AWS for Industries

Protect payment workloads through AWS Marketplace with Futurex’s cloud payment HSMs

Payment data security architecture is undergoing a tremendous evolution. Increasing volumes of payments are moving to mobile devices, FinTechs and neobanks are growing in prominence, and many FSIs are taking a cloud-first approach to serving their customers. This post details how AWS and Futurex have worked together to offer a streamlined method for organizations to move their payment processing to the cloud.

Hardware security modules (HSMs) are a critical component underpinning the security of global financial transactions. HSMs perform encryption and key management tasks inside a physically secure boundary, which protects the keys they hold from sophisticated physical and logical attack vectors. When used in payment environments, HSMs must be certified under rigorous standards, including NIST’s Federal Information Processing Standard (FIPS) or the PCI Security Standards Council’s PCI HSM requirements.

In the financial services industry, HSMs designed specifically for payments, such as Futurex’s Excrypt SSP Enterprise v.2, are used to fulfill a range of use cases:

  • Payment transaction acquiring
    • PIN, CVV, and EMV management (generation, translation, or verification)
    • Message Authentication Code (MAC) generation and validation
    • Mobile payment acceptance
    • Point-to-Point Encryption (P2PE) and tokenization
    • Payment key management
  • Card and mobile issuance
    • PIN, offset, and CVV generation
    • Online and mobile PIN management
    • EMV key generation and derivation
    • Mobile payment issuance
    • Point of Sale and ATM remote key loading

Payment HSMs were traditionally deployed on-premises, principally due to regulatory standards such as PCI DSS, PCI PIN, and PCI P2PE that govern the secure processing of sensitive cardholder data. When Futurex introduced its VirtuCrypt cloud payment HSM service and made it available through AWS Marketplace, it allowed organizations to move away from their on-premises payment HSMs to the cloud. Many organizations have since moved their payment applications to AWS, in conjunction with Futurex’s cloud payment HSMs, to increase scalability and redundancy, as well as reduce internal IT operations so that they can focus on their core competencies.

Cloud payment HSMs offer the same cryptographic functionality as on-premises payment HSMs. This means compliance requirements are met and end-to-end security is maintained, while the implementation and maintenance burden on IT and security staff is reduced.

Cloud payment HSM service components

The following service components are involved when integrating AWS environments with Futurex’s VirtuCrypt cloud payment HSMs:

AWS

FUTUREX

  • VirtuCrypt Intelligence Portal account
  • Cryptoverse
  • CryptoTunnel
  • VirtuCrypt Access Point (VAP)

VIRTUCRYPT INTELLIGENCE PORTAL (VIP) ACCOUNT

The VirtuCrypt Intelligence Portal is how users manage their cloud payment HSM service. The VIP allows for the management and monitoring of cloud payment HSMs. This includes provisioning and de-provisioning cloud payment HSMs across worldwide data centers, assigning them to load balancing clusters, and establishing TLS tunnels for payment applications running inside of AWS.

CRYPTOVERSE

Using a PKI managed by Futurex, a Cryptoverse isolates the services to which a user’s AWS applications have access. A Cryptoverse enforces mutual authentication and strong encryption with all endpoints. Services are isolated by their Cryptoverse, and users must download TLS certificates so that their remote applications can authenticate to each service.

CRYPTOTUNNEL

A CryptoTunnel defines the connection parameters to VirtuCrypt. It consists of a name, the Cryptoverse used to authenticate incoming clients, the service to which the tunnel will be routed (the cloud payment HSM), the incoming connection from AWS, the AWS region that the payment application workload will be operated within, and any information that must be allow-listed.

VIRTUCRYPT ACCESS POINT

A VAP is a Futurex-administered VPC that enables access to cloud payment HSMs from AWS in a secure manner without transiting the public Internet. Although optional, VAPs greatly simplify the connection process, add security for data in transit, and reduce latency when a user’s AWS Regions are geographically distanced from Futurex’s data centers.

Onboarding and initial setup steps

  1. Sign up for a cloud payment HSM service on AWS Marketplace.
  2. Create a VirtuCrypt Intelligence Portal account.
  3. Provision cloud payment HSMs and assign them to load balancing clusters.
  4. Create CryptoTunnels and download Cryptoverse PKI certificates for application authentication.
  5. Create an endpoint connection from the user’s AWS VPC to the VAP.
  6. Test the connection with an ECHO command to confirm connectivity.

These steps are described in detail as follows:

  1. The deployment process begins by signing up for a cloud payment HSM service on AWS Marketplace. Cloud payment HSMs are licensed through an online subscription and rely on Futurex’s external data center environments, so they fall under the Software-as-a-Service (SaaS) category.
  2. After signing up, users register on the VirtuCrypt Intelligence Portal. Once there, they either create a new VIP account or sign into an existing account. Futurex then associates the service with the account, which places the service status into a pending state while customer identities are verified and connected. Once the service has been successfully connected, the user can provision their cloud payment HSMs.
  3. Cloud payment HSMs can be provisioned and deprovisioned by the end user within the VIP. At the time of provisioning, the user selects the Futurex global regions where their cloud payment HSMs will be deployed. After the cloud payment HSMs are deployed, the user also has the option of cloning them. This can be useful when setting up a multi-region high availability environment.
  4. After provisioning cloud payment HSMs and assigning them to load balancing clusters for high availability, CryptoTunnels must be created. CryptoTunnels create a TLS tunnel between payment applications running inside of the user’s AWS environment and their cloud payment HSMs. CryptoTunnels can be used for Futurex’s Excrypt API in either a socket-based or RESTful format, as well as in compatibility modes to replace alternate or legacy HSM vendors without making any payment application code changes.
  5. Once the CryptoTunnel has been established, a VAP (described in the VirtuCrypt Access Point section above), if one is being used, can be connected. Futurex offers VAPs from all of the AWS Regions worldwide, with most Regions also offering a special high-speed (direct connect) VAP. A site-to-site VPN can be established to connect the VAP to the CryptoTunnel.
  6. To test the connection, send a simple ECHO command. If migrating from an alternate payment HSM vendor, one of Futurex’s compatibility mode APIs can be used, as can Futurex’s native Excrypt API:

[AOECHO;AGI just provisioned my first cloud payment HSM;]
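The following Python client is an added example, not Futurex’s or AWS’s own code, showing how a payment application could run this ECHO connectivity test over the mutually authenticated TLS tunnel described above. The message framing (square brackets, semicolon-separated fields, each a two-letter tag followed by its value) follows the ECHO command shown in the post; everything else is assumed: the CryptoTunnel host and port, the file names of the Cryptoverse CA certificate and the client certificate and key, and that the HSM’s reply is framed the same way as the request.

```python
"""Excrypt-style ECHO connectivity check over a mutually authenticated TLS tunnel.

Added example; not Futurex's or AWS's own code. Assumed, not taken from the
post: the CryptoTunnel host and port, the file names of the Cryptoverse
certificate and key, and that the HSM's reply is framed like the request
(e.g. [AOECHO;AG<text>;]). The message framing itself follows the post's
example: '[' + ';'-separated fields, each a two-letter tag plus value, + ';]'.
"""
import socket
import ssl
from typing import Dict, Tuple

FRAMING = "[];"  # characters that delimit a message and its fields


def build_command(command: str, fields: Dict[str, str]) -> str:
    """Serialise a command, e.g. build_command("ECHO", {"AG": "hi"}) -> '[AOECHO;AGhi;]'.

    AO carries the command name; every other field is a two-letter tag
    followed immediately by its value (no separator between tag and value).
    """
    if not command or any(c in FRAMING for c in command):
        raise ValueError("command name is empty or contains framing characters")
    parts = [f"AO{command}"]
    for tag, value in fields.items():
        if len(tag) != 2 or not (tag.isascii() and tag.isalpha() and tag.isupper()):
            raise ValueError(f"field tag must be two upper-case letters: {tag!r}")
        if any(c in FRAMING for c in value):
            raise ValueError(f"value for {tag} contains framing characters")
        parts.append(f"{tag}{value}")
    return "[" + ";".join(parts) + ";]"


def parse_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse '[AOECHO;AGhi;]' into ('ECHO', {'AG': 'hi'}); reject malformed input."""
    if len(raw) < 2 or raw[0] != "[" or raw[-1] != "]":
        raise ValueError("message is not bracket-framed")
    command = None
    fields: Dict[str, str] = {}
    for token in raw[1:-1].split(";"):
        if token == "":  # the trailing ';' before ']' yields one empty token
            continue
        if len(token) < 2:
            raise ValueError(f"field too short to carry a tag: {token!r}")
        tag, value = token[:2], token[2:]
        if tag == "AO":
            command = value
        else:
            fields[tag] = value
    if command is None:
        raise ValueError("message has no AO (command) field")
    return command, fields


def echo_round_trip_ok(sent_text: str, reply: str) -> bool:
    """True only when the reply is an ECHO carrying exactly the text that was sent."""
    try:
        command, fields = parse_message(reply)
    except ValueError:
        return False
    return command == "ECHO" and fields.get("AG") == sent_text


def make_tls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Mutual TLS: verify the tunnel against the Cryptoverse CA and present our client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # client-side authentication
    return ctx


def send_echo(host: str, port: int, ctx: ssl.SSLContext, text: str, timeout: float = 10.0) -> str:
    """Send one ECHO over the tunnel and return the raw reply (read until the closing ']')."""
    request = build_command("ECHO", {"AG": text}).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            buf = b""
            while not buf.endswith(b"]"):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("tunnel closed before a complete reply arrived")
                buf += chunk
    return buf.decode("ascii")


if __name__ == "__main__":
    # Hypothetical endpoint and file names; replace with the values from your CryptoTunnel.
    tls_ctx = make_tls_context("cryptoverse-ca.pem", "client-cert.pem", "client-key.pem")
    message = "I just provisioned my first cloud payment HSM"
    answer = send_echo("cryptotunnel.example", 9000, tls_ctx, message)
    print("connectivity OK" if echo_round_trip_ok(message, answer) else f"unexpected reply: {answer}")
```

The context rejects anything below TLS 1.2, verifies the tunnel endpoint against the Cryptoverse CA rather than the system trust store, and presents the client certificate so the Cryptoverse can authenticate the application; the serialiser refuses field values containing the framing characters so that application-supplied text cannot smuggle extra fields into a command.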

AWS Connectivity to Futurex’s VirtuCrypt Cloud Payment HSMs – Reference Architecture


Key management for cloud payment HSMs

Managing cryptographic keys for cloud payment HSMs can be a complex process involving dual control, split knowledge, and multi-party key escrow. For this, Futurex offers two key management methods to simplify the process. When selecting a key management methodology, organizations should consider their key management team’s maturity, as many customers don’t have a dedicated key management team, so offloading key management could benefit them.

BRING YOUR OWN KEYS (BYOK) – CUSTOMER-CONTROLLED CRYPTOGRAPHIC KEYS

Organizations wanting to manage their own keys can use the Excrypt Touch – Futurex’s FIPS 140-2 Level 3 and PCI HSM validated tablet – remotely from anywhere in the world. The Excrypt Touch lets administrators establish a remote TLS connection with mutual authentication and load clear keys to VirtuCrypt cloud payment HSMs.


Loading keys with the Excrypt Touch uses double encipherment for key components. Double encipherment provides additional security by encrypting each component under two separate keys; to decrypt, the double encipherment process is reversed, again using two entirely separate key pairs. The keys used for this purpose are further protected by being ephemeral. Ephemeral keys are temporary, can only be used once, and never leave the HSMs in the clear. As soon as the ephemeral keys have been used to encrypt or decrypt the data, they are destroyed.

KEY AGENT SERVICES

For organizations desiring key management assistance, Futurex’s key agent team can compliantly load keys into VirtuCrypt cloud payment HSMs. This service lets VirtuCrypt take care of the handling, loading, and storage of key components. However, key ownership remains with the customer. The policies and procedures surrounding the key agent service option are reviewed as part of Futurex’s PCI PIN audit process.

This method is used most frequently by financial services customers. When using the key agent services, certain compliance requirements must be fulfilled that relate specifically to the secure shipment of components. As part of the onboarding and key loading process, customers are provided with detailed instructions.

Selecting a Cloud Payment HSM from AWS Marketplace

When deciding which options to select from Futurex’s cloud payment HSM page on AWS Marketplace, a number of factors must be considered.

In addition, many organizations choose to work with Futurex to help craft a cloud payment HSM environment suited to their current and anticipated future needs. Once this environment is designed, an AWS Marketplace private offer can be created. This bundles all of the solution components together into a single package for ease of deployment, billing, and management.


FUNCTIONALITY (SELECTED THROUGH AWS MARKETPLACE)

The first question an organization must answer when selecting a cloud payment HSM concerns the functionality its payment application requires. Futurex offers three categories of cloud payment HSMs: transaction acquiring, card and mobile issuance, and a development/UAT environment for testing HSM functionality.

SPEED (SELECTED THROUGH AWS MARKETPLACE)

Futurex’s VirtuCrypt cloud payment HSMs are offered in multiple tiers of speed that are measured in transactions per second (TPS). These range from 50 TPS for the most basic option, to 250 and 1000 TPS options at the mid-range, all the way to tens of thousands of TPS and beyond.

The best way to determine the required throughput is to review existing application metrics. Analyzing peak periods, such as during holiday purchasing seasons, can help determine the required throughput. Furthermore, as an organization’s needs grow, speed can easily be increased by adding cloud payment HSMs or by upgrading existing instances.

VAP (SELECTED THROUGH AWS MARKETPLACE)

VAPs enable direct connection between payment applications running inside a user’s AWS environment and their cloud payment HSMs. They are optional, and the alternative is to connect directly over the public Internet.

The necessary quantity of VAPs is determined by the number of AWS Regions where the user’s payment application will be running, as well as the number of VirtuCrypt data centers in use. For example, if a user is running their payment application in redundant VPCs split between AWS eu-central-1 and eu-west-3, and they would like redundant cloud payment HSMs in Futurex’s Frankfurt and Amsterdam data centers, then they would use four VAPs.

For environments that demand low latency, high-speed VAPs are also offered that use direct connections between Futurex data centers and AWS Regions.

SERVICE LEVEL AGREEMENTS (SELECTED THROUGH AWS MARKETPLACE PRIVATE OFFERS)

Futurex offers a range of Service Level Agreements (SLA) to provide additional assurance that uptime requirements will be met. SLA options of 99.9%, 99.99%, and 99.999%+ are offered, based on the number of cloud payment HSMs in use.

DISASTER RECOVERY AND HIGH AVAILABILITY (SELECTED THROUGH AWS MARKETPLACE PRIVATE OFFERS)

Although many organizations rely on their SLA selection to guide their disaster recovery strategy, some prefer to specify the quantity and location of their cloud payment HSMs. Cloud payment HSMs can be clustered across multiple data centers for geographic redundancy, in addition to active-active redundancy within a single data center.

BARE METAL DEDICATED HARDWARE (SELECTED THROUGH AWS MARKETPLACE PRIVATE OFFERS)

Enterprise organizations often prefer to use dedicated HSM hardware of their own, which is an option Futurex offers. Bare metal provides organizations with dedicated physical HSMs within Futurex’s data centers, as well as individual cloud payment HSMs that can be provisioned on that hardware.

Conclusion

Migrating payment applications to AWS is a fast-growing trend among financial services providers. Making the same leap with payment HSMs, however, takes careful thought and consideration.

Whether exploring a migration from a legacy HSM provider, deploying a hybrid environment paired with existing on-premises Futurex HSMs, or fully transitioning to the cloud, cloud payment HSMs can provide significant operational and cost advantages.

When developing a cloud strategy for payments, the topics outlined in this post are important to consider. Above all, it’s vital that organizations work closely with their account managers and solutions architects at AWS and Futurex to design an environment that will meet both their current and future needs.

For More Information

Karthik Krishnan


Karthik Krishnan is a Principal Solutions Architect at AWS. He helps customers with building cloud ready products and enjoys design and architecture using AWS. In his current role, he assists ISVs to package their products and solutions into AWS Marketplace platform.

Adam Cason


Adam Cason is VP of Global and Strategic Alliances at Futurex, where he manages Futurex’s channel, OEM, and technology partner ecosystem. He has a strong technical background and deep knowledge of hardware security modules, cloud security, key management, and enterprise cryptographic ecosystems. He began his career at Futurex as a Solutions Architect, working with enterprise customers worldwide on technology deployments, system architecture, and payments industry best practices.

Sudhir Kalidindi


Sudhir Kalidindi is an AWS Principal Solutions Architect in Financial Services with 22+ years of experience in software architecture and the development of solutions involving business and critical workloads. He helps payments customers to innovate on the AWS Cloud by providing solutions using AWS products and services.