Why Amazon is pushing more payment functions to the cloud

AWS is among the firms adding payment technology to the cloud.
David Ryder/Bloomberg

A growing number of payments no longer require a card, phone or other type of hardware — even on the back end, where companies like Amazon, IBM and Microsoft are urging businesses to do more in the cloud.

Amazon Web Services this week launched AWS Payment Cryptography, which is designed to simplify deployment of cloud-hosted payments applications. Other cloud providers such as IBM and Microsoft are also offering to streamline parts of payment processing away from the point of sale. These companies are trying to remove friction from payments by dumping as much physical hardware as possible. 

"The more computing devices there are, the more latency there will be or the more chance there will be for the process to break down," said Ken Beer, general manager of AWS Key Management Service. 

AWS will manage payment hardware security modules (HSMs), a key payments tool for merchant acquirers, which will likely make up most of AWS' clients. HSMs are physical devices that perform payment processing functions such as protecting cryptographic keys, the strings of characters used to encrypt and decrypt payment information. This includes protecting consumer PINs, the information embedded in EMV chip cards and the data that supports contactless mobile payments. HSMs generally protect payments for all major card brands and are subject to independent certification in multiple countries.

"Using hardware for this creates a closed network for the technology," Beer said. "The technology is bespoke and it requires work to update it. We're trying to streamline this." 

Amazon argues that HSMs pose challenges to payment service providers because of their complexity and the number of times data is handled behind the scenes when a payment is made. For each payment, data is exchanged between two or more financial services firms and must be decrypted, processed and encrypted again with a cryptographic key at each step. This creates latency risk at a time when payment settlement speeds are supposed to be increasing due to the growth of real-time payment networks.

AWS remotely manages HSMs for purposes such as generating and validating PINs, the security code of a credit or debit card, and other functions tied to validating a payment in flight. AWS is additionally managing key creation and Payment Card Industry security standards compliance.

Beer contends that this will lower overhead for merchant acquirers by cutting the work required to manage HSMs. Much of this work is not customer-facing or apparent to a consumer when making a payment, but it could show up in settlement delays for merchants or processors. As such, HSMs are not a competitive advantage, but an expense and source of IT work that makes it difficult for smaller merchant service providers and payment processors to operate, he said. 

"We're looking at the undifferentiated heavy lifting," Beer said. "Today there are barriers to entry because of the hardware needed for compliance."

AWS is positioning its HSM cloud service as an alternative to business hardware, putting it in competition with most enterprise technology companies that serve financial services clients. Some of these companies also offer cloud-hosted HSM services. 

Microsoft Azure, for example, offers the Azure Payment HSM, which provides infrastructure as a service to manage cryptographic key operations for real-time payment transactions. Another Microsoft product, Azure Key Vault Managed HSM, enables key management and compliance. And IBM offers an HSM cloud service that manages cryptographic keys.

These firms are responding to a general shift in cloud adoption in financial services to the back office and infrastructure. The percentage of cloud workloads for back office work has grown from just more than 20% to more than a quarter in the past four years, according to Gartner. Cloud deployments for infrastructure have grown from less than a quarter to nearly a third over the same period, Gartner reports.

There's also a need to address the growth in non-hardware payment acceptance, which fuels a broader move away from more traditional technology in the payments industry. 

Mobile point of sale systems have driven a migration away from centralized checkout for more than a decade at merchants of all sizes. And newer payment options such as softPOS do not require specialized hardware, and instead rely on existing smartphone technology to act as the point of sale. SoftPOS providers such as Apple and Google are not payment processors, so the technology requires merchant acquirers that are amenable to working in a fast-evolving retail environment without hardware. 

"POS terminals used to be not just static, but dedicated hardware devices, designed to accept payments and do little else," said Zilvinas Bareisis, a senior analyst at Celent. "With mPOS, and especially now, with softPOS, that has been 'democratized.' Anyone with a smartphone or tablet can start accepting payments, as long as they download the app and sign the acceptance contract."

The software that runs on terminals has been moving to the cloud for a while now, although some areas remain managed in local data centers, like payment HSMs for PIN handling and access points to the payment network, Bareisis said. "That is now finally also starting to change with various providers offering cloud-based HSM solutions and the networks playing their part to virtualize terminals."

MORE FROM AMERICAN BANKER