Rackspace Unlocked 2014 - Cyber-Duck's PCI Compliance Case Study
1. BUILDING A PAYMENT PORTAL IN THE CLOUD
12 May 2014
A case study from Cyber-Duck Ltd
Presentation at Rackspace Unlocked
2. Hi. I am Sylvain Reiter
Co-Founder and Development Director
@sylvainreiter
3. PCI Compliance in the Cloud
Case Study from dlc
Project methodology
Technological decisions
Results
4. PCI Compliance…
Introduced in 2004 by a global body; today at PCI DSS 3.0
Enforces data security and fraud prevention
Affects all businesses processing payments (merchants & service providers)
4 levels of compliance
5. … in the Cloud
Still early days
Rapid technological changes
Best suited for demanding systems
Flexible to use and ready for production applications
logicworks.net
7. Requirements Gathering
Make sure you involve ALL stakeholders
Document expected outcomes for all flows
Take an agile approach to the timeline
Define business and technical requirements early
8. User Experience Phase
Make informed decisions via historical data analysis
Mock up user journeys on ALL devices
Iterate the prototype with real users’ feedback
Carefully optimise the copywriting and ‘Call to Actions’
9. Technical implementation (1/3)
Select a proven and secure framework
We picked the PHP 5.4 Laravel framework
Take an API-driven approach to ensure modularity and easy exchange with external systems
We used an industry-standard RESTful API with XML/JSON
10. Technical implementation (2/3)
Ensure you have robust and accurate data
We validate every customer record with the back-office system
Store user details as per the Data Protection Act
We only store the users’ details during the checkout process
11. Technical implementation (3/3)
Delegate PCI to the experts
We use SagePay’s iFrame technology, which shifts card-data handling to the payment provider
Add rigorous rules to the payment gateway’s settings
We enforce 3D Secure validation and recommend manual due diligence if addresses mismatch
12. Hosting platform features
Do not compromise on flexible and secure partners
We use Rackspace’s High Performance Clouds
Delegate the technical support to the experts
Rackspace’s Monitoring tools and Fanatical Support give us and our client 24/7 peace of mind
13. Hosting platform security
PCI compliance requires quarterly vulnerability scans
Security Metrics handles the scans and reports on issues
Private Clouds and Firewalls protect the data
The database server is not accessible from the outside world; an IPTables firewall restricts access to the API endpoint.
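The two host-firewall roles the slide describes, as an added example that is not Cyber-Duck’s or Rackspace’s configuration: a default-deny IPTables ruleset where the database server only accepts its database port from the application server’s private address, and the API endpoint only accepts HTTPS from listed back-office clients. All addresses, the port and the bastion host are constructed placeholders.

```shell
# Constructed values for illustration; replace with the real private addresses.
IPT="${IPT:-iptables}"                       # set IPT=echo to print the rules instead of applying them
APP_HOST="${APP_HOST:-10.0.0.10}"            # private address of the Laravel/API server (assumed)
DB_PORT="${DB_PORT:-3306}"                   # database listener port (MySQL assumed)
BASTION="${BASTION:-10.0.0.2}"               # management host allowed to SSH in (assumed)
API_CLIENTS="${API_CLIENTS:-10.0.0.20 10.0.0.21}"  # back-office systems allowed to call the API (assumed)

# Rules common to both roles: default-deny inbound, keep loopback and
# already-established flows, allow SSH only from the bastion host.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s "$BASTION" -j ACCEPT
}

# Database server: the only inbound service is the database port, and only
# the application server's private address may reach it. No public exposure.
db_server_rules() {
    base_rules
    $IPT -A INPUT -p tcp --dport "$DB_PORT" -s "$APP_HOST" -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "db-drop: "
}

# API endpoint: HTTPS only, and only from the listed client addresses.
# Everything else falls through to the DROP policy after being rate-limit logged.
api_server_rules() {
    base_rules
    for src in $API_CLIENTS; do
        $IPT -A INPUT -p tcp --dport 443 -s "$src" -j ACCEPT
    done
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "api-drop: "
}

# Apply the role given on the command line: "db" or "api". No argument, no change.
case "${1:-}" in
    db)  db_server_rules ;;
    api) api_server_rules ;;
esac
```

Run `IPT=echo sh firewall.sh db` first to review the generated rules, then apply as root and confirm with `iptables -S` that the policy line reads `-P INPUT DROP`.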
15. 4 months post launch…
100% uptime on the platform
Over 10,000 transactions (228% increase from pre-launch)
40h of agent time per month saved (calls & admin time)
Great customer feedback, 44% via mobile
Ongoing improvements and new feature developments