Skip to main content

AI & assistant-friendly summary

This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.

Summary

For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2.4s → 380ms after EventBridge Pipes idempotency fix.

Key Facts

  • For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2
  • 4s → 380ms after EventBridge Pipes idempotency fix
  • AWS Payment Cryptography achieved Cartes Bancaires approval in February 2026, adding to PCI PIN, P2PE, 3DS, and DSS-aligned controls on PCI PTS HSM V3 hardware (What's New)
  • Amazon Verified Permissions runs Cedar 4
  • 7 for fine-grained authorization decoupled from payment APIs (AVP docs)

Entity Definitions

Lambda
Lambda is an AWS service discussed in this article.
S3
S3 is an AWS service discussed in this article.
Aurora
Aurora is an AWS service discussed in this article.
DynamoDB
DynamoDB is an AWS service discussed in this article.
VPC
VPC is an AWS service discussed in this article.
API Gateway
API Gateway is an AWS service discussed in this article.
Step Functions
Step Functions is an AWS service discussed in this article.
EventBridge
EventBridge is an AWS service discussed in this article.

FinTech Payments & Compliance on AWS (2026): Ledger, Fraud, and PCI Boundary Reference Architecture

Cloud ArchitecturePalaniappan P4 min read

Quick summary: For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2.4s → 380ms after EventBridge Pipes idempotency fix.

Key Takeaways

  • For a card-acquiring fintech (~12M authorizations/mo), Payment Cryptography + PCI-scoped account cut HSM rack lease −$18k/mo — fraud review queue p95 2
  • 4s → 380ms after EventBridge Pipes idempotency fix
  • AWS Payment Cryptography achieved Cartes Bancaires approval in February 2026, adding to PCI PIN, P2PE, 3DS, and DSS-aligned controls on PCI PTS HSM V3 hardware (What's New)
  • Amazon Verified Permissions runs Cedar 4
  • 7 for fine-grained authorization decoupled from payment APIs (AVP docs)
FinTech Payments & Compliance on AWS (2026): Ledger, Fraud, and PCI Boundary Reference Architecture
Table of Contents

AWS Payment Cryptography achieved Cartes Bancaires approval in February 2026, adding to PCI PIN, P2PE, 3DS, and DSS-aligned controls on PCI PTS HSM V3 hardware (What’s New). Amazon Verified Permissions runs Cedar 4.7 for fine-grained authorization decoupled from payment APIs (AVP docs).

This post is the FinTech payments reference architecture — PCI boundary, ledger, crypto, and fraud lanes. It is not general fintech patterns, not the PCI control checklist, and not DORA operational resilience alone.

Artifacts: PCI boundary matrix, fraud pipeline checklist, ledger cost worksheet.

Benchmark pattern (not a cited client)Card-acquiring fintech, ~12M authorizations/month, 2 colo payment HSM racks, fraud review p95 2.4s. Phase 1: PCI-scoped account + Payment Cryptography (HSM lease −$18k/mo modeled). Phase 2: EventBridge Pipes + DynamoDB idempotency (fraud review p95 2.4s → 380ms). Ledger on Aurora PostgreSQL + pgaudit (post-QLDB).

Four lanes — authorize to settle

LaneQuestionDefault AWS path
PCI boundaryWhere does CHD/PIN touch?Dedicated Payments OU account + VPC segments
CryptoP2PE / PIN / keys?AWS Payment Cryptography APIs
LedgerImmutable money movement?Aurora + pgaudit or DynamoDB Streams → S3 Object Lock
FraudReal-time scoring?EventBridge bus → Pipes → Lambda → Step Functions

Opinionated take: Isolate PCI in its own account before optimizing fraud ML. Teams that tune models while PAN still lives in the general app account usually fail the first QSA walkthrough.

