
Turnkey Payment Service Provider: A Case Study in Tailored Solutions

26 March, 2024

Introduction

This article marks the beginning of a series delving into a specific case from Boxopay’s practice. Here, we kick off the narrative of how we delivered a turnkey Payment Service Provider (PSP) solution for a client servicing online stores in their region.

Our approach differs from that of other companies, which typically provide white-label gateways through the SaaS model, where the payment gateway is hosted on the vendor’s servers. While we could have opted for the SaaS model, in this particular case we proposed a turnkey solution that involves deploying an on-premises payment software platform tailored to the specific needs of our client. Our team conducted all engineering, R&D, and project management tasks independently, without requiring any technical or organizational resources from the client.

Building the PSP infrastructure took us just over 6 months. This journey involved a comprehensive approach, including selecting a cloud provider, foundational preparation and establishment of PCI DSS infrastructure, deploying and configuring the application with client branding, undergoing PCI DSS audit and certification, integrating with the acquirer, and onboarding the first merchant up to the first real transaction.

Throughout the implementation of this project, a team of three specialists was consistently involved: an IT project manager, a DevOps specialist, and a system administrator. Additionally, a separate team was allocated to develop the connector with an acquirer.

PSP White-Label Deployment Stages

The process included five distinct stages, each playing a crucial role in the creation and integration of the acquiring infrastructure.

  1. The discovery phase served as the foundation, in which we meticulously identified the client’s needs and drafted a detailed work plan and schedule of tasks and requirements for their implementation.
  2. During the infrastructure setup phase, we deployed a robust multi-product infrastructure, ensuring it met the strict PCI DSS Level 1 standards. We searched for a provider capable of constructing a PCI DSS-compliant infrastructure, weighing cloud solutions against dedicated servers. We also considered the offerings of various cloud providers for a turnkey PCI DSS-compliant infrastructure. This stage resulted in creating and configuring essential servers, establishing connectivity between them, and installing the necessary system software.
  3. Deployment of PSP software and PCI DSS certification phase. The project entailed establishing two infrastructures: one for testing and one for production, with limited administrative access to the console server. We began deployment by establishing a DNS server and a local repository for component updates. We then proceeded with configuring the Docker repository and setting up the application control server, followed by deploying the database management system.

    Additionally, we configured application servers 1 and 2 and balanced traffic between them. For security measures, we installed antivirus software, set up log storage, configured HIDS/HIPS, and established system and application monitoring.

    The final stages involved deploying the document management system, stress testing, conducting a PCI DSS audit, and completing certification. With the successful certification, we proceeded to the project’s final phases.

  4. The branding and integration with acquirers phase centered on seamless integration of our software with local acquirers via the eCom scheme.

    During the preparatory stage of integration, we reached out to the acquirer’s technical specialists to obtain integration documentation and testing plans. With this information, we set up testing channels, verified connections, and proceeded with developing and testing the functionality.

    We also customized the software with the client’s branding during this stage. To ensure a successful start, we conducted training sessions for the client’s team and assisted in the smooth launch of the first merchant.

  5. The pilot transaction. The final stage ensures that the system is efficient and ready to ‘go live’ and process live transactions with real cards through the first merchant who has completed the onboarding process. After conducting technical and product training for the client’s staff, we smoothly transitioned the infrastructure to their control.

Through this series of articles, we aim to provide a comprehensive overview of our journey, offering valuable thoughts and best practices for those seeking to establish a trustworthy payment infrastructure.

Stage 1. Discovery phase

Let’s start by delving into the beginning of our project journey, where we’ll explore the initial Discovery phase and discuss the valuable insights we’ve gained along the way. The Discovery phase marks a crucial starting point, where our team’s core focus was to collect and analyze vital information, laying the groundwork for the entire project. During this step, we made sure that all stakeholders were aligned in terms of goals and expectations.

Our approach involved more than just providing a pre-packaged system with a fixed set of features. Instead, we offered a solution-building service. During the Discovery stage, our primary focus was to determine the specific business challenges we were facing. Following thorough research, we outlined our goal: to develop an e-commerce Payment Service Provider (PSP) capable of routing transactions between two acquirers, supporting Apple Pay and Google Pay, enabling OCT, and seamlessly integrating with merchants via a server-to-server scheme.

At the heart of the Discovery phase lies the detailed project implementation plan, carefully crafted by the team. This plan serves as a guiding blueprint for all further actions, including collaboration with third-party contractors.

During this phase, we unearthed a crucial detail: the local regulations in our client’s jurisdiction mandate that the server infrastructure for PSP and similar solutions must reside within the country’s territory. We incorporated this requirement into our project implementation plan. This requirement narrowed down our options to just two virtual server providers that met the necessary specifications and operated within the country.

Eventually, the client selected one of these providers, finalized an agreement with them, and granted us the necessary access. However, we discovered that the chosen provider had some limitations. As a result, we adjusted our plan to include the installation and configuration of third-party applications such as a mail server, balancer, and DBMS, as these were not provided by the chosen provider.

In this phase, we also shortlisted the banks the client intended to collaborate with. It became evident that we would need to undergo the integration process with each bank based on their respective documentation and successfully complete integration tests.

In response to the client’s safety concerns, we performed a thorough risk assessment, identifying potential threats and opportunities that could influence the project’s success.

Overall, the discovery phase was critical: it helped us establish the project’s foundation and set the direction for the further phases. Stay tuned for upcoming articles detailing the further stages of the project.
