AWS for Industries
Building a Credit Card Payment Processing Platform on AWS
The Financial Services Industry (FSI) is in the midst of a significant transformation and given the key role digitization plays, electronic payments are at the epicenter of this transformation. Payments are becoming increasingly cashless, and the industry’s role in fostering inclusion has become a significant priority. Innovation and development of digital economies are supported by payments which function as a stable backbone for global economies. There is a lot going on behind the scenes of a card payment transaction. A clear window into how credit cards are processed can help businesses manage their operations more effectively. In this blog post, we will illustrate how you can build your credit card payment processing platform on AWS. We will also provide two high-level reference architectures for credit card processing, the acquiring side and the issuing side of a credit card payment authorization.
Benefits
Processing systems are being modernized in the cloud to:
- Scale quickly and efficiently to meet seasonal spikes
- Maintain high availability while supporting increasing throughput every year and address stringent security requirements
- Support global businesses by expanding into markets around the world while complying with data residency and regulatory requirements
- Enable rapid prototyping for new product development
Credit card payment processing requires financial institutions to meet high availability and throughput SLAs combined with low latency. AWS provides tools and services such as Amazon API Gateway, Amazon Managed Streaming for Apache Kafka (MSK), and Amazon DynamoDB to support customers looking to build a modern distributed payment processing platform in the cloud and scale to thousands of transactions per second. AWS customers are using containerization as a powerful technology that can greatly enhance the availability of payment processing systems by isolating and managing application dependencies in a portable manner. Organizations can achieve even greater availability and resiliency by using Amazon Elastic Kubernetes Service (EKS) to automate the scaling and management of containerized workloads based on demand, resource availability, and integration with AWS networking and security services. Automated monitoring and alerting tools can be integrated with container orchestration platforms to provide real-time visibility into the health and performance of payment processing systems, enabling proactive responses to issues before they impact users.
The AWS cloud offers multi-layered security with identity management to help customers meet stringent security requirements. Threat detection and response services are available to help identify potential security misconfigurations, threats, or unexpected behaviors. AWS offers modern networking capabilities such as Amazon Virtual Private Cloud (VPC) and AWS PrivateLink to allow messages to flow among payment entities without traversing the public internet. Global customers can use multiple AWS availability zones and regions to expand to new markets. In addition, customers can leverage compliance reports and certifications from AWS Artifact as well as vendor due diligence mechanisms to understand and evidence the controls that AWS is responsible for. Customers are able to build a robust controls environment leveraging AWS services and resources to further demonstrate their adherence to compliance requirements in local markets.
Developers can use AWS tools and services to standardize and automate for compliance, security, and infrastructure as code. Technical product managers can work with their development teams to quickly prototype and innovate with a customer to solve for emerging use cases. AWS DevOps enables developers to rapidly release new features and helps operation teams reduce the time it takes to get applications into production. Tools such as AWS Config Rules, Service Catalog (Governance as code, Security and IAM Policy, Retention and Back up policies, Logging and Monitoring policies), and CloudFormation Guard make it easy for central teams to govern distributed development teams, enabling them to go fast while maintaining compliance and cloud best practices.
Card processing components
Credit card payments are typically processed as dual-message transactions in three main steps. The first step is the “authorization” of the transaction. The authorization occurs in real-time to check with the issuing bank to ensure that funds exist in the cardholder’s account. The issuing bank also provides its decision of whether to approve or decline the transaction. Second step is the “clearing” of the transaction. The clearing involves the bundling of authorized transactions sent to the issuing bank for reconciliation. The third step, “settlement”, represents the movement of the funds to the merchant’s bank account.
Now let’s look at an overview of the major players in credit card-based payments to illustrate portions of the value chain and contextualize the acquirer processing and issuer processing reference architectures for credit card-based payments.
Merchants can include corporations, entrepreneurs, sole proprietors, and every type of business in between. Merchants play a cornerstone role in the payment transaction process by leveraging the tools of card payment acceptance: a credit card terminal or point-of-sale system for card-present transactions, secure eCommerce websites equipped with a payment gateway, or payments integrated into an ever-growing range of applications.
A payment gateway facilitates a payment transaction with the transfer of information between a payment portal (such as a website, mobile phone, or interactive voice response service) and the payment processor or acquirer.
Payment processors are companies that process credit and debit card transactions on behalf of merchants and their merchant banks. Payment processors connect all of the other players in the credit card lifecycle, and have evolved beyond their processing functions to offer a full range of payment-related services to help businesses grow.
Acquirers, also known as acquiring banks or merchant acquirers, are financial institutions that establish and manage merchant accounts. A merchant account is a type of business bank account that allows a business to accept and process electronic payment card transactions. Every business that accepts credit and debit card payments may establish a merchant account, through institutions such as an acquirer bank or independent sales organization (ISO). As an alternative, they can establish a sub-merchant account (where another company provides a merchant account on your behalf) through institutions such as a payment facilitator. During a card payment transaction, acquirers or their processors pass transaction requests and authentication data between merchants and the card associations.
Card associations connect customers, merchants, issuing banks, and acquiring banks. Card associations act as the governing bodies of payments processing. Major card associations include American Express, Discover, Mastercard, UnionPay, and Visa. Card associations set interchange rates, mediate disputes between issuers and acquirers, and work to promote safe, fast, and efficient payments.
