Scalable and Secure Payment Solution with AWS
Payment management is crucial for the operation of product and service providers. Over the years, we have worked with organizations to develop scalable and secure solutions that integrate multiple payment gateways. In this article, we discuss some of the challenges we faced and how we resolved them.
Payment Gateway Integration Challenges
Integrating a payment gateway that allows organizations to receive payments online anywhere in the world presents several important challenges. Firstly, it is crucial to develop a solution that is scalable, secure, and instills trust in customers. Scalability ensures that the payment gateway can handle an increasing number of transactions without compromising performance, while security protects buyers' sensitive information from fraud and cyber-attacks.
A payment gateway solution must be able to cover demand peaks, whether sporadic or constant, always ensuring service availability. This means that the underlying infrastructure must be designed to automatically scale in response to sudden traffic increases, preventing system crashes and ensuring that customers can make purchases at any time and place.
Instilling trust not only involves protecting data but also generating a smooth and frictionless customer experience that minimizes errors. The payment gateway must also offer multiple payment methods and support different currencies, allowing customers to choose the option that best suits their needs and thereby increasing conversion rates.
Architecture of Our Payment Gateway on AWS
As AWS partners, we offer to integrate their services and tools to design and deploy robust solutions for payment processing. In this section, we describe the key components of the architecture of our payment gateway on AWS, highlighting how these elements work together to ensure scalability, availability, security, reliability, flexibility, compliance, and cost management. This integration provides a robust and reliable solution that allows organizations to receive online payments globally, securely, and efficiently.
Let's see how the different components of the solution participate by following a transaction from the moment the customer clicks the payment button to the confirmation that it was processed.
First (1), the application is served from CloudFront and its Edge Locations (AWS's content distribution network) to ensure fast, efficient, and cost-effective delivery of web applications. Static content is served directly from (2) S3 for the same purpose.
The click request reaches our solution and is filtered by WAF (3) to minimize the attack surface. This allows us to control each request, enabling or denying consultation with our payment system and increasing granular control over this layer of the system. The solution is deployed within a VPC (4) to avoid exposing components to the internet, providing greater security for both customers and service providers. This VPC spans two or more availability zones to ensure greater availability in case of an incident in one of them.
The microservice that receives the request is chosen by the ALB (5) and runs as an ECS task (6) on containers orchestrated by Fargate, which launches new instances to provide scalability in response to an increasing number of requests. As a managed service by AWS, it eliminates the operational work of the servers on which it runs.
The request redirection to the payment service is done through the NAT Gateway (7). This component is essential to ensure that instances in private networks can access the internet securely without exposing their private IP addresses. Using third-party payment methods (8) such as Mercado Pago, PayPal, etc., allows us to comply with applicable regulations and laws like PCI DSS, which is delegated to these service providers, ensuring the protection of sensitive data and avoiding penalties.
Additionally, the solution provides a communication layer for external service integrations so they can stay updated and receive events from third-party payment transaction results. This way, the transaction result persists in the relational database service RDS (9). Again, being a managed service by AWS, there is no need to manage security updates, disk space, or backups.
Finally, the action requested by the customer is processed securely through our solution, leaving a detailed record of the transaction. This process integrates with various external services and allows synchronization with them, thus ensuring the necessary availability and performance to obtain an instant result on the purchase request. All this provides a complete, smooth, and secure end-to-end experience.
ISO 9001:2015 Certification
Our development process, certified under the ISO 9001:2015 standard, is heavily based on continuous integration and deployment (CI/CD). To achieve this, we use the AWS development suite, which includes CodeCommit for code management, CodeBuild for its construction, ECR as a Docker image repository, and CodeDeploy for deploying solutions in environments created and managed with CloudFormation.
This allows us to ensure that, in case of incidents, we can reliably and quickly rebuild environments and have absolute traceability of the software in execution.
To maximize business privacy, we use KMS, the AWS key management service, to privately manage system private keys within the CloudFormation infrastructure, ensuring API keys remain private and secure from users within our AWS account.
The solutions use CloudWatch for monitoring and alerts that inform us about suspicious situations and facilitate error debugging.
Objectives Achieved: Better Payment Experience
Our solution allows handling the variable demand of hundreds of thousands of customers, scaling horizontally and, once this excessive demand is over, reverting to real parameters. This keeps infrastructure costs to a minimum, performance at its maximum, and offers the best possible payment experience. It is also flexible enough to adapt to different organizations and payment methods, prioritizing system and data security to provide greater confidence to their customers.
If this project sounded interesting and you are planning to make something similar for your company or institution, contact us. The coffee is on us ;).