Amazon Web Services ブログ
MIXI M achieved PCI 3DS certification using AWS Key Management Service(KMS) instead of traditional HSM
MIXI,Inc.(MIXI) has been providing MIXI M, a platform system & wallet service that offers authentication through payment in a one-stop manner, to consumers. On this occasion, MIXI implemented 3D Secure in MIXI M. 3D Secure is a mechanism that confirms the consumer’s purchase intention through additional authentication, realizing a more secure and safe online payment experience.
The following is an visualization of the payment experience including 3D Secure from the consumer’s perspective.
PCI 3DS (Payment Card Industry Data Security Standard) requires the use of an HSM (Hardware Security Module) certified to FIPS 140-2 Level 3 or higher, or PCI PTS certified for some key management. Therefore, AWS Key Management Service(KMS) could not be used previously, but it became compliant in May 2023 because the internal HSM of AWS KMS was upgraded to FIPS 140-2 Level 3. There were no precedent cases of PCI 3DS compliance using AWS KMS at the customer’s planning stage. Through support from AWS, the design progressed with AWS KMS as the primary option instead of AWS Cloud HSM. The primary reason is that MIXI understand the advantages of utilizing AWS KMS and clear points of conversation with the PCI 3DS QSA (Qualified Security Assessor) became apparent.
- Reduction of compliance workload
In case of using AWS, compliance responsibilities are shared between the user and AWS based on a shared responsibility model. The higher the level of abstraction of services used, such as managed services, the smaller the user’s responsibility scope and the more compliance work that can be offloaded to AWS. It was clear that using AWS KMS would reduce the amount of compliance work required compared to the initial plan to use AWS CloudHSM. This was beneficial as ongoing work is needed to maintain compliance after conforming to PCI 3DS. - Reduction of operation workload
In case of using AWS CloudHSM, the user needs to handle some backups of HSMs and cluster management themselves. With AWS KMS, as it is a managed service, everything can be left to AWS. As the customer actively adopts managed services that allow operation with few people, there was a major benefit to using the more managed AWS KMS compared to AWS CloudHSM. - AWS SDK
In case of using AWS CloudHSM, use of HSM standard SDKs like PKCS #11 or OpenSSL Dynamic Engine was needed for accessing keys. With AWS KMS, keys can be accessed using the familiar AWS SDKs, making development and testing easier. - Ease of access control
PCI 3DS has requirements for physical and logical access protection of keys. Physical access is AWS’ responsibility for both services, but logical access protection requires work from both the user and AWS. With AWS CloudHSM, protection must follow the HSM specifications, while with AWS KMS there was a benefit to being able to use key policies and the familiar AWS Identity and Access Management (AWS IAM) system that had been used previously. - Running costs
AWS CloudHSM uses hourly billing so HSM costs are incurred, meaning a minimum configuration of 2 units would cost around $3,400 per month, and adding extra units one by one is needed for scaling out. On the other hand, AWS KMS incurs costs by request, so payment can be made cost-effectively according to the number of requests. Therefore, it was possible to greatly reduce costs from what was originally estimated.
Architecture
We will introduce the architecture involved in implementing 3D Secure in MIXI M.
The customer has been actively utilizing managed services like Amazon API Gateway in MIXI M previously, and also complies with PCI DSS. Operations that use keys managed by AWS KMS are executed via REST API. As long as it is within the request quota defined by AWS KMS, no additional work is incurred due to increases or decreases in access. VPC Endpoint is utilized to call the API through a private route. Changes to keys managed by AWS KMS and key usage can be checked via AWS CloudTrail. Logical access to AWS KMS is managed by key policies, and IAM users or IAM roles that can access keys can be limited from the key side.
Voice of the Customer
Fumitoshi Taoka (Development Head Office, MIXI M Business Division, MIXI Corporation)
Compliance with PCI 3DS was unprecedented and highly challenging for MIXI. When we consulted our AWS account team, they instantly understood our needs and promptly set up a meeting with a security specialist. In the meeting, they provided a lot of useful information, which ultimately allowed us to respond to PCI 3DS compliance rapidly while ensuring security and reliability.
Kosuke Asami (Development Head Office, MIXI M Business Division, MIXI Corporation)
At MIXI M, a small team does full-stack development and operations, so reducing operation and development costs is always the top priority. By using AWS KMS, we were able to significantly reduce the operation costs required for PCI 3DS and focus on developing the 3D secure system. We fully utilize AWS’s fully managed services, and through that, we have reconfirmed that there are major benefits to reducing development and operation costs.
Summary
Our customer, MIXI, was able to keep operation costs low while achieving implementation of 3D secure and compliance with PCI 3DS by utilizing AWS KMS. Going forward, they aim to continue optimizing their architecture by leveraging the benefits of managed services, and advancing implementation of various features that will lead to improving their services.
Authors
- Shuhei Akiyama (Game Solutions Architect)
- Tomohiro Nakashima (Senior Security Solutions Architect)
- Shogo Matsumoto (Head, Sec Assurance, Japan)