capacity upfront and manage devices and compliance to a variable degree.

The current alternatives and on-premise options require large step-based capital expenditure (CapEx) and operating expenditure (OpEx)–buying large amounts of hardware to cover transaction peaks and high availability requirements, typically planned out with a 5-year horizon, making it hard to start a new product or expand globally without large upfront costs. AWS Payment Cryptography service is fully elastic and enterprises simply consume the service as they need it and pay for what they use. No need to sign upfront contracts or commit to certain resources (physical or virtual).

IBM also offers Hyper Protect Crypto Services as a single-tenant, hybrid cloud key management service that enables enterprises to control their own encryption keys and orchestrate across multi-cloud environments from a single point of control. Hyper Protect Crypto Services is built on FIPS 140-2 Level 4 certified hardware, which is the highest level in the industry. I am confirming PCI DSS compliance but given the focus IBM has on financial services in its cloud offering I am expecting this to be covered.

As I get further briefed on the new AWS offering, a key evaluation point for me will be the underlying HSM level of certification as it relates to the FIPS 140-2 level.

Looking Ahead

As more mission-critical applications are looking to evolve and migrate to the cloud, the need for advanced encryption is paramount. When you couple this with the relatively slower migration of banking and payments to the public cloud, the launch of this service by AWS makes sense.

Whether or not the AWS Payment Cryptography service is a game-changer for payment processing applications in the cloud is still too early to say. However, by simplifying cryptographic functions and key management, this elastic service will empower businesses to securely process payments while meeting PCI compliance requirements in a public cloud model. With the elimination of on-premises HSMs and manual key exchange processes, organizations should be able to enjoy improved efficiency, scalability, and security in their payment processing workflows.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other insights from The Futurum Group:

Amazon Fire Max 11 – A Faster, Richer Content Experience for Smart Home Users

Amazon Introduces New Amazon Echo Devices

AWS’s Amazon Aurora I/O-Optimized Cluster Configuration Goes GA, Focused on Delivering on Cost Savings

Author Information

Steven engages with the world’s largest technology brands to explore new operating models and how they drive innovation and competitive edge.

Related Insights
Selling Agent Provenance to the CIO: Entire Changes Who Signs
July 14, 2026

Selling Agent Provenance to the CIO: Entire Changes Who Signs

Futurum stakes a position on Entire's distributed Git launch: agent provenance is the control point, the mirror network is the wedge, and the decision moves to the CIO. The analysis...
SAP's Flexible Support Overhaul Raises the Stakes for Enterprise Software Loyalty
July 10, 2026

SAP’s Flexible Support Overhaul Raises the Stakes for Enterprise Software Loyalty

Keith Kirkpatrick, Vice President & Research Director, Enterprise Software & Di at Futurum, SAP's flexible support model and customer-centric approach help compete for enterprise loyalty as 74% of enterprises consider...
Can Anthropic's GRAM 'Off Switch' Make Dual-Use AI Safer Without Killing Utility?
July 10, 2026

Can Anthropic’s GRAM ‘Off Switch’ Make Dual-Use AI Safer Without Killing Utility?

Anthropic and AE Studio introduced GRAM, enabling selective removal of sensitive AI capabilities without retraining, potentially addressing privacy and security concerns for organizations adopting generative AI....
Zoom's Platform-Agnostic AI Receptionist Reshapes Telephony Competition
July 10, 2026

Zoom’s Platform-Agnostic AI Receptionist Reshapes Telephony Competition

Keith Kirkpatrick, Vice President & Research Director, Enterprise Software & Di at Futurum, Zoom's Virtual Agent Receptionist disrupts legacy phone systems and accelerates enterprise adoption of GenAI-powered customer service solutions....
Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?
July 10, 2026

Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?

Exprivia announced partnership with ABI's WeSec summit as Main Partner, aligning with surging demand for cybersecurity and AI solutions across Italian banking. The move positions the company to capitalize on...
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.