In Financial Services, payments have evolved from a commodity into a key differentiator, driven by customer demand for faster, easier, and more seamless payment processing. Expectations from regulators for PCI DSS-compliant workloads have evolved with increased focus on risk reduction, transparency, and standardization. In this space, the need to replace legacy systems, address security concerns, and support a highly seasonal 24/7/365 operation present barriers to innovation. In this chalk talk, we examine how our customers address these concerns by using the AWS Cloud to rapidly build their own scalable payment systems, leveraging PCI DSS-compliant AWS services across compute, database, analytics, and security. Together, we explore traditional design patterns based on our PCI DSS Quick Start, as well as the evolution to managed services, microservices, and serverless services.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Disrupting Traditional Payment
Systems Architecture with AWS
Anthony Galleno
Solution Architect
AWS Financial Services
F S V 3 2 0
Andrew Shortt
Solution Delivery Manager
AWS Financial Services

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Rapid Evolution In Payments
PCI DSS Compliance
PCI Architecture on AWS
Serverless Architectures on AWS
Q & A

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The global payments landscape is shifting
Shift to digital
accelerated by
growing smartphone
adoption and new
channels for non-cash
transactions
New non-banks and
Payment Service
Providers (PSPs) offering
payment services and
technology, enabling
transactions outside
traditional channels
Changing customer
demands including
frictionless payments
experience, one-touch
options, and instant
settlement
Progressive changes
among regulators
promoting transparency,
security, innovation,
interoperability, and
competition

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Consumer demands are driving innovation
Retail and corporate payments customers want faster, easier, digital payments.
Now: Payments as a differentiator
• Firms investing in payments technologies and
processing infrastructure
• Faster, seamless payment experiences and
better use of customer data
• Collaborative payment ecosystem focused on
customer demands
• New payments channels replace cash in small
transactions and increase firm’s revenue
Before: Payments as a commodity
• Small transactions dominated by cash
• Check payments still common
• Most digital payments running on legacy
platforms
• Card payments processing handled by
credit card networks
• Payments considered low profit product by
banks and Payment Service Providers

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customers Innovating Payments with AWS

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS Compliance
“If you accept or process payment cards, the PCI Data Security Standards apply to you.”
In order to connect to the major
card networks, the system you
build must comply with PCI DSS
guidelines and be scoped, audited,
and reviewed by an on-site PCI
Qualified Security Assessor.

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS Compliance on AWS
Scale Compute to match
demand
Advanced data storage
and analytics
Seamless customer
experience
Model Risk, Credit and lending
decisions
Build, test, launch new
features
Serverless/Infrastructure
as code
Security and compliance
Connect payment apps
More than 60 AWS services are PCI-DSS compliant. With pay as you go pricing and global
availability customers can leverage these services to deliver fast, frictionless payment systems.

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS Guidelines on AWS
Build Maintain a Secure Network
and Systems
1. Install and Maintain a Firewall
Configuration to Protect Cardholder Data
2. Do Not Use Vendor-Supplied Defaults for
System Passwords and Other Security
Parameters
VPN Gateway
Protect Cardholder Data
3. Protect Stored Cardholder Data
4. Encrypt transmission of cardholder data
across open, public networks

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS Compliance on AWS
Maintain a Vulnerability
Management Program
5. Protect all systems against malware and
regularly update anti-virus software
6. Develop and maintain secure systems
and applications
Implement Strong Access Controls
7. Restrict Access to Cardholder Data by
Need to know
8. Identify and Authenticate Access to
System Components
9. Restrict Physical Access to Cardholder
Data

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS Compliance on AWS
Regularly Monitor and Test
Networks
10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and
processes Flow logs
Maintain an Information Security
Policy
12. Maintain a policy that addresses
information security for all personnel

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI quick-start on AWS
Availability zone
Public Subnet
VPC
Internet
Private Subnet Private Subnet
RDS MySQL
DB instance
NAT gateway
Availability zone
Public Subnet
Private SubnetPrivate Subnet
Auto Scaling group
Instances Auto Scaling InstancesAuto Scaling NAT gateway
RDS MySQL
DB instance
Auto Scaling group
Instances Auto Scaling InstancesAuto Scaling

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Serverless API Development
POST /v1/pay
GET /v1/preferences/001
paymentbackend.com

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Tuesday, November 27
FSV302 - Transforming Consumer Banking with a 100% Cloud-based Bank
4:45 – 5:45 | Venetian, Level 3, Murano 3205
Thursday, November 29
FSV305 - How HSBC Uses Serverless to Process Millions of Transactions in Real Time
1:00 – 2:00 | Bellagio, Level 1, Grand Ballroom 2

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Serverless API Development
POST /v1/pay
GET /v1/preferences/001
paymentbackend.com

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI quick-start on AWS
Availability zone
Public Subnet
VPC
Internet
Private Subnet Private Subnet
RDS MySQL
DB instance
NAT gateway
Availability zone
Public Subnet
Private SubnetPrivate Subnet
Auto Scaling group
Instances Auto Scaling InstancesAuto Scaling NAT gateway
RDS MySQL
DB instance
Auto Scaling group
Instances Auto Scaling InstancesAuto Scaling

17. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Anthony Galleno
gallenoa@amazon.com
Andrew Shortt
ashortt@amazon.com

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.