BUILDING A PAYMENT PORTAL IN THE CLOUD
12 May 2014
A case study from Cyber-Duck Ltd Presentation at Rackspace Unlocked
Hi. I am Sylvain Reiter, Co-Founder and Development Director, @sylvainreiter
PCI Compliance in the Cloud
Case Study from dlc
Project methodology
Technological decisions
Results
PCI Compliance…
Introduced in 2004 by a global standards body; today at PCI DSS 3.0
Enforces data security and fraud prevention
Affects all businesses processing payments (merchants and service providers)
4 levels of compliance
… in the Cloud
Still early days
Rapid technological changes
Best suited for demanding systems
Flexible to use and ready for production applications
logicworks.net
BUILDING A PAYMENT PORTAL
Requirements Gathering
Make sure you involve ALL stakeholders
Document expected outcomes for all flows
Take an agile approach to the timeline
Define business and technical requirements early
User Experience Phase
Make informed decisions via historical data analysis
Mock up user journeys on ALL devices
Iterate the prototype with real users’ feedback
Carefully optimise the copywriting and ‘Call to Actions’
Technical implementation (1/3)
Select a proven and secure framework
We picked the PHP 5.4 Laravel framework
Take an API-driven approach to ensure modularity and easy exchange with external systems
We used an industry-standard RESTful API with XML/JSON
Technical implementation (2/3)
Ensure you have robust and accurate data
We validate every customer record with the back-office system
Store user details as per the Data Protection Act
We only store the users’ details during the checkout process
Technical implementation (3/3)
Delegate PCI to the experts
We use SagePay’s iFrame technology, shifting responsibilities
Add rigorous rules to the payment gateway’s settings
We enforce 3D Secure validation and recommend manual due diligence if addresses mismatch
Hosting platform features
Do not compromise on flexible and secure partners
We use Rackspace’s High Performance Clouds
Delegate the technical support to the experts
Rackspace’s monitoring tools and Fanatical Support give us and our client 24/7 peace of mind
Hosting platform security
PCI compliance requires quarterly vulnerability scans
SecurityMetrics handles the scans and reports on issues
Private clouds and firewalls protect the data
The database server is not accessible from the outside world; an iptables firewall restricts access to the API endpoint.
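An added example, not from the slides, of iptables rulesets (iptables-restore format) for the two hosts described above: the database host accepts nothing from the public side and only the app host may reach MySQL, while the API host exposes HTTPS publicly and admin access only from the private network. Assumed values: public interface eth0, private interface eth1, private net 10.0.0.0/24, app/API host 10.0.0.10, MySQL on 3306, API over 443.

```shell
# Added example (not from the slides). Assumed: eth0 = public, eth1 = private,
# private net 10.0.0.0/24, app/API host 10.0.0.10, MySQL 3306, HTTPS 443.
PRIVATE_NET="10.0.0.0/24"
APP_HOST="10.0.0.10"
# Database host: default-deny inbound; MySQL only from the app host over the
# private interface, SSH only from the private net, nothing accepted on eth0.
db_host_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s ${APP_HOST} -p tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -s ${PRIVATE_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "db-drop: "
COMMIT
EOF
}
# API host: HTTPS from anywhere on eth0; admin access only from the private net.
api_host_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -s ${PRIVATE_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "api-drop: "
COMMIT
EOF
}
# Pre-apply check for the DB host: default policy must be DROP and no rule may
# accept traffic arriving on the public interface. Returns 0 when the set is safe.
db_ruleset_ok() {
  rules=$(db_host_rules)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- '-i eth0 .*-j ACCEPT' && return 1
  return 0
}
# Usage (needs root): apply_rules db   or   apply_rules api
apply_rules() {
  case "$1" in db) db_host_rules ;; api) api_host_rules ;; *) return 2 ;; esac | iptables-restore
}
```

Dropped packets are logged with a per-host prefix so the quarterly scans and day-to-day monitoring can show what is probing the private side.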
THE RESULTS
4 months post launch…
100% uptime on the platform
Over 10,000 transactions (a 228% increase on pre-launch)
40h of agent time per month saved (calls & admin time)
Great customer feedback, 44% via mobile
Ongoing improvements and new feature developments
THANKS FOR YOUR TIME!