
AWS re:Invent 2025 - Last HSM Standing: PayPal POS’s move to AWS Payment Cryptography (SEC215)

AWS Payment Cryptography: PayPal POS's Move to the Cloud

Overview

  • PayPal POS, originally founded as Zettle in 2010, is a provider of mobile payment solutions for small and medium-sized businesses.
  • They previously relied on on-premises hardware security modules (HSMs) to securely process card transactions, but faced challenges with infrastructure management, compliance, and scalability.
  • PayPal POS decided to migrate their payment processing to AWS Payment Cryptography, a cloud-based solution that provides the same functionality as traditional HSMs.

Motivations for Change

  • PayPal POS had a small, lean team that was responsible for managing their entire infrastructure, including data centers, compliance, and payment processing.
  • Spinning up new data centers in different regions was expensive and time-consuming, limiting their ability to expand globally.
  • The team was also burdened by the operational overhead of maintaining and auditing their on-premises HSMs, which was a significant distraction from their core product development.

Migration Approach

  1. Audit Approval: Before starting the migration, PayPal POS had to undergo a delta audit to ensure their new AWS Payment Cryptography setup was PCI P2PE compliant.
  2. Shadowing: They implemented a "shadowing" approach, where they would send all payment requests to both the existing HSM and the new AWS Payment Cryptography service, allowing them to compare performance and correctness.
  3. Gradual Rollout: Due to external dependencies, such as key exchanges with acquirers, PayPal POS rolled out the migration in a gradual, staggered manner, carefully monitoring the transition.
  4. Failover Incident: During a data center incident, PayPal POS was able to quickly shift all traffic to AWS Payment Cryptography, avoiding any customer impact and demonstrating the reliability of the new solution.

Key Benefits

  1. Reduced Operational Burden: PayPal POS no longer has to manage physical HSMs or data centers, nor the compliance audits tied to that hardware, freeing up the team to focus on product development.
  2. Improved Scalability: Launching new regions with AWS Payment Cryptography is significantly easier and more cost-effective, as there is no need to provision additional hardware.
  3. Developer Empowerment: Developers at PayPal POS are now directly interacting with the AWS Payment Cryptography APIs, increasing their ownership and understanding of the payment processing logic.
  4. Reduced Audit Scope: The migration to a cloud-based, API-driven payment cryptography service has significantly reduced the scope and complexity of PayPal POS's PCI compliance audits.

Technical Details

  • AWS Payment Cryptography provides a RESTful API for performing common payment processing operations, such as translating PINs, decrypting data, and generating/validating cryptographic values.
  • The service is fully managed and elastic, allowing PayPal POS to scale up and down as needed without provisioning additional hardware.
  • During the shadowing phase, PayPal POS monitored various metrics, including response time, result discrepancies, and skipped operations, to ensure the new service met their performance and correctness requirements.
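
The shadowing approach from the Migration Approach section, together with the metrics it tracked, sketched as an added Python example (not PayPal POS or AWS code): the live backend always answers the caller, while the shadow backend's result only feeds the discrepancy, latency and skipped-operation counters. Both backends here are constructed stand-ins; in production they would wrap the HSM client and the AWS Payment Cryptography client respectively.

```python
import time
from dataclasses import dataclass, field
@dataclass
class ShadowMetrics:
    """The signals the talk names: latency, result discrepancies, skipped operations."""
    compared: int = 0
    discrepancies: int = 0
    skipped: int = 0
    primary_ms: list = field(default_factory=list)
    shadow_ms: list = field(default_factory=list)

class ShadowRouter:
    """Live result is always returned; the shadow backend only feeds metrics."""
    def __init__(self, primary, shadow, shadow_ops):
        self.primary, self.shadow = primary, shadow
        self.shadow_ops = set(shadow_ops)  # operations already enabled for shadowing
        self.metrics = ShadowMetrics()

    def call(self, op, request):
        t0 = time.perf_counter()
        result = self.primary(op, request)
        self.metrics.primary_ms.append((time.perf_counter() - t0) * 1000)
        if op not in self.shadow_ops:
            self.metrics.skipped += 1  # e.g. acquirer key exchange not yet completed
            return result
        try:
            t1 = time.perf_counter()
            shadow_result = self.shadow(op, request)
            self.metrics.shadow_ms.append((time.perf_counter() - t1) * 1000)
        except Exception:
            self.metrics.skipped += 1  # shadow failure is a metric, not an outage
            return result
        self.metrics.compared += 1
        if shadow_result != result:
            self.metrics.discrepancies += 1
        return result

def fake_backend(accepted_pin_blocks):
    """Constructed stand-in for a PIN backend (not a real HSM or AWS client)."""
    def backend(op, req):
        if op == "verify_pin":
            return {"verified": req["pin_block"] in accepted_pin_blocks}
        return {"pin_block": req["pin_block"][::-1]}  # placeholder translate_pin
    return backend

def run_shadow_sample():
    # The cloud stand-in deliberately accepts one extra PIN block to force a discrepancy.
    router = ShadowRouter(fake_backend({"A1B2"}), fake_backend({"A1B2", "ZZZZ"}), {"verify_pin"})
    router.call("verify_pin", {"pin_block": "A1B2"})     # both agree
    router.call("verify_pin", {"pin_block": "ZZZZ"})     # discrepancy
    router.call("translate_pin", {"pin_block": "A1B2"})  # skipped: not yet shadowed
    return router.metrics
```

Enabling operations one at a time through `shadow_ops` mirrors the staggered rollout driven by acquirer key exchanges, and the discrepancy counter is the signal that must stay at zero before traffic is cut over.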

Business Impact

  • By migrating to AWS Payment Cryptography, PayPal POS was able to expand into new regions more easily and cost-effectively, supporting their growth as a global payment solution provider.
  • The reduced operational overhead and improved developer ownership allowed the team to focus more on product innovation and delivering a better experience for their small and medium-sized business customers.
  • The increased reliability and resilience of the cloud-based payment processing solution helped PayPal POS avoid potential customer-impacting incidents, which is critical for their merchant customers who rely on consistent payment processing.

Conclusion

PayPal POS's migration to AWS Payment Cryptography demonstrates the benefits of moving critical payment processing workloads to the cloud. By leveraging a fully managed, API-driven service, they were able to reduce operational complexity, improve scalability, and empower their development team, all while maintaining the same level of security and compliance as their previous on-premises HSM setup.
