AWS Payment Cryptography

A managed service providing cloud-based cryptographic key generation and management plus cryptographic operations such as PIN verification and card authentication for payment processing

Overview

AWS Payment Cryptography is a fully managed service that executes cryptographic processing required for credit and debit card payments in the cloud. Operations previously performed on on-premises HSMs (Hardware Security Modules) - PIN block generation and verification, card verification value (CVV/CVC) generation and verification, and MAC (Message Authentication Code) calculation - are available via API. Key management is performed in an environment compliant with PCI DSS and PCI PIN Security requirements, significantly reducing the burden on payment operators to build and operate their own HSM infrastructure. Key lifecycle management (generation, rotation, destruction) can also be automated, reducing compliance audit response effort.

Payment Cryptographic Key Management and Lifecycle

Payment Cryptography key management supports payment industry-specific key hierarchies. Keys are securely imported and exported encrypted under KEKs (Key Encrypting Keys), supporting TR-31/TR-34 formats compliant with card network (Visa, Mastercard) key exchange protocols. Managed key types include PIN Encrypting Keys (PEK), PIN Verification Keys (PVK), Card Verification Keys (CVK), MAC keys, and other dedicated keys used at each stage of payment processing. Key rotation is managed through expiration settings and automatic rotation policies, with configurable grace periods for parallel decryption with old keys and encryption with new keys. All key usage is recorded in CloudTrail, serving as audit trails for PCI DSS Requirement 3 (protect stored cardholder data). The key alias feature enables transparent key rotation without application code changes.

PIN Processing and Card Authentication Cryptographic Operations

Payment Cryptography's Data Plane API executes cryptographic operations needed in payment transactions in real time. It covers the entire card payment lifecycle: PIN block translation (re-encrypting PIN blocks received from ATMs with the issuer's key), PIN verification (matching using IBM 3624 or Visa PVV methods), CVV/CVC generation and verification, and ARQC (Authorization Request Cryptogram) verification. API latency is in the single-digit milliseconds, providing sufficient performance for real-time authorization processing. Payment systems books on Amazon systematically cover card payment cryptographic processing. EMV chip card cryptographic processing is also supported, executing cryptographic operations needed for mutual authentication with ICCs (Integrated Circuit Cards).

Compliance and Migration from On-Premises HSMs

Payment Cryptography holds PCI DSS Level 1, PCI PIN Security, and PCI P2PE certifications, enabling payment operators to leverage AWS shared responsibility model controls in their compliance assessments (QSA audits). For migration from on-premises HSMs, the standard procedure is exporting existing keys in TR-31 format and importing them into Payment Cryptography. During the migration period, parallel operation (processing on both on-premises HSM and Payment Cryptography) with gradual traffic migration minimizes risk. Cost-wise, on-premises HSM purchase costs (millions of yen per unit), maintenance contracts, data center costs, and operational personnel costs are eliminated, transitioning to pay-per-use pricing based on API call volume. Cost savings of tens of millions of yen annually have been reported for payment operators processing millions of monthly transactions. High availability is automatically ensured through multi-AZ configuration, eliminating the need for users to design HSM redundancy.

ShareXB!