AWS Payment Cryptography FAQs
General
AWS Payment Cryptography is a managed service that can be used to replace the payments-specific cryptography and key management functions that are usually provided by on-premises payment hardware security modules (HSMs). This elastic, pay-as-you-go AWS API service allows credit, debit, and payment processing applications to move to the cloud without the need for dedicated payment HSMs.
If you are a payments service provider or processor that processes credit, debit, and stored-value card payments, you can use AWS Payment Cryptography.
With AWS Payment Cryptography, you can move your payment cryptography operations to AWS and focus on evolving payment experiences, customer requirements, and business innovation without worrying about infrastructure management. AWS Payment Cryptography helps you simplify key exchange processes, including paper-based key exchange through Physical Key Exchange for partners or vendors that do not support electronic key exchange. AWS Payment Cryptography can help you reduce your compliance and audit overhead as well as infrastructure and operations costs. AWS Payment Cryptography helps reduce your operational costs by managing the entire HSM lifecycle and your key management requirements.
You can start using AWS Payment Cryptography through the AWS SDK, where you begin by importing or generating the keys your application needs for cryptographic processing. Once keys are available in the service, you can integrate your payment applications with AWS Payment Cryptography and start encrypting, decrypting, and translating payment messages through the AWS SDK or AWS CLI instead of your on-premises payment HSMs.
Yes. AWS Payment Cryptography supports both electronic and physical key exchange. Electronic key exchange is the preferred method — keys are exchanged using industry-standard symmetric (ANSI TR-31) and asymmetric (ANSI TR-34, RSA, ECDH) cryptographic techniques and securely loaded without manual procedures. If your partners or vendors do not support electronic key exchange, Physical Key Exchange is also available. To learn more, open an AWS support case or contact your AWS account team.
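The TR-31 key blocks mentioned above carry the key's usage, algorithm, mode of use and exportability in a clear-text header that the receiving HSM binds to the wrapped key with a MAC. The following Python is an added example, not AWS code: it parses that header and its optional blocks and checks whether the declared mode of use permits an intended operation, which is a useful pre-check before importing a partner's key block. The two key blocks are constructed for illustration (their key data and MAC fields are filler; verifying the MAC needs the wrapping key, which only the HSM holds), and the code-point tables cover only a subset of the standard.

```python
"""Parse and sanity-check the clear-text header of an ANSI TR-31 key block.

Example code added to this FAQ; not AWS code. The sample key blocks are
constructed: their key material and MAC fields are filler, and the MAC is
not verified here because that requires the wrapping key held in the HSM.
"""
from dataclasses import dataclass

# Header code points from ANSI TR-31 (subset used for illustration).
KEY_USAGE = {
    "B0": "Base derivation key (DUKPT)",
    "C0": "Card verification key",
    "D0": "Data encryption key",
    "E0": "EMV issuer master key (application cryptograms)",
    "K0": "Key encryption / wrapping key",
    "K1": "TR-31 key block protection key",
    "M1": "ISO 9797-1 MAC algorithm 1 key",
    "M3": "ISO 9797-1 MAC algorithm 3 key",
    "P0": "PIN encryption key",
    "V0": "PIN verification key (other)",
    "V1": "PIN verification key (IBM 3624)",
    "V2": "PIN verification key (Visa PVV)",
}
ALGORITHM = {"A": "AES", "D": "DES", "E": "Elliptic curve", "H": "HMAC",
             "R": "RSA", "S": "DSA", "T": "TDES"}
EXPORTABILITY = {"E": "exportable under a trusted key",
                 "N": "non-exportable",
                 "S": "sensitive, exportable under any key"}
# Operations each mode-of-use code allows.
MODE_PERMITS = {
    "B": {"encrypt", "decrypt"},
    "C": {"generate", "verify"},
    "D": {"decrypt"},
    "E": {"encrypt"},
    "G": {"generate"},
    "N": {"encrypt", "decrypt", "generate", "verify", "derive", "sign"},
    "S": {"sign"},
    "T": {"sign", "decrypt"},
    "V": {"verify"},
    "X": {"derive"},
    "Y": {"derive"},  # key used to create key variants
}


@dataclass
class Tr31Header:
    version: str
    block_length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict
    payload_length: int  # characters left for the encrypted key and the MAC


def parse_tr31_key_block(block: str) -> Tr31Header:
    """Parse the 16-character header and any optional blocks; reject malformed input."""
    if len(block) < 16:
        raise ValueError("key block is shorter than the 16-character header")
    version = block[0]
    if version not in "ABCD":
        raise ValueError(f"unknown key block version id {version!r}")
    if not block[1:5].isdigit():
        raise ValueError("key block length field is not four decimal digits")
    declared = int(block[1:5])
    if declared != len(block):
        raise ValueError(f"header declares {declared} characters, block has {len(block)}")
    usage, algorithm, mode = block[5:7], block[7], block[8]
    if usage not in KEY_USAGE or algorithm not in ALGORITHM or mode not in MODE_PERMITS:
        raise ValueError(f"unrecognised usage/algorithm/mode {usage}/{algorithm}/{mode}")
    exportability = block[11]
    if exportability not in EXPORTABILITY:
        raise ValueError(f"unknown exportability flag {exportability!r}")
    # Optional blocks: 2-char ID, 2 hex-digit total length (ID and length included), data.
    count = int(block[12:14])
    pos, optional = 16, {}
    for _ in range(count):
        if pos + 4 > len(block):
            raise ValueError("truncated optional block header")
        block_id = block[pos:pos + 2]
        length = int(block[pos + 2:pos + 4], 16)
        if length == 0:
            raise ValueError("extended-length optional blocks are not handled here")
        if length < 4 or pos + length > len(block):
            raise ValueError(f"optional block {block_id} has invalid length {length}")
        optional[block_id] = block[pos + 4:pos + length]
        pos += length
    return Tr31Header(version, declared, usage, algorithm, mode, block[9:11],
                      exportability, optional, len(block) - pos)


def permits(header: Tr31Header, operation: str) -> bool:
    """True if the header's mode of use allows the operation (e.g. 'encrypt')."""
    return operation in MODE_PERMITS[header.mode_of_use]


def describe(header: Tr31Header) -> str:
    return (f"TR-31 v{header.version}: {KEY_USAGE[header.key_usage]}, "
            f"{ALGORITHM[header.algorithm]}, mode {header.mode_of_use}, "
            f"{EXPORTABILITY[header.exportability]}, "
            f"optional blocks {sorted(header.optional_blocks)}")


# Constructed samples. First: a TDES PIN encryption key, encrypt-only, non-exportable.
FILLER = "0123456789ABCDEF"
SAMPLE_PEK_BLOCK = "B0080P0TE00N0000" + FILLER * 3 + "01234567" + "89ABCDEF"
# Second: an AES base derivation key, derive-only, with one KS (key set id) optional block.
SAMPLE_BDK_BLOCK = "D0112B0AX00E0100" + "KS1800604B120F9292800000" + FILLER * 4 + "01234567"

if __name__ == "__main__":
    for sample in (SAMPLE_PEK_BLOCK, SAMPLE_BDK_BLOCK):
        print(describe(parse_tr31_key_block(sample)))
```

The length check is the first thing worth doing on a received block: a header whose declared length disagrees with the data is either corrupted or has been tampered with, and a mode-of-use or exportability flag that does not match what you expect from the partner is a reason to stop before the block reaches the HSM.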
Physical Key Exchange enables customers to securely exchange cryptographic key components using paper-based key ceremonies. Trained AWS key custodians perform secure key ceremonies in AWS-operated facilities meeting PCI PIN and P2PE physical and logical security requirements. Once loaded into AWS Payment Cryptography, keys are charged at standard rates and can be used across all AWS Regions using Multi-Region Keys. To get started, open an AWS support case or contact your AWS account team.
Security and compliance
AWS Payment Cryptography is designed to meet PCI PIN Security, PCI Point-to-Point Encryption (P2PE), PCI DSS, and PCI 3-D Secure (3DS) compliance standards.
Yes, AWS Payment Cryptography performs all cryptography on payment HSMs that meet PCI PIN Transaction Security (PTS) HSM standards.
AWS Payment Cryptography is designed so that no one, including AWS employees, can retrieve your plaintext payment keys from the service. AWS Payment Cryptography uses HSMs that have been validated under PCI PTS HSM to protect the confidentiality and integrity of your keys. Your plaintext payment keys never leave the HSMs, are never written to disk, and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. Secure handling of HSMs for the service, with dual control and integrity validation, is maintained from manufacture through service integration, operation, and decommissioning. Service main keys can only be loaded onto these validated HSMs within designated areas of AWS data centers. Updates to software on the service hosts and to the HSM firmware are controlled by multiparty access control that is audited and reviewed by an independent group within Amazon and a PCI-certified lab in compliance with PCI PTS HSM. All security, HSM management, and key management processes are regularly assessed by internal Amazon teams and third-party assessors.
Billing
With AWS Payment Cryptography, you pay only for what you use; there is no minimum fee. There are no setup fees or commitments to begin using the service. At the end of the month, you will be charged for that month's usage.
AWS Payment Cryptography is priced by API call, with tiered pricing, and a monthly cost per key.
For current pricing information, visit the AWS Payment Cryptography Pricing page.
No, the AWS Free Tier is not available for AWS Payment Cryptography.