---
title: FinTech Payments & Compliance on AWS (2026): Ledger, Fraud, and PCI Boundary Reference Architecture
description: For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2.4s → 380ms after EventBridge Pipes idempotency fix.
url: https://www.factualminds.com/blog/aws-fintech-payments-compliance-reference-architecture-2026/
datePublished: 2026-07-07T00:00:00.000Z
dateModified: 2026-07-07T00:00:00.000Z
author: palaniappan-p
category: Cloud Architecture
tags: aws, fintech, payments, pci-dss, payment-cryptography, fraud-detection, architecture, compliance
---

# FinTech Payments & Compliance on AWS (2026): Ledger, Fraud, and PCI Boundary Reference Architecture

> For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2.4s → 380ms after EventBridge Pipes idempotency fix.

**AWS Payment Cryptography** achieved **Cartes Bancaires** approval in **February 2026**, adding to PCI PIN, P2PE, 3DS, and DSS-aligned controls on **PCI PTS HSM V3** hardware ([What's New](https://aws.amazon.com/about-aws/whats-new/2026/02/payment-cryptography-cartes-bancaires/)). **Amazon Verified Permissions** runs **Cedar 4.7** for fine-grained authorization decoupled from payment APIs ([AVP docs](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html)).

This post is the **FinTech payments reference architecture** — PCI boundary, ledger, crypto, and fraud lanes. It is **not** [general fintech patterns](/blog/building-fintech-applications-on-aws-architecture-patterns/), **not** the [PCI control checklist](/blog/pci-dss-compliance-aws-architecture-guide-fintech/), and **not** [DORA operational resilience](/blog/dora-compliance-aws-financial-services/) alone.

Artifacts: [PCI boundary matrix](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/pci-boundary-decision-matrix.md), [fraud pipeline checklist](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/fraud-pipeline-checklist.md), [ledger cost worksheet](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/ledger-cost-worksheet.csv).

> **Benchmark pattern (not a cited client)** — **Card-acquiring fintech**, **~12M** authorizations/month, **2** colo payment HSM racks, fraud review **p95 2.4s**. Phase 1: **PCI-scoped account** + **Payment Cryptography** (**HSM lease −$18k/mo** modeled). Phase 2: **EventBridge Pipes** + DynamoDB idempotency (**fraud review p95 2.4s → 380ms**). Ledger on **Aurora PostgreSQL** + `pgaudit` (post-QLDB).

## Four lanes — authorize to settle

| Lane             | Question                  | Default AWS path                                                |
| ---------------- | ------------------------- | --------------------------------------------------------------- |
| **PCI boundary** | Where does CHD/PIN touch? | Dedicated **Payments OU** account + VPC segments                |
| **Crypto**       | P2PE / PIN / keys?        | **AWS Payment Cryptography** APIs                               |
| **Ledger**       | Immutable money movement? | **Aurora** + `pgaudit` or **DynamoDB Streams → S3 Object Lock** |
| **Fraud**        | Real-time scoring?        | **EventBridge** bus → **Pipes** → Lambda → **Step Functions**   |

**Opinionated take:** **Isolate PCI in its own account before optimizing fraud ML.** Teams that tune models while PAN still lives in the general app account usually fail the first QSA walkthrough.

## Reference architecture

```
Terminals / wallets ──► API GW ──► Payment Cryptography (P2PE decrypt, PIN translate)
                              │
                              ├──► Step Functions (authorize workflow)
                              │         │
                              │         ├──► Aurora ledger (pgaudit)
                              │         └──► EventBridge (auth event)
                              │                   │
                              │                   └──► Pipe ──► Fraud Lambda ──► allow|review|decline
                              │
Merchant portal ──► Verified Permissions (Cedar) ──► ops APIs (non-PCI account)
```

### Lane 1 — PCI account boundary

Walk [pci-boundary-decision-matrix.md](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/pci-boundary-decision-matrix.md):

- **Payments OU** with SCP deny on public S3 and unapproved regions
- No shared CMK between PCI and marketing analytics
- CloudTrail organization trail + immutable S3 log bucket

### Lane 2 — Payment Cryptography

Per [Payment Cryptography features](https://aws.amazon.com/payment-cryptography/features/):

- **Elastic** crypto vs dedicated rack HSMs
- **TR-31** key import/export for partner banks
- **CloudTrail** on control plane for PCI evidence

Use **P2PE decrypt** at the edge of the PCI account; never pass clear PAN to the general app tier.

