Simplifying Payment Processing with AWS Payment Cryptography

The News: Amazon Web Services (AWS) announces a new service focused on the enhanced requirements of the payment card industry. For the full announcement details, click here.

Analyst Take: Cryptography plays a vital role in securing our digital lives, and it is ubiquitous in our daily activities. From browsing the web to conducting online transactions, encryption is crucial for protecting sensitive information. As AWS looks to expand its footprint, launching services focused on enhanced cryptography makes perfect sense. Cryptography underpins the services that help businesses manage keys and encryption effectively, and it is crucial for mission-critical workloads, the majority of which still reside on-premises.

Payment processing involves intricate procedures that are time-sensitive, highly regulated, and require coordination among multiple financial service providers and payment networks. Each payment transaction requires data to be decrypted, transformed, and encrypted again using unique keys at each step. Managing these cryptographic operations and keys can be challenging, especially considering the high volume of keys involved and the need to comply with corporate, contractual, and regulatory requirements. For these reasons, many applications with enhanced security requirements have remained on-premises and have not yet migrated to the cloud.

A key global standard that any bank or payment processor must adhere to is the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards established by the major credit card companies to ensure the protection of cardholder data during payment transactions. PCI DSS compliance is crucial for businesses that handle payment card information because it helps prevent data breaches, fraud, and identity theft. Adhering to PCI DSS requirements ensures that organizations have implemented robust security measures, such as encryption, secure network architecture, access controls, regular system monitoring, and vulnerability management.

Compliance with PCI DSS not only helps protect sensitive customer information but also fosters trust between businesses and their customers, ultimately safeguarding the integrity of the payment card ecosystem. While PCI DSS governs the overall protection of cardholder data, it does not include standards for HSMs. PCI PIN Security establishes requirements for the physical and logical security of HSMs and for the encryption keys used in card-present PIN/debit transactions, and PCI P2PE covers card-present credit transactions. For AWS Payment Cryptography and its customers, these two standards, PCI P2PE and PCI PIN, are equally important.

Hardware Security Modules

Hardware Security Modules (HSMs) are physical devices that provide robust protection for cryptographic operations and the keys essential for those operations. By employing HSMs, organizations can effectively meet corporate, contractual, or regulatory compliance requirements related to data security.

AWS already offers CloudHSM, a service that provides access to dedicated HSM instances for general-purpose cryptography, not for payment cryptography. AWS Payment Cryptography is a separate, payment-specific, AWS-native service offering fully managed cryptographic operations for payment processing use cases.

Most discussion of HSM security tends to focus on the FIPS 140-2 standard and the move to the newer FIPS 140-3, a US government standard that defines security requirements for cryptographic modules, including HSMs. HSMs undergo rigorous testing and certification against FIPS 140-2 or 140-3, ensuring that they provide robust protection for cryptographic operations and key management and making them a trusted choice for securing sensitive data. From the launch material it is unclear at what level the service operates, although I would expect it to be Level 3 rather than the more stringent Level 4 certification.

FIPS 140-2/3 is a US federal government standard governing HSMs. Payment HSMs are certified against the global PCI PTS HSM standard. This standard is based on FIPS 140-2 Level 3 (in the current version of PCI PTS HSM) but adds requirements for payment cryptographic functions. PCI PTS HSM is the more encompassing HSM certification for the payment industry, and PCI PTS HSM testing is as stringent as FIPS 140-2/3 testing.

AWS Payment Cryptography

AWS Payment Cryptography looks to simplify the implementation of cryptographic functions and key management for secure payment processing in accordance with various payment card industry (PCI) standards. This service eliminates the need for on-premises payment HSMs and offers tools to streamline key exchange processes. On-premises HSMs are costly, and key management is complex at scale.

From the announcement blog and corresponding launch materials, the benefits of AWS Payment Cryptography include:

Simplified Development: Payment and financial service providers can start development within minutes using AWS Payment Cryptography. The service enables electronic key exchange, eliminating manual and error-prone processes associated with traditional payment HSMs.

Compliance and Security: AWS Payment Cryptography is designed to comply with PCI security standards, including PCI DSS, PCI PIN, and PCI P2PE. The service utilizes HSMs with PCI PTS HSM device approval, providing encryption and decryption capabilities for card data, key creation, and PIN translation. It also offers evidence and reporting features to meet compliance requirements.

Seamless Integration: Existing card payment applications can leverage AWS Payment Cryptography through AWS software development kits (SDKs). This approach allows developers to use their preferred programming languages, such as Java or Python, instead of relying on vendor-specific interfaces.

Key Management: The service facilitates the import and export of symmetric keys between AWS Payment Cryptography and on-premises HSMs using industry-standard protocols like ANSI X9 TR-31 and TR-34. This enables secure key exchange and integration with other systems and devices.

Access Control and Monitoring: Access to AWS Payment Cryptography can be authorized using AWS Identity and Access Management (IAM) identity-based policies. The service supports comprehensive monitoring through Amazon CloudWatch, AWS CloudTrail, and Amazon EventBridge, enabling businesses to track and respond to payment processing events effectively.
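As an added example, not code from AWS or from the announcement, the following Python parses the 16-character header of an ANSI X9 TR-31 key block of the kind exchanged under the Key Management item above, and applies a defender-side gate that checks the block declares the key usage and mode of use the importer expects before it is handed to any import API. The code tables are a subset I selected from the TR-31 header layout, and the key blocks are constructed dummies with placeholder key data and MAC, not real keys.

```python
from dataclasses import dataclass

# Subset of the TR-31 header code tables (enough for the constructed samples below).
KEY_USAGE = {"B0": "BDK", "K0": "KEK", "P0": "PIN encryption", "D0": "data encryption"}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA"}
MODE_OF_USE = {"B": "encrypt/decrypt", "D": "decrypt", "E": "encrypt", "N": "none", "X": "derive"}
EXPORTABILITY = {"E": "exportable", "N": "non-exportable", "S": "sensitive"}

@dataclass(frozen=True)
class Tr31Header:
    version: str         # A/B/C/D: key block protection method
    length: int          # total key block length in characters, header included
    key_usage: str       # e.g. P0 = PIN encryption key
    algorithm: str       # e.g. T = TDES
    mode_of_use: str     # e.g. E = encrypt only
    key_version: str     # two-character key version number
    exportability: str   # E/N/S
    optional_blocks: int # count of optional header blocks that follow

def parse_tr31_header(block: str) -> Tr31Header:
    """Parse and validate the 16-character TR-31 key block header; ValueError if malformed."""
    if len(block) < 16:
        raise ValueError("key block shorter than the 16-character header")
    h = block[:16]
    if h[0] not in "ABCD" or h[14:16] != "00":
        raise ValueError("bad key block version or reserved field")
    if not (h[1:5] + h[12:14]).isdigit() or int(h[1:5]) != len(block):
        raise ValueError("bad length or optional-block count")
    for code, table in ((h[5:7], KEY_USAGE), (h[7], ALGORITHM),
                        (h[8], MODE_OF_USE), (h[11], EXPORTABILITY)):
        if code not in table:
            raise ValueError(f"unrecognised header code {code!r}")
    return Tr31Header(h[0], int(h[1:5]), h[5:7], h[7], h[8], h[9:11], h[11], int(h[12:14]))

def import_violations(block: str, expected_usage: str, expected_mode: str) -> list:
    """Gate before calling an import API: the header must declare exactly the usage
    and mode the importer intends, and single-length DES is refused. Empty list = OK."""
    hdr = parse_tr31_header(block)
    problems = []
    if hdr.key_usage != expected_usage:
        problems.append(f"usage {hdr.key_usage} != expected {expected_usage}")
    if hdr.mode_of_use != expected_mode:
        problems.append(f"mode {hdr.mode_of_use} != expected {expected_mode}")
    if hdr.algorithm == "D":
        problems.append("single-length DES keys are not accepted")
    return problems

# Constructed sample blocks: header + dummy hex key data + dummy MAC, not real keys.
PIN_KEY_BLOCK = "B0080P0TE00E0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"
DATA_KEY_BLOCK = "B0080D0TB00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"
```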

Competitive Landscape: AWS is not alone in offering highly secure key management in the cloud. Numerous competitors operate in this space; the most relevant alternatives are the Microsoft Azure Payment HSM service and HSM-as-a-Service providers such as MYHSM and Virtucrypt, all of which require customers to procure fixed capacity upfront and to manage devices and compliance to a varying degree.

The current alternatives and on-premises options require large, step-based capital expenditure (CapEx) and operating expenditure (OpEx): buying large amounts of hardware to cover transaction peaks and high-availability requirements, typically planned on a 5-year horizon, which makes it hard to start a new product or expand globally without large upfront costs. The AWS Payment Cryptography service is fully elastic; enterprises simply consume the service as they need it and pay for what they use, with no need to sign upfront contracts or commit to particular resources (physical or virtual).

IBM also offers Hyper Protect Crypto Services, a single-tenant, hybrid cloud key management service that enables enterprises to control their own encryption keys and orchestrate across multi-cloud environments from a single point of control. Hyper Protect Crypto Services is built on FIPS 140-2 Level 4 certified hardware, the highest level in the industry. I am confirming PCI DSS compliance, but given the focus IBM has on financial services in its cloud offering, I expect this to be covered.

As I get further briefed on the new AWS offering, a key evaluation point for me will be the underlying HSM level of certification as it relates to the FIPS 140-2 level.

Looking Ahead

As more mission-critical applications look to evolve and migrate to the cloud, the need for advanced encryption is paramount. Coupled with the relatively slow migration of banking and payments to the public cloud, the launch of this service by AWS makes sense.

It is still too early to say whether the AWS Payment Cryptography service is a game-changer for payment processing applications in the cloud. However, by simplifying cryptographic functions and key management, this elastic service should empower businesses to securely process payments while meeting PCI compliance requirements in a public cloud model. With the elimination of on-premises HSMs and manual key exchange processes, organizations should be able to enjoy improved efficiency, scalability, and security in their payment processing workflows.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Author Information

Regarded as a luminary at the intersection of technology and business transformation, Steven Dickens is the Vice President and Practice Leader for Hybrid Cloud, Infrastructure, and Operations at The Futurum Group. With a distinguished track record as a Forbes contributor and a ranking among the Top 10 Analysts by ARInsights, Steven's unique vantage point enables him to chart the nexus between emergent technologies and disruptive innovation, offering unparalleled insights for global enterprises.

Steven's expertise spans a broad spectrum of technologies that drive modern enterprises. Notable among these are open source, hybrid cloud, mission-critical infrastructure, cryptocurrencies, blockchain, and FinTech innovation. His work is foundational in aligning the strategic imperatives of C-suite executives with the practical needs of end users and technology practitioners, serving as a catalyst for optimizing the return on technology investments.

Over the years, Steven has been an integral part of industry behemoths including Broadcom, Hewlett Packard Enterprise (HPE), and IBM. His exceptional ability to pioneer multi-hundred-million-dollar products and to lead global sales teams with revenues in the same echelon has consistently demonstrated his capability for high-impact leadership.

Steven serves as a thought leader in various technology consortiums. He was a founding board member and former Chairperson of the Open Mainframe Project, under the aegis of the Linux Foundation. His role as a Board Advisor continues to shape the advocacy for open source implementations of mainframe technologies.
