Rackspace Unlocked 2014 - Cyber-Duck's PCI Compliance Case Study

Page 1: Rackspace Unlocked 2014 - Cyber-Duck's PCI Compliance Case Study

BUILDING A PAYMENT PORTAL IN THE CLOUD

12May 2014

A case study from Cyber-Duck Ltd Presentation at Rackspace Unlocked

Page 2

Hi. I am Sylvain Reiter, Co-Founder and Development Director, @sylvainreiter

Page 3

PCI Compliance in the Cloud

Case Study from dlc

Project methodology

Technological decisions

Results

Page 4

PCI Compliance…

First published in 2004 (PCI DSS 1.0); maintained since 2006 by the PCI Security Standards Council, and today at version 3.0 (released November 2013)

Sets requirements for protecting cardholder data and preventing fraud, enforced contractually through the card brands and acquiring banks

Applies to every organisation that stores, processes or transmits cardholder data (merchants and service providers)

4 merchant levels, set by annual transaction volume, which determine how compliance is validated (self-assessment questionnaire or on-site assessment by a QSA)

Page 5

… in the Cloud

Still early days

Rapid technological changes

Best suited for demanding systems

Flexible enough for production applications

logicworks.net

Page 6

BUILDING A PAYMENT PORTAL

Page 7

Requirements Gathering

Make sure you involve ALL stakeholders

Document expected outcomes for all flows

Take an agile approach to the timeline

Define business and technical requirements early

Page 8

User Experience Phase

Make informed decisions via historical data analysis

Mock up user journeys on ALL devices

Iterate the prototype using feedback from real users

Carefully optimise the copywriting and ‘calls to action’

Page 9

Technical implementation (1/3)

Select a proven and secure framework

We picked the Laravel framework on PHP 5.4

Take an API-driven approach to ensure modularity and easy exchange with external systems

We used an industry-standard RESTful API with XML/JSON

Page 10

Technical implementation (2/3)

Ensure you have robust and accurate data

We validate every customer record with the back-office system

Store user details in line with the Data Protection Act

We store users’ details only for the duration of the checkout process

Page 11

Technical implementation (3/3)

Delegate PCI to the experts: keep card data off your own servers

We use SagePay’s iFrame technology, shifting responsibilities

Configure strict fraud rules in the payment gateway’s settings

We enforce 3D Secure validation and recommend manual due diligence when addresses mismatch

Page 12

Hosting platform features

Do not compromise on flexible and secure partners

We use Rackspace’s High Performance Clouds

Delegate the technical support to the experts

Rackspace’s monitoring tools and Fanatical Support give us and our client 24/7 peace of mind

Page 13

Hosting platform security

PCI DSS compliance (Requirement 11.2) requires quarterly vulnerability scans; the external scans must be run by an Approved Scanning Vendor (ASV)

Security Metrics, an ASV, handles the scans and reports on the issues found

Private clouds and firewalls protect the data

The database server is not reachable from the outside world, and an iptables firewall restricts which hosts can reach the API endpoint.
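The segmentation described on this slide, written out as an added example. This is not Cyber-Duck's or Rackspace's code: the private addresses, the back-office address, the management network and the assumption that the back-office API listens on its own port (8443) separate from the public HTTPS site are all illustrative, and the constructed script prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: host firewall rules for the two tiers on the slide.
# Not Cyber-Duck's or Rackspace's code. The addresses, the separate API port
# and the management network are assumptions made for illustration:
#   app01        10.10.0.10     web + API tier (private cloud network)
#   db01         10.10.0.20     MySQL, reachable only from app01
#   back-office  203.0.113.40   the client's system that calls the API
#   management   10.10.9.0/24   bastion network allowed to SSH in
#
# Usage:  sh fw.sh db|api            print the rules (dry run)
#         APPLY=1 sh fw.sh db|api    load them with iptables (run as root)

APP_IP="10.10.0.10"
BACKOFFICE_IP="203.0.113.40"
MGMT_NET="10.10.9.0/24"
API_PORT="8443"   # assumed: back-office API on its own listener, not on 443
DB_PORT="3306"

# rule ARGS...: print the iptables command, or execute it when APPLY=1.
rule() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    printf 'iptables %s\n' "$*"
  fi
}

# Common start: flush INPUT, keep loopback and replies to connections this
# host opened, and allow SSH only from the management network. The default
# policy is switched to DROP last (see close_input) so a host being
# configured over SSH is never cut off halfway through loading the rules.
open_input() {
  rule -F INPUT
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  rule -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
}

# Common end: rate-limited log of what is about to be dropped, then default-deny.
# $1 is a tag for the log prefix (no spaces, so the dry-run output stays exact).
close_input() {
  rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "$1-drop:"
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
}

# Database server: the only service exposed is MySQL, and only to the app tier.
# Nothing is reachable from the outside world.
db_rules() {
  open_input
  rule -A INPUT -p tcp --dport "$DB_PORT" -s "$APP_IP" -j ACCEPT
  close_input db01
}

# Web/API server: HTTPS (and HTTP, for the redirect to HTTPS) is public for
# customers; the back-office API listener accepts only the back-office address.
api_rules() {
  open_input
  rule -A INPUT -p tcp --dport 443 -j ACCEPT
  rule -A INPUT -p tcp --dport 80 -j ACCEPT
  rule -A INPUT -p tcp --dport "$API_PORT" -s "$BACKOFFICE_IP" -j ACCEPT
  close_input app01
}

case "${1:-}" in
  db)  db_rules ;;
  api) api_rules ;;
  *)   printf 'usage: %s db|api   (set APPLY=1 to load the rules)\n' "$0" >&2 ;;
esac
```

Run `sh fw.sh db` to review the rules, `APPLY=1 sh fw.sh db` as root on the database host to load them, and `iptables -L INPUT -n -v --line-numbers` afterwards to confirm the order (every ACCEPT before the DROP policy takes effect). Three caveats a practitioner checks: the rules do not survive a reboot unless saved with `iptables-save` or the distribution's persistence package; `ip6tables` needs the same treatment, or an IPv6 address on the host silently bypasses the allow-list; and if the back-office API shares the public 443 listener rather than its own port as assumed here, iptables cannot tell the two apart, so the allow-list must live in the web server's per-path access control instead. The quarterly ASV scan is a useful external confirmation: from the Internet it should see only 80 and 443 on the web tier and nothing at all on the database host.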

Page 14

THE RESULTS

Page 15

4 months post launch…

100% uptime on the platform

Over 10,000 transactions (a 228% increase on pre-launch volume)

40 hours of agent time saved per month (calls and admin)

Great customer feedback; 44% via mobile

Ongoing improvements and new feature developments

Page 16

THANKS FOR YOUR TIME!