How To Build for Payment Processing Resiliency
Can your business application handle a payment processor going down? How might you build resiliency while maintaining PCI compliance?
Join the DZone community and get the full member experience.Join For Free
If you're developing applications for a business, then one of your most important tasks is collecting payment for goods or services. Sure, providing those goods or services is essential to keeping customers happy. But if you don’t collect payments, your business won’t be around for very long.
In the dev world, when we talk about infrastructure, we often consider the resiliency of our servers and APIs. We don’t talk about payment processing in the same way. But we should.
Payment processing is something companies take for granted as long as it’s working smoothly. Once they’ve put some sort of solution in place, the cash starts flowing. Then, they forget about it until they encounter issues with their payment processor, or need to expand into a new region. With steady cashflows being essential to so many businesses, it’s worth thinking about resiliency for this critical piece of your business operations.
In this post, we’ll look at a few reasons businesses should put time into improving the resiliency of their payment processing, and how to approach this problem from a technical perspective.
Why Bother Building Resiliency Into Payments?
If your company is like most others, you’ve probably been using a single payment processor for a while. In that case, you might ask: Why should I build more resiliency than my processor already has in place? After all, that’s why you pay them their processing fees. It’s up to them to make sure things work properly.
Even if you set aside the present resiliency of whatever payment processor you’re using, you’ll still find many benefits from adding more processing options to your application. Of course, this isn’t possible if all of your customer PCI data is stored with a single payment processor, so you’ll need technical solutions to allow you to work with multiple payment processors without increasing your PCI compliance scope.
Potential Cost Benefits
For example, if you have only a single payment processor, you’re stuck paying whatever fees they charge you for the transactions you send their way. If you have multiple processors in place, you can route payments based on whichever service charges the lowest transaction cost and has the highest authorization rates.
Maybe one processor has better pricing on higher volumes of transactions, but a different one has better rates for high-amount transactions.
In this situation, you could send the majority of your customers’ purchases through the higher volume processor, but send large transactions through the processor that gives you better rates based on the individual payment amount. It’s a great way to boost profits without passing along costs to your customers.
Overcoming Geographical or Regional Restrictions
Certain individual payment processors may be constrained by geographical restrictions, giving you the ability to process payments only from specific countries. If you’re seeking to expand your business into other markets, you’ll encounter less friction if you already have several options on hand.
This way, you can route customer payments to specific processors based on their location. It’s also possible that you can benefit from different processing costs across different regions, continuing to find savings from that difference.
Greater Control Over the Process
Another benefit of adding more payment processing services to your stack is that you gain greater control over the details of how your payments are processed
By controlling how payments are processed in your systems, you can run more analytics to better understand the types of purchases your customers are making. With these insights, you can make even better decisions about which processors should receive your transactions.
Greater control also means that you can make sure you provide a better customer experience when any one of your payment processors experiences an outage. If you only have a single payment processor and it experiences an outage, then you’ll be unable to accept payments.
You’ll be scrambling to find a workaround. And for companies that make most of their annual business during a few key days—like many US retailers who rely on Black Friday shopping—such an outage can be disastrous.
If your business already has control over your payments stack, then you could be able to design your system to fail over automatically if transaction decline rates increase.
Along with protecting your sales, you’ll also benefit your customers by ensuring that they have a seamless payments experience, even if you’re rerouting payments to a backup processor behind the scenes.
With payment processing resiliency, your customers will experience no problems even as you failover to another payment processor.
How Do You Build for Payment Processing Resiliency?
By now, you’re probably thinking: How is this even possible? Doesn’t PCI compliance require passing your customers’ payment information straight from your purchase page to your payment processor, bypassing any systems that aren’t PCI compliant? At the very least, wouldn’t introducing this type of resiliency widen the scope of compliance, causing headaches for any business that has offloaded PCI compliance to a single payment processor?
If you don’t have the right technology, then yes — you definitely could end up increasing how much of your infrastructure falls under the scope of PCI compliance. Fortunately, using an architectural approach to this problem with a data privacy vault provides business flexibility without adding to your PCI compliance scope.
But, without a good solution for keeping customer financial data safe, your hands are tied. Instead of being able to enjoy true payment processing resiliency, you have to hope that your current payment processor is resilient.
But there’s a better way. Using a well-designed data privacy vault can unlock all of the benefits described above.
A data privacy vault lets you isolate, protect, and govern any type of sensitive information, including PCI data—while still remaining fully PCI compliant and without increasing your PCI compliance scope.
Instead of introducing greater risk, data privacy vaults significantly reduce the risk of using PCI data to process payments and help you to ensure PCI compliance across your business applications.
By enabling you to completely separate sensitive data — not just financial information, but also PHI and PII — from the rest of the transactional data in your systems, a data privacy vault gives your sensitive PCI data an extra layer of protection while easing compliance with data privacy regulations.
An Example Implementation
What does it look like to implement this technology in your systems? We’ll outline one example, from Skyflow (described in more detail here), looking at some of their diagrams to illustrate how this works.
To start with, let’s consider what a single credit card transaction looks like.
From the outset, when a merchant seeks to carry out a transaction with a credit card, the credit card data they send to the processor is already tokenized. This point is significant as it relates to introducing other processors since it means that you can store tokens in your systems, rather than sensitive, plain-text PCI data.
With these tokens, you can reference the PCI data that’s stored in the vault — credit card details like the PANs and expiration dates. Based on the routing logic for your application, you can send the PCI data to the appropriate processor at the appropriate time.
By using a data privacy vault to store PCI data you no longer need to store sensitive information within your own infrastructure or bet your business on a single payment processor that is storing PCI data on your behalf.
One company that is offering this type of payment resiliency, as well as data residency, is Apaya, a merchant-enabling payment automation platform based in Dubai. As Apaya emphasized building for payment processing resiliency, it leaned heavily on data privacy vaults to get the job done.
As a software developer, you build business applications that depend on payments to keep the faucet running. That means that heavy dependence on one payment processor introduces a single point of failure that could cripple your business if an issue arises. For this reason, many enterprises are building resiliency into their payment processing, leveraging multiple payment processors.
Of course, building in this flexibility without adding to your PCI compliance burden is only possible when companies leverage tools like a data privacy vault. Designing your systems to isolate sensitive data and ease compliance with a data privacy vault is good design, and good for business.
Opinions expressed by DZone contributors are their own.