This post briefs you on best practices in developing a payment gateway; I am not providing low-level details here. The list could be made long, but at a high level I want to give 10 best practices or rules of thumb.
My objective is to make the payment gateway deliver a better success rate, and to be secure, fail-safe, maintainable and scalable. This way you should be able to build a payment gateway that will cater to the requirements of the future.
Here you go...
- Modular and pluggable: A payment gateway has to integrate with different payment processors or acquirers (modules), and a transaction also has to be routed to other core modules, for example a dynamic currency converter, fraud and risk prevention, email/SMS sending, a tokeniser, online real-time notifications etc. Adding each of these features as a module keeps the payment gateway simple, scalable, secure and maintainable. Having different modules for different features also allows parallel processing and the best utilisation of available resources, and all of this helps in giving a better transaction success ratio.
- Defensive programming: By this I mean http://en.wikipedia.org/wiki/Defensive_programming and other techniques to eliminate possible bugs, modular interdependencies, security issues and unforeseen scenarios.
- Secure application development processes: The application development process needs to include automated and manual security testing, code review etc.
- A poor database can kill your payment system: consider going through https://www.onlinepaymentsindia.com/2013/12/databasekills.html
- Single entry/exit points: Each module should have one and only one entry/exit point. This way you can apply proper access controls at the function/module level. It also allows you to handle errors/exceptions in one central place, via a single route.
- Request/Response contract with the client: For the different services that your payment gateway offers to merchants, try to have a limited set of URLs that merchants/users can use. Do not have a long and confusing set of URLs or parameters. The request and response contract with merchants should also be clear and concise: type, minimum length, maximum length, allowed characters and possible values should be clearly defined. This eases payment gateway integration, since your merchants may not have a big technical team to handle the technicalities of your system. The simpler the payment gateway integration, the higher the transaction success rate.
- Batch modules: End-of-day processing, reconciliation, reporting, settlement and some analytics are usually done in batch mode. You need to decide on your batch modules and processes in the initial phase of development; if not, this will turn out to be a big hurdle in the end. If you are using Java, then Spring Batch can be good for batch processing. Before finalising the data model, consider the batch modules as well.
- Crypto: This is sometimes a challenge, because it involves key management and secure storage of keys and cardholder data. This is usually a target of attackers as well. Many different security strategies are possible. At a high level, the following considerations can be good:
  - Divide keys into parts and keep them at different physical/logical locations
  - Encrypt keys
  - Using a unique key per transaction can help
  - Keep tight access controls on keys and key-encryption keys
  - Keep rotating the keys
- SOA: Since a payment gateway is modular software by nature, a service-oriented architecture can lend reusability and performance. We have front-end services, back-end services, batch modules etc. SOA glues modules loosely, with high cohesion and low coupling/interdependencies.
- Consider different industries: A payment gateway is not only about e-commerce card-not-present transactions; it is also about mobile payments, retail card-present transactions, EMV transactions, traditional POS transactions etc. Your data model, access control and application design need to consider this.
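As an added example for the request/response contract point above (not code from the original post), this Python validator encodes a merchant request contract as explicit field specs (type, minimum/maximum length, allowed characters, possible values) and rejects anything outside it, including fields the contract never defined. The field names, limits and sample requests are constructed assumptions, not any real gateway's contract.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FieldSpec:
    """One field of the (hypothetical) merchant request contract."""
    type_: type
    min_len: int = 0
    max_len: int = 255
    pattern: Optional[str] = None        # allowed characters, as a regex
    allowed: Optional[frozenset] = None  # possible values, when enumerated
    required: bool = True

# Constructed sample contract for a "create payment" request (assumed names/limits).
CREATE_PAYMENT_CONTRACT = {
    "merchant_id": FieldSpec(str, 4, 16, r"[A-Z0-9]+"),
    "order_id":    FieldSpec(str, 1, 40, r"[A-Za-z0-9_-]+"),
    "amount":      FieldSpec(str, 1, 12, r"[0-9]+(\.[0-9]{1,2})?"),
    "currency":    FieldSpec(str, 3, 3, allowed=frozenset({"INR", "USD", "EUR"})),
    "channel":     FieldSpec(str, 2, 8, allowed=frozenset({"WEB", "MOBILE", "POS"}),
                             required=False),
}

def validate_request(contract, request):
    """Return a list of error strings; an empty list means the request is acceptable.
    Every field is checked so the merchant gets all problems in one response."""
    errors = []
    # Unknown parameters are rejected: the accepted surface is exactly the contract.
    for name in request:
        if name not in contract:
            errors.append(f"{name}: not part of the contract")
    for name, spec in contract.items():
        if name not in request:
            if spec.required:
                errors.append(f"{name}: missing")
            continue
        value = request[name]
        if not isinstance(value, spec.type_):
            errors.append(f"{name}: expected {spec.type_.__name__}")
            continue
        if not spec.min_len <= len(value) <= spec.max_len:
            errors.append(f"{name}: length must be {spec.min_len}..{spec.max_len}")
        if spec.pattern and not re.fullmatch(spec.pattern, value):
            errors.append(f"{name}: contains characters outside the allowed set")
        if spec.allowed is not None and value not in spec.allowed:
            errors.append(f"{name}: must be one of {sorted(spec.allowed)}")
    return errors
```

A request that passes with an empty error list is the only kind that should reach the routing and processor modules; everything else is answered at the single entry point with the errors listed.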
Follow Payment Technologies for more updates.
You are welcome to reach me with any suggestions and queries. Thanks for reading, and feel free to comment.