BBVA Uses AWS CloudHSM to Enable Fully Compliant NFC Payments

When BBVA decided to bring mobile contactless payment technology to its customers, it knew it was in for a challenge. The global financial services group wanted to enable near-field communication (NFC) payments, or contactless payments made by placing a mobile phone near a payment terminal, in its mobile banking app. However, the solution needed to comply with all international and country-specific standards for its products—and mobile contactless payments are subject to particularly strict rules. Because BBVA operates in 35 countries, the company knew that developing a new, internationally compliant solution could be expensive and time consuming.

To facilitate compliance with global requirements and reduce the scope of certification and audits, BBVA chose to build its NFC feature on Amazon Web Services (AWS). After developing and successfully implementing its GP2 solution, which is fully compliant, BBVA became the first financial institution to launch NFC payments in Peru, Argentina, and Colombia.

Founded in 1857, BBVA is present in 35 countries, including Mexico, Spain, Turkey, and Peru. BBVA’s goal is to provide accessible, simple-to-use financial services solutions to address customers’ needs, and it has been recognized as one of the world’s best investment banks for sustainable finance. Compliance with international and country-specific regulations, such as Payment Card Industry Data Security Standard (PCI DSS) requirements, is an important part of BBVA’s business. “PCI DSS regulations are not the only standards we have to meet,” says Alfredo Sanz San Juan, technical manager of global payments and head of the GP2 platform at BBVA. “Global regulatory bodies have their own certifications and requirements, which are sometimes stricter than those of PCI DSS.”

When developing new financial technologies, BBVA must factor in time for PCI DSS certification and audits, which can lengthen project timelines and hinder innovation. The company often strategizes ways to overcome these barriers. “We look for solutions that reduce the time and cost of required audits and do not put company goals or projects at risk,” says Sanz. To develop a globally compliant NFC payment feature in its mobile app, BBVA turned to AWS.

Since 2018, BBVA has used multiple AWS services to build its mobile NFC solution, comply with multiple regulations across agencies, and provide contactless payment capabilities to its customers around the globe.

To enable NFC payments, BBVA needed a hardware security module (HSM) to manage certain security keys. This requirement created a roadblock for the BBVA team. “The HSM was a challenge for us,” says Sanz. “These types of machines are uncommon and have specific and expensive hardware. It is also difficult to scale these systems on premises.” BBVA confronted this problem by building a solution using AWS CloudHSM—a cloud-based HSM that makes it simple for developers to generate and use their own encryption keys on AWS. “Using AWS CloudHSM, we were able to comply with NFC key management requirements without sacrificing high-quality service,” says Sanz. “On AWS, we can scale to meet high levels of demand by auditing or removing HSM instances based on our current needs.”

After developing this initial project, the BBVA team quickly realized it needed to change course. “We realized our architecture was operating over capacity,” says Sanz. “This fact pushed us to develop a solution that would work for more than one use case at a lower cost.” So BBVA implemented Amazon Elastic Kubernetes Service (Amazon EKS)—which provides the flexibility to start, run, and scale Kubernetes on AWS or on premises—as its core architecture. BBVA uses Amazon EKS to scale dynamically based on real-time demand, reducing its operational costs by 80 percent compared to the first solution it developed.

Many AWS services are PCI DSS certified, including AWS CloudHSM, which made it simpler for BBVA to achieve PCI DSS certification. Additionally, the AWS shared responsibility model—an agreement that shares security and compliance responsibilities between AWS and its customers—saved resources during BBVA’s development process. “Using the AWS shared responsibility model, we considerably reduced the time and scope of the PCI DSS audit,” says Sanz. “All points related to physical security and hardware and even the databases were kept out of the scope of the audit because AWS services are PCI DSS certified.” It took 2 months for the GP2 solution to receive PCI DSS certification, a process that would have taken twice as long with an on-premises solution. “We can fulfill several PCI DSS certification requirements by using AWS,” says Sanz.

Moreover, BBVA can deploy and implement features in several countries simultaneously on AWS. If a feature does not work as expected, the company can turn it off quickly, enabling a more agile and flexible development environment. “We have built solutions that improve the way our customers make payments,” says Sanz. “With this scenario, we are able to adapt more accurately and dynamically to real-time demand. And in all this, of course, we can maintain full PCI DSS compliance.”

Using AWS, BBVA was able to build and implement a PCI DSS–compliant solution. The GP2 solution is now live in several countries within BBVA’s domain and serves hundreds of thousands of users. The company also plans to implement its NFC payment solution in more countries.

“Building this solution on AWS improved our pace of innovation and time to market,” says Sanz. “With a flexible solution, we have more payment functionalities on our road map. Our idea is to keep using and growing the solution to deliver all these new features in a global way.”