4. BUILDING A PAYMENT PORTAL
IN THE CLOUD
12 May 2014
A case study from Cyber-Duck Ltd
Presentation at Rackspace Unlocked
5. Hi. I am Sylvain Reiter
Co-Founder and Development Director
@sylvainreiter
6. PCI Compliance in the Cloud
Case Study from dlc
Project methodology
Technological decisions
Results
7. PCI Compliance…
PCI DSS was introduced in 2004 and has been governed by the PCI Security Standards Council since 2006; the current version is PCI DSS 3.0
Affects all businesses that process card payments (merchants and
service providers)
Enforces data security and fraud prevention
4 merchant compliance levels, set by annual card transaction volume
8. … in the Cloud
Still early days
Rapid technological changes
Best suited for demanding systems
Flexible enough for production applications
10. Requirements Gathering
Make sure you involve ALL stakeholders
Document expected outcomes for all flows
Take an agile approach to the timeline
Define business and technical requirements early
11. User Experience Phase
Make informed decisions via historical data analysis
Mock up user journeys on ALL devices
Iterate the prototype with real users' feedback
Carefully optimise the copywriting and the "Calls to Action"
12. Technical implementation (1/3)
Select a proven and secure framework
We picked the Laravel framework on PHP 5.4
Take an API-driven approach to ensure modularity and easy
exchange with external systems
We used industry-standard RESTful methods and XML
13. Technical implementation (2/3)
Ensure you have robust and accurate data
We validate every customer record against the back-office
system before the checkout continues
Store user details only as the Data Protection Act permits
We only store the users' details for the duration of the checkout process
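The back-office validation step above, as an added example that is not Cyber-Duck's or dlc's code. It is written in Python rather than the deck's PHP, and the XML layout (a `<customer>` element with `<reference>`, `<surname>` and `<postcode>` children) and the field names are assumptions for illustration. The caveat it carries is that a reply from an external system over the deck's REST/XML exchange is still untrusted input, so the parser refuses DOCTYPE and ENTITY declarations before handing the document to the XML library.

```python
"""Added example, not Cyber-Duck's or dlc's code: validate a customer
record fetched from a back-office system over a REST/XML exchange
before the checkout continues.  The <customer> layout and the field
names are assumptions for illustration."""

import re
import xml.etree.ElementTree as ET

REQUIRED_FIELDS = ("reference", "surname", "postcode")


def parse_customer_record(xml_bytes: bytes) -> dict:
    """Parse a back-office <customer> document into a dict of the
    required fields, rejecting anything that is not the plain shape
    we expect."""
    # Refuse DOCTYPE/ENTITY declarations outright: entity declarations are
    # how XXE and entity-expansion attacks arrive, and a record exchange
    # never needs them.  (In production prefer the defusedxml package.)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("entity declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag != "customer":
        raise ValueError(f"unexpected root element {root.tag!r}")
    record = {}
    for name in REQUIRED_FIELDS:
        element = root.find(name)
        text = (element.text or "").strip() if element is not None else ""
        if not text:
            raise ValueError(f"missing or empty <{name}>")
        record[name] = text
    return record


def _normalise(field: str, value: str) -> str:
    """Case- and whitespace-insensitive comparison form of a field."""
    value = value.strip().casefold()
    if field == "postcode":
        value = re.sub(r"\s+", "", value)  # "SW1A 1AA" matches "sw1a1aa"
    return value


def matches_checkout(record: dict, submitted: dict) -> tuple[bool, list[str]]:
    """Compare what the customer typed at checkout against the
    back-office record.  Returns (ok, names of mismatching fields)."""
    mismatches = [
        name for name in REQUIRED_FIELDS
        if _normalise(name, record[name]) != _normalise(name, submitted.get(name, ""))
    ]
    return (not mismatches, mismatches)


# Constructed sample: a back-office reply and what the customer typed.
SAMPLE_XML = b"""<?xml version="1.0"?>
<customer>
  <reference>ACC-1001</reference>
  <surname>Smith</surname>
  <postcode>SW1A 1AA</postcode>
</customer>"""

SAMPLE_SUBMITTED = {"reference": "acc-1001", "surname": "SMITH", "postcode": "sw1a1aa"}

if __name__ == "__main__":
    rec = parse_customer_record(SAMPLE_XML)
    print(rec, matches_checkout(rec, SAMPLE_SUBMITTED))
```

The record returned by `parse_customer_record` is only held for the comparison; it is not written anywhere, which keeps the "details only during checkout" rule from the slide intact.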
14. Technical implementation (3/3)
Delegate PCI to the experts
We use Sage Pay's iFrame technology, shifting responsibility for card data to the gateway (card details never touch our servers; under PCI DSS 3.0 this keeps the merchant within the scope of SAQ A, though the page hosting the iFrame must still be protected)
Add rigorous rules to the payment gateway's settings
We enforce 3D Secure authentication and recommend manual due
diligence when the address check reports a mismatch
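The two gateway rules above, worked through as the server-side decision the portal makes when the gateway notifies it of a transaction outcome. This is an added example in Python, not Cyber-Duck's or Sage Pay's code. The field names (`VendorTxCode`, `Status`, `3DSecureStatus`, `AddressResult`, `PostCodeResult`, `CV2Result`) follow the Sage Pay Server notification format as I recall it and are assumptions here; the rules on 3D Secure and address mismatch are the deck's, while the rejection of a CV2 mismatch and the pending-order check are assumed additions.

```python
"""Added example, not Cyber-Duck's or Sage Pay's code: map a payment
gateway notification to an order decision.  Field names are assumed
to follow the Sage Pay Server notification format; the 3D Secure and
address-mismatch rules come from the deck, the CV2 and pending-order
rules are assumptions."""

from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"   # release the order
    REVIEW = "review"   # hold for manual due diligence
    REJECT = "reject"   # do not fulfil; tell the customer payment failed


def decide(callback: dict, pending_orders: set) -> tuple[Decision, list[str]]:
    """Return (decision, reasons) for one gateway notification.

    pending_orders holds the VendorTxCodes we created and have not yet
    resolved: a notification for an unknown or already-resolved code is
    rejected, so a replayed or forged callback cannot release goods."""
    tx = callback.get("VendorTxCode")
    if tx not in pending_orders:
        return Decision.REJECT, [f"unknown or already-resolved VendorTxCode {tx!r}"]

    if callback.get("Status") != "OK":
        return Decision.REJECT, [f"gateway status {callback.get('Status')!r}"]

    # Rule from the deck: the cardholder must have passed 3D Secure.
    # Anything other than OK (NOTAUTHED, NOTCHECKED, ATTEMPTONLY, ERROR, ...)
    # leaves the fraud check and the liability shift incomplete.
    tds = callback.get("3DSecureStatus")
    if tds != "OK":
        return Decision.REJECT, [f"3D Secure not authenticated ({tds!r})"]

    # Assumed rule: a CV2 mismatch is a strong fraud signal, so reject.
    if callback.get("CV2Result") != "MATCHED":
        return Decision.REJECT, [f"CV2Result {callback.get('CV2Result')!r}"]

    # Rule from the deck: an address or postcode mismatch against the
    # issuer's records is not fatal, but the order is held for a human.
    reasons = [
        f"{field} {callback.get(field)!r}"
        for field in ("AddressResult", "PostCodeResult")
        if callback.get(field) != "MATCHED"
    ]
    if reasons:
        return Decision.REVIEW, reasons
    return Decision.ACCEPT, []


# Constructed notifications, as the portal might receive them.
PENDING = {"ORD-1001", "ORD-1002", "ORD-1003"}

CLEAN = {"VendorTxCode": "ORD-1001", "Status": "OK", "3DSecureStatus": "OK",
         "AddressResult": "MATCHED", "PostCodeResult": "MATCHED", "CV2Result": "MATCHED"}
ADDRESS_MISMATCH = {**CLEAN, "VendorTxCode": "ORD-1002", "AddressResult": "NOTMATCHED"}
NO_3DS = {**CLEAN, "VendorTxCode": "ORD-1003", "3DSecureStatus": "NOTAUTHED"}
REPLAYED = {**CLEAN, "VendorTxCode": "ORD-0999"}   # not a pending order

if __name__ == "__main__":
    for name, cb in [("clean", CLEAN), ("address", ADDRESS_MISMATCH),
                     ("no3ds", NO_3DS), ("replay", REPLAYED)]:
        print(name, *decide(cb, PENDING))
```

The order of the checks matters: the pending-order and status checks run first so that a forged or replayed notification is rejected before any fraud signal is even read, and a hold for manual review is only ever reached by a transaction that the gateway authorised and that passed 3D Secure.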
15. Hosting platform features
Use flexible and secure partners
We use Rackspace's High Performance Cloud servers
Delegate the technical support to the experts
Rackspace's monitoring tools and Fanatical Support give us
and our client 24/7 peace of mind
16. Hosting platform security
PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (Requirement 11.2)
SecurityMetrics runs the scans and reports any issues
Private cloud networks and firewalls protect the data
The database server is not reachable from the public internet;
an iptables firewall restricts access to the API endpoint to the web tier
18. 4 months post launch…
100% uptime on the platform
over 10,000 transactions (228% increase from pre-launch)
40h of agent time per month saved (calls & admin time)
Great customer feedback, 44% via mobile
Ongoing improvements and new feature developments
22. Built-In Trade Offs: Hybrid Simplified
[Diagram: a cross section of advantages and disadvantages of Public Cloud (multi-tenant and generalized) versus Dedicated / Private Cloud (single tenant and specialized), compared on Security, Performance, Reliability, Per Unit Cost, Utility Billing and Speed]
37. Live Demo
• Create Magento Deployment
• Set up monitoring
• Image web servers
• Configure Autoscale group and policy
• Start the Spring Sale