At the recent re:Inforce conference, AWS announced Payment Cryptography, a new service to manage payment cryptography operations. The new elastic option simplifies key management for payment processing applications, helping customers meet PCI security requirements.
Payment Cryptography can be used to replace the payments-specific cryptography and key management functions that are usually provided by on-premises payment hardware security modules (HSMs). Developers can encrypt and decrypt payment-related data, managing sensitive values such as cardholder PINs, without ever exposing the cleartext.
With the new managed service, it is possible to manage symmetric and asymmetric keys, including TDES, AES, and RSA keys. Payment Cryptography stores them in HSMs, enforcing key separation between use cases, and supports lists and tags for identification and access control. Danilo Poccia, chief evangelist for EMEA at AWS, explains:
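The key separation described above, as an added example that is not AWS's own code: one key per payment use case, each created with a single TR-31 key usage bound to it, non-exportable, and tagged for identification. The request shape follows the boto3 `payment-cryptography` client's `create_key` call; the use-case and operation names, the modes of use chosen per usage, the tag keys and the `create_key` wrapper are this example's own assumptions. Nothing contacts AWS unless a real client is passed in.

```python
"""Added example, not AWS's own code: build CreateKey requests for AWS
Payment Cryptography so that each payment use case gets its own key, and
check a key's attributes before using it for an operation.

Assumptions (this example's own, not from the article): the request shape
follows the boto3 ``payment-cryptography`` client's ``create_key`` call; the
use-case and operation names, the modes of use per usage, the tag keys and
the ``create_key`` wrapper are constructed here.
"""
from __future__ import annotations

from typing import Any

# One TR-31 key usage per use case. The service binds the usage and modes of
# use to the key when it is created and its HSMs refuse operations that do not
# match, so a PIN key can never double as a data-encryption or key-wrapping
# key. The modes of use listed per usage are this example's assumption.
USE_CASES: dict[str, dict[str, Any]] = {
    "pin-encryption": {
        "KeyUsage": "TR31_P0_PIN_ENCRYPTION_KEY",
        "KeyModesOfUse": {"Encrypt": True, "Decrypt": True, "Wrap": True, "Unwrap": True},
    },
    "data-encryption": {
        "KeyUsage": "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY",
        "KeyModesOfUse": {"Encrypt": True, "Decrypt": True},
    },
    "key-wrapping": {
        "KeyUsage": "TR31_K0_KEY_ENCRYPTION_KEY",
        "KeyModesOfUse": {"Wrap": True, "Unwrap": True},
    },
    "card-verification": {
        "KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
        "KeyModesOfUse": {"Generate": True, "Verify": True},
    },
}

# Symmetric algorithms the article names; RSA is asymmetric and must not be
# requested for these symmetric use cases.
SYMMETRIC_ALGORITHMS = {"TDES_2KEY", "TDES_3KEY", "AES_128", "AES_192", "AES_256"}

# Which data-plane operation each usage may serve (example's own mapping).
OPERATION_USAGE = {
    "translate-pin": "TR31_P0_PIN_ENCRYPTION_KEY",
    "encrypt-data": "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY",
    "wrap-key": "TR31_K0_KEY_ENCRYPTION_KEY",
    "generate-cvv": "TR31_C0_CARD_VERIFICATION_KEY",
}


def build_create_key_request(use_case: str, algorithm: str,
                             tags: dict[str, str]) -> dict[str, Any]:
    """Return the CreateKey parameters for one use case.

    Keys are created non-exportable so key material never leaves the HSM;
    tags carry the identification and access-control labels the article
    mentions.
    """
    if use_case not in USE_CASES:
        raise ValueError(f"unknown use case: {use_case}")
    if algorithm not in SYMMETRIC_ALGORITHMS:
        raise ValueError(f"{algorithm} is not a symmetric key algorithm")
    spec = USE_CASES[use_case]
    return {
        "KeyAttributes": {
            "KeyAlgorithm": algorithm,
            "KeyClass": "SYMMETRIC_KEY",
            "KeyUsage": spec["KeyUsage"],
            "KeyModesOfUse": dict(spec["KeyModesOfUse"]),
        },
        "Exportable": False,
        "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())],
    }


def operation_allowed(key_attributes: dict[str, Any], operation: str) -> bool:
    """Client-side mirror of the separation the HSM enforces: True only when
    the key's bound usage matches the requested operation."""
    if operation not in OPERATION_USAGE:
        raise ValueError(f"unknown operation: {operation}")
    return key_attributes.get("KeyUsage") == OPERATION_USAGE[operation]


def create_key(client: Any, use_case: str, algorithm: str,
               tags: dict[str, str]) -> str:
    """Create the key through a boto3 ``payment-cryptography`` client and
    return its ARN. ``client`` is assumed to expose ``create_key``; a fake
    object with the same method works for offline runs."""
    request = build_create_key_request(use_case, algorithm, tags)
    response = client.create_key(**request)
    return response["Key"]["KeyArn"]


if __name__ == "__main__":
    # Constructed offline run: a fake client that echoes a placeholder ARN.
    class _FakeClient:
        def create_key(self, **request: Any) -> dict[str, Any]:
            usage = request["KeyAttributes"]["KeyUsage"]
            return {"Key": {"KeyArn": f"arn:placeholder:key/{usage}"}}

    print(create_key(_FakeClient(), "pin-encryption", "TDES_2KEY", {"app": "pin-translate"}))
```

Note the two checks a caller gets for free: a request for a PIN key with an RSA algorithm is rejected before it reaches the service, and `operation_allowed` refuses to route a data-encryption call to a key whose bound usage is PIN encryption, which is the same answer the HSM would give.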
Applications using payments HSMs have challenging requirements because payment processing is complex, time-sensitive, and highly regulated and requires the interaction of multiple financial service providers and payment networks. Every time you make a payment, data is exchanged between two or more financial service providers and must be decrypted, transformed, encrypted, or validated at each step.
According to AWS, the new service helps payment facilitators, processors, and banks minimize dependencies on dedicated HSMs deployed in external data centers or colocation facilities. Poccia adds:
To provide its elastic cryptographic capabilities in a compliant manner, AWS Payment Cryptography uses HSMs with PCI PTS HSM device approval. These capabilities include encryption and decryption of card data, key creation, and PIN translation. AWS Payment Cryptography is also designed in accordance with PCI security standards such as PCI DSS, PCI PIN, and PCI P2PE, and it provides evidence and reporting to help meet your compliance needs.
Payment Cryptography is not the first AWS product for cryptographic operations: AWS Key Management Service (KMS) manages general-purpose encryption keys, while AWS CloudHSM provides dedicated single-tenant HSMs whose clusters customers must actively manage themselves.
The new service has no upfront commitment, and its pricing has two components: a charge per API call (starting at $2.00 per 10k API calls) and a charge per active key ($1.00 per active key). Jonathan Conway, director at Deep Thinking, tweets:
This had me at ease of automation, but the pricing always makes it really palatable for early-stage Fintechs.
The new service is currently available only in the US East and US West regions.