Cloud Payment Processing with AWS Payment Cryptography - Cryptographic Key Management and PIN Verification

Learn how Payment Cryptography manages payment cryptographic keys, encrypts and decrypts PIN blocks, and achieves PCI DSS compliance.

Overview of Payment Cryptography

Payment Cryptography is a service that provides cloud-based cryptographic key management and encryption operations for payment processing, compliant with PCI PIN Security and PCI P2PE. Traditionally, payment encryption required on-premises HSMs (such as Thales payShield or Futurex), but Payment Cryptography enables migration to the cloud. PCI PIN Security Requirements ensure secure PIN processing, and PCI P2PE ensures end-to-end encryption from terminal to processing center. The service HSMs run on FIPS 140-2 Level 3 certified hardware, and keys never leave the HSM in plaintext. The service is separated into two APIs: Control Plane (key creation and management) and Data Plane (encryption operation execution). By granting least privilege through IAM policies, you can clearly separate roles that can create keys from roles that can only execute encryption operations.

Payment Encryption Operations

The Control Plane API manages the creation, import, and export of AES-128/256, TDES, and RSA-2048/4096 cryptographic keys, while the Data Plane API executes encryption operations. PIN Translation re-encrypts a PIN block encrypted with the acquirer's key using the issuer's key, and is used in payment network switching. CVV generation and verification are used during card issuance and payment authorization, computing a cryptographic verification value from the card number and expiration date. Keys can be imported and exported in TR-31 key block format, enabling key exchange with other HSMs and payment networks. MAC (Message Authentication Code) generation and verification are used for tamper detection of transaction data, supporting ISO 9797-1 Algorithm 1 and Algorithm 3. ARQC (Authorization Request Cryptogram) verification is used in EMV chip card authentication, cryptographically achieving mutual authentication between the card and issuer.

Key Management and Payment Network Integration

Payment Cryptography supports payment-specific key types such as BDK (Base Derivation Key), IPEK (Initial PIN Encryption Key), and KEK (Key Encryption Key). Keys are imported and exported in TR-31 key block format to ensure interoperability with existing payment infrastructure. DUKPT (Derived Unique Key Per Transaction) derives a unique key for each transaction, minimizing the risk of key compromise. Encryption operations required by Visa, Mastercard, and American Express payment networks (PIN block conversion, MAC generation and verification) can be performed in the cloud. For a comprehensive guide to Payment Cryptography best practices, check out related books on Amazon.

Use Cases and Adoption Patterns

There are three typical use cases. First, issuer PIN verification: when a cardholder enters a PIN at an ATM, the VerifyPinData API compares the PIN block received over the network with the PIN data registered at issuance. Second, payment processor switching: the TranslatePinData API converts a PIN block received from the acquirer for the issuer, routing transactions between international brand payment networks. Third, CVV/CVC generation during card issuance: the GenerateCardValidationData API cryptographically generates a verification value from the card number and expiration date to determine the value printed on the card. The typical adoption pattern is phased migration running in parallel with existing on-premises HSMs. By exporting keys from existing HSMs in TR-31 key block format and importing them into Payment Cryptography, you can migrate only the backend cryptographic infrastructure to the cloud without changing existing transaction flows.

Comparison with CloudHSM and KMS

AWS has three cryptographic key management services with different purposes. KMS is for general-purpose data encryption (S3 encryption, EBS volume encryption, Envelope Encryption) and does not support payment-specific operations (PIN Translation, DUKPT key derivation). CloudHSM provides general-purpose HSMs in the cloud but lacks payment-specific command sets, requiring you to implement libraries yourself. Payment Cryptography specializes in payment processing, provides PCI PIN Security/P2PE compliance attestation, and offers payment-specific operations (TR-31 key blocks, DUKPT, PIN Translation, ARQC verification) as APIs. CloudHSM is FIPS 140-2 Level 3 with dedicated-tenant HSMs, making it suitable for non-payment use cases (PKI, TLS offload, custom cryptographic protocols). Payment Cryptography is multi-tenant but offers easier adoption for payment use cases since it provides a pre-certified PCI-compliant environment. Cost-wise, CloudHSM charges hourly (approximately $1.50/hour per HSM) with high fixed costs, while Payment Cryptography uses per-key and per-operation pricing that is more cost-efficient for low-volume usage.

Payment Cryptography Pricing

Payment Cryptography pricing consists of key management (approximately $1 per key per month) and encryption operations (approximately $0.85 per 10,000 operations). Compared to on-premises HSMs (hardware purchase, data center installation, maintenance contracts), there is no upfront investment and pay-as-you-go pricing enables cost management based on transaction volume. PCI DSS compliance maintenance costs (annual audits, penetration testing) can also be reduced through cloud migration. For low transaction volumes, the fixed cost of key management becomes the primary cost factor. As a key lifecycle management practice, regularly auditing and deleting unused keys is recommended to optimize costs.

Summary

Payment Cryptography is a service that provides cloud-based cryptographic key management and encryption operations for payment processing. It supports DUKPT and TR-31 key blocks in a PCI-compliant environment, and performs PIN block conversion and MAC generation/verification. It eliminates the need to purchase, install, and maintain on-premises HSMs, and enables cost management based on transaction volume through pay-as-you-go pricing. The separation of Control Plane and Data Plane for least-privilege design, combined with TR-31 format for phased migration from existing infrastructure, is key to successful adoption.