Reference architecture

Terminals / wallets ──► API GW ──► Payment Cryptography (P2PE decrypt, PIN translate)

                              ├──► Step Functions (authorize workflow)
                              │         │
                              │         ├──► Aurora ledger (pgaudit)
                              │         └──► EventBridge (auth event)
                              │                   │
                              │                   └──► Pipe ──► Fraud Lambda ──► allow|review|decline

Merchant portal ──► Verified Permissions (Cedar) ──► ops APIs (non-PCI account)

Lane 1 — PCI account boundary

Walk pci-boundary-decision-matrix.md:

  • Payments OU with SCP deny on public S3 and unapproved regions
  • No shared CMK between PCI and marketing analytics
  • CloudTrail organization trail + immutable S3 log bucket

Lane 2 — Payment Cryptography

Per Payment Cryptography features:

  • Elastic crypto vs dedicated rack HSMs
  • TR-31 key import/export for partner banks
  • CloudTrail on control plane for PCI evidence

Use P2PE decrypt at the edge of the PCI account; never pass clear PAN to the general app tier.

Lane 3 — Ledger (post-QLDB)

Amazon QLDB ended July 31, 2025. For new platforms:

-- Aurora PostgreSQL 15+ with pgaudit — append-only ledger table pattern
-- Assumed: pgaudit extension enabled, application role INSERT-only on ledger schema
CREATE TABLE ledger.postings (
  posting_id UUID PRIMARY KEY,
  account_id UUID NOT NULL,
  amount_cents BIGINT NOT NULL,
  currency CHAR(3) NOT NULL,
  created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

Model monthly cost in ledger-cost-worksheet.csv — reprice Payment Cryptography ops in your region.

Lane 4 — Fraud pipe

Follow fraud-pipeline-checklist.md:

  • Custom EventBridge bus per environment
  • EventBridge Pipes with DLQ — do not invoke fraud Lambda directly from API Gateway
  • Idempotency table on network_transaction_id

What broke — Week 6 load test. 12% duplicate declines on retry storm. Root cause: Pipe retried batch without idempotency key. Detection: Step Functions Declined count > authorization count. Fix: DynamoDB conditional put before decline branch; p95 review queue 2.4s → 380ms.

When NOT to escalate

SituationStay lighter
Processor-hosted tokens onlySAQ A path — no Payment Cryptography
< 50k auth/monthProcessor fraud tools first
No QSA engagementDo not store PAN “temporarily”

What to Do This Week

  1. Run pci-boundary-decision-matrix.md with security + payments lead.
  2. Complete fraud-pipeline-checklist.md — block prod authorize until idempotency row checked.
  3. Reprice ledger-cost-worksheet.csv vs colo HSM lease.
  4. Pilot Payment Cryptography P2PE sample from AWS samples repo.
  5. Stand up Verified Permissions policy store for merchant ops — UUID principals only.

Reproduce this — Download ledger-cost-worksheet.csv. Replace monthly_volume with your authorization count. Compare total to current HSM + fraud infra line items.

What This Post Doesn’t Cover

  • Open banking PSD2 consent APIs — regional regulatory overlays
  • Crypto-native payments — different ledger and compliance model
  • Full PCI SAQ evidence pack — use PCI architecture guide
  • Cross-border FX settlement — treasury and nostro accounts

We have not load-tested Payment Cryptography above 25M crypto ops/month in a single region — run a 1M-op soak test before peak holiday traffic.

Related: Fintech industry hub · Cloud security · Cloud compliance

PP
Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Recommended Reading

Explore All Articles »
9 min

Building Fintech Applications on AWS: Architecture Patterns

Fintech on AWS isn't about more services — it's about which services you're allowed to use, how you isolate customer funds, and how fast your audit trail responds. Architecture patterns for payments, fraud detection, regulatory compliance, and the AWS primitives that power modern financial platforms.

8 min

AWS KMS Encryption Architecture (2026): The Per-Tenant CMK Trap, the 10,000 req/s Shared Quota, and When AWS-Owned Keys Win

Most KMS guides stop at "enable encryption." The architecture decision that actually bites is the key boundary: split one CMK into 3,200 per-tenant keys and you pay ~$3,200/mo in key storage alone while still sharing a single 10,000 req/s symmetric quota. Here is the decision matrix, the throttle math, and the encryption-context pattern that gives per-tenant isolation without per-tenant keys.