Security

Cloud Payment Processing with AWS Payment Cryptography - Cryptographic Key Management and PIN Verification

Learn how Payment Cryptography manages payment cryptographic keys, encrypts and decrypts PIN blocks, and achieves PCI DSS compliance.

約 3 分で読めます

Overview of Payment Cryptography

Payment Cryptography is a service that provides cloud-based cryptographic key management and encryption operations for payment processing, compliant with PCI PIN Security and PCI P2PE. Traditionally, payment encryption required on-premises HSMs (such as Thales payShield or Futurex), but Payment Cryptography enables migration to the cloud. It is compliant with PCI PIN Security Requirements and PCI P2PE.

Payment Encryption Operations

The Control Plane API manages the creation, import, and export of AES-128/256, TDES, and RSA-2048/4096 cryptographic keys, while the Data Plane API executes encryption operations. PIN Translation re-encrypts a PIN block encrypted with the acquirer's key using the issuer's key, and is used in payment network switching. CVV generation and verification are used during card issuance and payment authorization, computing a cryptographic verification value from the card number and expiration date. Keys can be imported and exported in TR-31 key block format, enabling key exchange with other HSMs and payment networks.

Key Management and Payment Network Integration

Payment Cryptography supports payment-specific key types such as BDK (Base Derivation Key), IPEK (Initial PIN Encryption Key), and KEK (Key Encryption Key). Keys are imported and exported in TR-31 key block format to ensure interoperability with existing payment infrastructure. DUKPT (Derived Unique Key Per Transaction) derives a unique key for each transaction, minimizing the risk of key compromise. Encryption operations required by Visa, Mastercard, and American Express payment networks (PIN block conversion, MAC generation and verification) can be performed in the cloud. For a comprehensive guide to Payment Cryptography best practices, check out related books on Amazon.

Payment Cryptography Pricing

Payment Cryptography pricing consists of key management (approximately $1 per key per month) and encryption operations (approximately $0.85 per 10,000 operations). Compared to on-premises HSMs (hardware purchase, data center installation, maintenance contracts), there is no upfront investment and pay-as-you-go pricing enables cost management based on transaction volume. PCI DSS compliance maintenance costs (annual audits, penetration testing) can also be reduced through cloud migration. For low transaction volumes, the fixed cost of key management becomes the primary cost factor.

Summary

Payment Cryptography is a service that provides cloud-based cryptographic key management and encryption operations for payment processing. It supports DUKPT and TR-31 key blocks in a PCI-compliant environment, and performs PIN block conversion and MAC generation/verification. It eliminates the need to purchase, install, and maintain on-premises HSMs, and enables cost management based on transaction volume through pay-as-you-go pricing.

Related Services

AWS Payment CryptographyA managed service providing cryptographic key management and operations for payment processingAWS CloudHSMA service for managing encryption keys using dedicated hardware security modulesAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt data

Related Articles

Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.Hardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSMLearn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.Running MongoDB Workloads as a Managed Service with Amazon DocumentDB - Document Model and Query DesignManage document data with a MongoDB-compatible API, and achieve read scaling and disaster recovery with up to 15 read replicas and global clusters. This article also covers sharding with Elastic Clusters.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

HSM Architecture of AWS Payment Cryptography - A Deep Dive into PCI DSS Compliant Payment EncryptionAWS Payment Cryptography is a managed HSM service purpose-built for the payment industry, providing PCI DSS compliant encryption and tokenization in a serverless model. This article takes a deep dive into the technical mechanisms of payment encryption, including PIN block generation, DUKPT key management, and how it differs from CloudHSM.Where Are KMS Encryption Keys Stored? - How Envelope Encryption and HSMs WorkThis article explains how KMS master keys are stored inside FIPS 140-2 certified HSMs, how envelope encryption provides double protection for data keys, and the internal workings of key rotation.AWS KMSA fully managed key management service for centrally creating, managing, and rotating encryption keys, integrated with over 100 AWS servicesHardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSMLearn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.