### Lane 3 — Ledger (post-QLDB)

Amazon QLDB ended **July 31, 2025**. For new platforms:

```sql
-- Aurora PostgreSQL 15+ with pgaudit — append-only ledger table pattern
-- Assumed: pgaudit extension enabled, application role INSERT-only on ledger schema
CREATE TABLE ledger.postings (
  posting_id UUID PRIMARY KEY,
  account_id UUID NOT NULL,
  amount_cents BIGINT NOT NULL,
  currency CHAR(3) NOT NULL,
  created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
```

Model monthly cost in [ledger-cost-worksheet.csv](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/ledger-cost-worksheet.csv) — reprice Payment Cryptography ops in your region.

### Lane 4 — Fraud pipe

Follow [fraud-pipeline-checklist.md](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/fraud-pipeline-checklist.md):

- Custom **EventBridge** bus per environment
- **EventBridge Pipes** with DLQ — do not invoke fraud Lambda directly from API Gateway
- Idempotency table on `network_transaction_id`

> **What broke** — Week 6 load test. **12% duplicate declines** on retry storm. Root cause: Pipe retried batch without idempotency key. **Detection:** Step Functions `Declined` count &gt; authorization count. **Fix:** DynamoDB conditional put before decline branch; **p95 review queue 2.4s → 380ms**.

## When NOT to escalate

| Situation                    | Stay lighter                         |
| ---------------------------- | ------------------------------------ |
| Processor-hosted tokens only | SAQ A path — no Payment Cryptography |
| &lt; 50k auth/month          | Processor fraud tools first          |
| No QSA engagement            | Do not store PAN "temporarily"       |

## What to Do This Week

1. Run [pci-boundary-decision-matrix.md](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/pci-boundary-decision-matrix.md) with security + payments lead.
2. Complete [fraud-pipeline-checklist.md](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/fraud-pipeline-checklist.md) — block prod authorize until idempotency row checked.
3. Reprice [ledger-cost-worksheet.csv](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/ledger-cost-worksheet.csv) vs colo HSM lease.
4. Pilot **Payment Cryptography** P2PE sample from [AWS samples repo](https://github.com/aws-samples/samples-for-payment-cryptography-service).
5. Stand up **Verified Permissions** policy store for merchant ops — UUID principals only.

> **Reproduce this** — Download [ledger-cost-worksheet.csv](https://www.factualminds.com/examples/architecture-blog-2026/fintech-payments/ledger-cost-worksheet.csv). Replace `monthly_volume` with your authorization count. Compare total to current HSM + fraud infra line items.

## What This Post Doesn't Cover

- **Open banking PSD2** consent APIs — regional regulatory overlays
- **Crypto-native payments** — different ledger and compliance model
- **Full PCI SAQ evidence pack** — use [PCI architecture guide](/blog/pci-dss-compliance-aws-architecture-guide-fintech/)
- **Cross-border FX settlement** — treasury and nostro accounts

We have not load-tested **Payment Cryptography** above **25M** crypto ops/month in a single region — run a 1M-op soak test before peak holiday traffic.

**Related:** [Fintech industry hub](/industries/aws-fintech/) · [Cloud security](/services/aws-cloud-security/) · [Cloud compliance](/services/cloud-compliance-services/)

## FAQ

### When should we use AWS Payment Cryptography vs colocated payment HSMs?
Use Payment Cryptography when you need PCI PTS HSM V3 / FIPS 140-2 Level 3 operations (P2PE decrypt, PIN translation, TR-31 key import) without rack ops. Stay on colo HSMs only when a network mandates physical HSM audit in your datacenter and will not accept cloud crypto APIs.

### When should we NOT put PAN in our VPC at all?
When processor tokenization covers your flow — use Stripe/Adyen tokens and keep PCI scope on SAQ A. Do not "encrypt PAN in Postgres" without QSA scope review; that usually expands scope, not shrinks it.

### What replaces Amazon QLDB for new ledgers in 2026?
QLDB was discontinued July 31, 2025. Default: Aurora PostgreSQL with pgaudit + append-only ledger tables, or DynamoDB Streams → S3 Object Lock for very high event volume.

### How does this differ from the general fintech patterns post?
That post covers principles across payments, fraud, and compliance. This post is the lane-based reference architecture with PCI boundary, crypto API placement, and fraud pipe wiring.

### What could go wrong with EventBridge Pipes on the fraud path?
Duplicate declines when pipe retries without idempotency — DynamoDB conditional write on network_transaction_id before Step Functions decline branch.

### Should we use Verified Permissions for merchant RBAC?
Yes when ABAC rules (merchant tier, MCC, region) change faster than IAM policy deployments. Cedar 4.7 policy stores decouple authz from payment code — see Verified Permissions docs.

---

*Source: https://www.factualminds.com/blog/aws-fintech-payments-compliance-reference-architecture-2026/*
