
Payment Connectivity, Gateway, Orchestration, and Routing on AWS

1. The document describes a reference architecture for processing QR or wallet payments through various AWS components. 2. It involves customers scanning a business QR code which routes through Amazon Route 53 and API Gateway to a payment processor. 3. The payment request then processes using Amazon ECS/Fargate, with transaction info stored in Amazon Aurora/DynamoDB and session data managed by ElastiCache, with security provided by WAF, Shield, and CloudHSM.

Guidance for Payment Connectivity, Gateway, Orchestration, and Routing on AWS

This reference architecture displays how a quick response (QR) or wallet payment traverses through various components.

[Architecture diagram. Labels: Consumers, Merchants, Amazon Route 53, Amazon CloudFront, Amazon S3, AWS WAF, AWS Shield, Amazon API Gateway, AWS Certificate Manager, VPC, Public subnet, Private subnet, Network Load Balancer, NAT Gateway, Amazon Fargate (Task), Amazon ElastiCache, Amazon Aurora, AWS CloudHSM, AWS PrivateLink, Payment Processor, Card Scheme, Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Registry (Amazon ECR), Amazon DynamoDB. Monitoring and Logging: AWS CloudTrail, Amazon CloudWatch, Amazon OpenSearch Service. Security and Compliance: Amazon GuardDuty, AWS Config, AWS Secrets Manager.]

1. To start, customers scan the business QR code displayed at the checkout page on a website or at the point of sale (POS) terminal.

2. Amazon Route 53 routes traffic to an Amazon API Gateway endpoint where Amazon CloudFront distributes dynamic and static content. AWS security services such as AWS WAF and AWS Shield protect the web applications from common application-layer exploits and against distributed denial-of-service (DDoS) attacks.

3. CloudFront content delivery network (CDN) is used to return resources found in its cache and static resources from Amazon Simple Storage Service (Amazon S3).

4. Amazon API Gateway and Amazon CloudFront can be seamlessly integrated with AWS Certificate Manager. These services manage the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your applications.

5. The request is routed through a Network Load Balancer to distribute incoming traffic across its healthy registered targets.

6. Payment request is processed at application layer using Amazon Elastic Container Service (Amazon ECS) that deploys tasks on AWS Fargate.

7. Payment transaction information is stored in Amazon Aurora or Amazon DynamoDB. Amazon ElastiCache is used as a session store to manage session information in payment processing. AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs).

8. Service logs are collected in Amazon S3 and analyzed and monitored using Amazon OpenSearch Service.

9. At the security and compliance layer, AWS Config evaluates, assesses, and audits configurations of resources. Amazon GuardDuty monitors for malicious activity and unauthorized behavior, protecting AWS accounts and workloads. AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.

10. Payment request outbound traffic is sent to the payment processor through a NAT Gateway that is connected to card schemes for verification.

Reviewed for technical accuracy December 14, 2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
