PAX ensures PCI compliance controls and customer data protection on Amazon Web Services

Since 4th quarter of 2020, PAX migrate multiple essential SaaS applications from on-premise to Amazon Web Services cloud environment. PAX found that by utilizing traditional third-party security solutions within an on-premise environment, it often encountered problems during the implementation process — for example, security service standards provided by various suppliers were not fully compatible and/or missing critical functionality due to the limitations of the infrastructure. The incapability made integration between security services and the architecture extremely difficult. PAX determined it wanted a more powerful and overarching security solution and began looking at Amazon Web Services to meet its needs.

As an example, to implement Identity and Access Management (IAM) policies in an on-premises environment, solutions differ among various security product providers. Certain third-party security products do not support Single Sign-On (SSO). SSO is important for administrators and operators who manage solutions to help improve operational efficiency and at the same time reduce workload for PCI DSS compliance with regards to access management. Additionally, the IAM policies of those third-party products often do not meet the requirement of PCI-DSS compliance. After our evaluation of the Amazon Web Services security and compliance services, we found that Amazon Web Services makes it easy to implement and maintain PCI DSS compliance and enhance security by subscribing to tools such as, IAM, logging and monitoring solutions, as well as firewall and firewall management, data protection, compliance services and even the option to implement cloud-based HSMs for encryption management.

Shaoyi Li, PAX’s Amazon Web Services cloud security architecture consultant summarized it best “For compliance requirements that are of special concern to important strategic customers, such as FIPS 140-2 Level 3 certification of an HSM, we prefer to use solutions that are more compatible and efficient, while ensuring the stability of our customer services and rapid launch.”

With cloud security critical to its technology stack, PAX chose Amazon Web Services to build its overarching security solutions to support its PCI DSS compliance efforts for enterprise customers, as it started to expand into North America. For example, it uses Amazon Security Hub, which helps check the payment processing environment against PCI DSS controls that apply. Li further explains , "This also lets us centralize management, lower costs, and design a high-quality security architecture that is compatible with our own services."

PAX runs Amazon CloudHSM to meet custom needs of enterprise users in its payment processing gateway environment. PAX's enterprise customers use this to provide services to their own partner merchants in a multi-tenant scenario. These enterprise customers have their own compliance initiatives for protecting payment data. PAX governance requirements mandate the usage of Federal Information Processing Standards (FIPS) 140-2 level 3 or higher or PCI PIN Transaction Security (PTS), Hardware Security Module (HSM) certified HSMs for management of encryption keys utilized within the payment processing environment. Amazon CloudHSM provides FIPS 140-2 Level 3-validated HSM clusters, which can fully meet such needs.

In addition, PAX also provides comprehensive protection for Amazon CloudHSM in multiple aspects, such as disk encryption for the protection of the encryption key itself and its backup, Quorum authentication MFA, HSM user permission management, and identity and access management, to further improve system security. PAX has deployed a highly available architecture for Amazon CloudHSM and designed a disaster recovery solution to improve the reliability and resiliency of the system. PAX uses Amazon Simple Storage Service (Amazon S3), Amazon Lambda, and Amazon EventBridge to better integrate with Amazon CloudHSM in building disaster recovery solutions. More importantly, Amazon CloudHSM is hosted in a single-tenant environment that is fully controlled by PAX and does not share hardware devices or infrastructure with other Amazon Web Services tenants, thereby enhancing security during data transmission.

PAX runs on additional Amazon Web Services including Amazon Identity and Access Management (IAM), Amazon Shield, Amazon WAF, Amazon GuardDuty, Amazon Secret Manager, and Amazon Key Management Service (KMS).

Adopting a single global cloud security service provider not only ensures quality, but also saves PAX time in negotiating, discussing solutions, and familiarizing itself with products from other service suppliers. PAX uses Amazon Web Services security services to minimize the scope of the Cardholder Data Environment (CDE) on the Amazon Web Services. Amazon Web Services regularly achieves third-party validation for thousands of global compliance requirements that it continually monitors to help its customers meet security and compliance standards. PAX inherits the latest security controls operated by Amazon Web Services, strengthening its own compliance and certification programs, while also receiving access to tools it can use to reduce cost and time to run its own specific security assurance requirements. This has helped PAX avoid excessive broad assessment scopes and improve assessment efficiency, accelerate its PCI DSS assessment and shorten the product delivery cycle for enterprise customers by more than 40 percent.

For instance, using Amazon CloudHSM saves time in building infrastructure compared to running proprietary on-premises HSM. PAX also benefits from access to Amazon Web Services' global infrastructure and a network architected to protect its customers’ information, identities, applications, and devices. It can also improve its ability to meet core security and compliance requirements, such as data residency, protection, and confidentiality.

Data synchronization between Amazon CloudHSMs is automatically managed by Amazon Web Services. The management and provisioning of the underlying infrastructure are provided to PAX operations team through APIs, significantly reducing provisioning and making HSM highly available.Amazon CloudHSM’s elasticity nature allows PAX’s operations team to flexibly scale the number of Amazon CloudHSM devices at any time, depending on user connections as its business grows.Compared to local hosting and other third-party services, PAX found Amazon CloudHSM's prices model easy to understand and cost-effective, saving it over 20 percent.

Looking ahead, PAX will comprehensively upgrade its cloud-based design of SaaS services based on Amazon Web Services' Well-Architected Framework. At the same time, PAX will migrate its legacy services from on-premises cloud deployment to Amazon Web Services, and collaborate with Amazon Web Services' Enterprise On-Ramp Support (EOP) team to analyze and optimize costs, best practices in architecture design, and adopt Infrastructure event management (IEM) for critical services’ cloud migrations. PAX also plans to introduce Amazon Web Services' data analysis, Al, and other services into its existing business to better meet user needs.

PAX Global Technology Limited is a leading global supplier of electronic payment terminal solutions, focusing on providing customers with exceptional, cost-effective, and high-quality products and services. In 2021, PAX's annual revenue exceeded HKD $7.1 billion, net profit reached the HKD $1 billion milestone, and Android smart payment terminals grew 78% year-on-year (over HKD $3.2 billion). To date, PAX has shipped over 60 million electronic payment terminals worldwide.