Guest Blog by Braulio Lam, Co-Founder and CTO at Pungle
Building a modern payments platform is challenging enough as it is. There are different aspects to take into account when building a platform to handle payment transactions in real-time. The challenge becomes more complex when you build it directly in the cloud. By that I mean, not just hosting the platform in the cloud but also building key components of the payments process using ‘native’ cloud services. There are pros and cons to this approach but that is another blog post! In this post, I will talk about what are some of the things you need to know about building a modern payments platform in the cloud.
Which cloud infrastructure do I choose?
This is probably the one question you are going to spend the most time on. Not because it is the most complex, but because there are lots of options out there nowadays. Here are some of the things we considered:
Security - is the provider PCI compliant? Can they enforce protection mechanisms and policies to protect our application and data?
Reliability - can the provider give 24/7 services? Will transactions ever be ‘lost’?
Scalability - can they increase/decrease our throughput as needed?
Are all cloud services made equal? Unfortunately no. Depending on your company’s requirements (and policies?) you may choose one versus the other. We chose Amazon Web Services (AWS) because they provide us with various services (out-of-the-box) in all of the three mentioned criteria, allowing our developers to focus on specific domains of expertise while running a lean development team.
What about PCI Security?
Sure, all cloud service providers are ‘secure’ and provide some level of PCI compliance. What’s important when architecting your payments platform in the cloud is to know which specific cloud services you are going to use from your provider. For example, do you need a key management service like AWS KMS? What about a web application firewall (WAF) for protection against cross-site scripting and SQL injections? Once you know which cloud services you want to use, figure out what are the PCI implications. This will help you determine if you can rely 100% on the provider for PCI compliance or not and what that means for you in terms of being PCI compliant.
Remember that a key requirement of PCI compliance is ‘roles and responsibilities’ of all parties, so knowing who is responsible for what in all aspects of your payments infrastructure and architecture is very important. This may vary from one cloud provider to another.
You will win and lose customers based on the reliability of your payments platform. Now more than ever, it’s simpler (not simple) to build highly reliable solutions in the cloud. With the emergence of big data, machine learning and artificial intelligence, cloud service providers have spent a lot of resources making sure they can compete in these fields.
When it comes to payments, transaction messages can never be ‘lost’. It is simply too expensive to resolve these issues that seem to be a regular thing with existing legacy bank infrastructure.
The service provider you choose should be able to provide you with things like a queuing messaging service that can encrypt data on the fly or perform basic analytics on the data as it is being processed. Or support for other off the shelf services like Kafka or Solace.
How to Handle Growth?
The best problem to have for any payments platform is how to handle high volume of payments. Luckily for you, most cloud service providers can easily scale up or down based on various key metrics including the amount of traffic on the system.
I think that what’s important here is to be able to dynamically scale up or down, based on transaction volume. The payments platform should be able to scale itself as needed based on certain parameters in the system. Furthermore, you should be able to add custom rules in order to achieve the desirable scalability at any given point in time.
Long gone are the late nights and weekends at the data centre adding servers, upgrading memory or rerouting traffic from one old machine to another old machine.
Know Your Customer
Last but not least, you must know your customer - the developers!
Yes, ultimately your developers will be the ones who will have to work with your cloud services provider on a daily basis and therefore, they need to be involved in the process from day one.
Keep in mind that choosing a cloud service provider has implications to your development, dev-ops and IT security teams. Get them involved as soon as possible.
Ps. Do not cheap out on support! Your teams will need it.
The Pungle Payments Platform
Pungle leverages various AWS services and technologies in order to deliver highly available and highly reliable real-time payment services via Visa Direct. As well, Pungle provides its clients with proprietary real-time fraud prevention services and real-time data analysis using AWS services. In particular, we use SQS, Kinesis, KMS and Auto Scale amongst other services in order to process high volume payments in a secure cloud environment. Other technologies in our stack include Elixir, Golang, Scala, and Kafka.
About the author
Braulio Lam is co-founder and CTO at Pungle. Braulio is a software engineering leader, specializing in software engineering and management, with a focus on engineering process and software quality. Prior to starting Pungle, Braulio was responsible for software development and network operations at Home Trust Company supporting merchant services and prepaid issuing.
Before that, Braulio held various engineering leadership roles and worked for some very successful startups in Toronto, including Truition, Real Matters, Shop.ca, and Terapeak.
Braulio is a Professional Engineer and has a Bachelor of Engineering from Carleton University.