Although an increasing number of payment companies are transitioning their workloads to the cloud, the use of manual, on-premises payment hardware security modules (HSMs) — physical computing devices designed to strengthen authentication — to beef up data encryption continues to create challenges for businesses.
These hardware devices, also known as on-prem HSMs, perform cryptographic operations such as encryption and decryption of data encryption, key management and key exchange between payment service providers (PSPs). But according to Ken Beer, general manager, AWS Key Management Service at Amazon Web Services, the manual process employed is complex and prone to errors, resulting in high compliance and infrastructure costs for businesses.
“The reality is that anybody who wants to play in this space is left with buying bespoke hardware and trying to acquire expertise on how to deploy that inside a network,” Beer told PYMNTS in an interview, adding that even companies that have installed and deployed hardware are still saddled with high costs when attempting to expand internationally.
These challenges, per Beer, have led to a growing demand for solutions that can manage encryption keys and perform cryptographic functions in the cloud, enabling firms to end their reliance on on-prem HSMs all while remaining compliant with various payment card industry (PCI) security standards.
Beer said this is where the value of an elastic service like AWS’ Payment Cryptography, which does the “undifferentiated heavy lifting” for customers by fully managing HSMs and automating key exchange processes, could help fill in the gap.
For cloud native startups or card issuers already using AWS’ native APIs, he added that the new solution will require zero infrastructure to deploy, enabling payment and financial service providers to begin development within minutes, while reducing latency by operating the entire payment application in the cloud.
“All they have to do is to find a way to connect to our endpoint over the internet, which is straightforward and easy,” he explained. Merchants and acquirers will also have the option to pick and choose parts of the cryptographic capabilities that best meet their needs, all in a compliant manner.
For now, the AWS Payment Cryptography service, which uses HSMs with PCI PTS HSM device approval, is available in the U.S. East and U.S. West AWS Regions on a pay-per-use basis based on the number of active keys and API calls each month.
Over the years, migrating from legacy hardware and legacy software to cloud-based systems has been a challenge across the payments industry, particularly among large financial institutions, Beer said.
As a result, meeting various PCI security standards and complying with issuer and acquirer rules remains a challenge, creating barriers to entry for new appliance and software providers in the general cryptography space.
To redress that balance, Beer said AWS has spent the past two years building the technology stack and working with large acquirer and issuer companies — some of whom are now coming to terms with the need for cloud migration for payments processing — to get to the required level of compliance.
Building partnerships and collaborations with existing vendors of HSMs in the general cryptography space will also be key, he added, to educate them on the need to provide more cloud-friendly versions of their productions.
Finally, Beer argued that acquirers will need to embrace the cloud to stay competitive and provide their customers with the best possible payment experience while also reducing costs.
“The more processing of data that can happen in a centralized cloud provider’s network before it then goes back to the point-of-sale device and is verified – that’s winning,” he said.