An issuing bank or issuer processor is the institution that issues the credit card to the cardholder. Issuers provide essential services by connecting consumers to the financial system and facilitating the funding of transactions to businesses. The funding process provides the financial fuel that enables businesses to survive—and thrive.
The customer, also known as the cardholder, initiates a payment card transaction by providing their payment credentials either in-person (card-present) or remotely (card-not-present). Transaction amounts are recorded with their financial institution, thus resulting in a credit or debit, depending on the type of account.
The lifecycle of each card payment transaction can vary depending on various factors. However, a few steps in the card transaction lifecycle are fixed in place: authorization, clearing, and settlement. We will illustrate the first step in the card transaction lifecycle, payment authorization, with reference architectures for both issuers and acquirers.
Authorization
The first step in the credit card lifecycle is authorization. A customer presents their payment card credentials to a merchant, either in-person or through a secure remote method. For card-present transactions, the card details are communicated to the point-of-sale terminal through card chip insertion, tap to pay, card swipe, or other methods such as manual card entry. During the communication between the EMV card or digital wallet and the terminal for a physical point-of-sale transactions, the application identifiers (AID) and cardholder verification method (CVM) methods are determined. For card-not-present transactions, the card details are provided through several options including a merchant plug-in or an available payment wallet. Payment service providers (PSPs) provide the ability to tokenize the card details during checkout so that the card credentials aren’t stored by the merchant. The card details are encrypted and sent to the payment gateway to route it to the appropriate payment processor. The payment processor checks the card bin (the first six or eight digits of the card) or account range information to determine which services must be applied to the transaction, such as fraud scoring and account updater services. The account updater service is provided for card-not-present transactions to provide the latest card number in the card lifecycle in cases of lost/stolen cards. The processor along with the payment switch is responsible for determining the card network to which the transactions must be routed, and converting it to the right message format (i.e., ISO8583, ISO20022) and layout before sending it to the network.
Acquiring Processor Authorization Flow
Once the card network receives the network message, it will detokenize the payment information as needed and run the relevant on-behalf services, such as additional fraud scoring, spend control, data conversion, digital, and other validation services depending on the type of card, transaction type, and payment channel.
Issuer Processor Authorization Flow
The card network will then send the message to the issuing bank or the processor to run its risk, card control, balance, chip, address, velocity, policy, and other required checks before it responds back with an approval or decline. In the response message, it will provide a reason code for an approval such as “0- Approved’ or a decline such as “05 – Do Not Honor” or “62 – Restricted Card”. Depending on the type of card or token and the channel of each transaction, the card network or issuer will validate the dynamic information which is uniquely generated for the card transaction.
AWS reference architecture for acquiring authorization
The high-level architecture diagrams below present the main components of the Authorization system and its communication model between different channels and various schemes when built on AWS.
The flow starts with various channels sending encrypted card information to the Authorization system through secured communication lines to Amazon API Gateway. AWS WAF can be enabled to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. API Gateway is integrated with Amazon Cognito to ensure that only authorized users have access to the API, and that the resources are protected from unauthorized access.
Authorized payment transaction is sent to Amazon Managed Streaming for Apache Kafka (MSK) via Network Load Balancer. PCI requires card holder data to be encrypted both in transit and at rest. Amazon MSK uses TLS 1.2 by default and recommend TLS 1.3, as it encrypts data in transit between the brokers of MSK cluster. TLS encryption in transit (client-to-broker, broker-to-broker), TLS-based certificate authentication, and SASL/SCRAM authentication can be achieved with the assistance of AWS Secrets Manager. The transactions in a Kafka topic are consumed in real-time by AWS Fargate containers. AWS Fargate can be used with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances. You can use your Amazon ECR private repositories to host container images and artifacts that your Amazon ECS tasks may pull from.
The container passes data to a payment HSM (Hardware Secure Module) and receives the decrypted data. The Payment HSM can be provisioned through our newly launched AWS managed Payment HSM service – AWS Payment Cryptography. The DynamoDB client-side encryption library can be used to encrypt the original text and store the ciphertext in the cipher database. The token response is stored in the application database for internal application operations. In-memory data cache with sub-millisecond latency on Amazon ElastiCache for Redis can be used to immediately to server the card availability requests for card networks. The tokenized information can be run against various business flows using AWS Step Functions to validate Bin checks, Risk checks, Account checks, Fraud checks and other value-added services based on the card and transaction type. After validation, the response is formatted to an ISO format and sent to an egress Amazon MSK for consumption. Multiple Kafka listeners can make connections to the card networks.
AWS reference architecture for issuing authorization
In the issuing processing flow, the card network relays the payment authorization request, using a socket connection, to an Issuing Bank or a Processor (IBP) by sending a payload. Payment Network Interface Processor (PNIP) implemented either on a rack-mounted in an on-premises or a co-location receives the TCP/IP traffic from card network. IBPs can use AWS Direct Connect to connect from an internal network to an AWS Direct Connect location over a standard ethernet fiber-optic cable. AWS Direct Connect with AWS Transit Gateway aids in building a network transit hub that connects multiple VPCs and on-premises networks.
Traffic from incoming authorization requests is routed to the Tokenization VPC via Network Load Balancer over AWS Transit Gateway. Network Load Balancer operates at the connection level (Layer 4), routing connections to the target containers within customer VPC based on IP protocol data. Tokenization VPC tokenizes the sensitive card information, the cryptography operations such as validate, verify operations on card data must be performed on a scalable, resilient service as AWS Payment Cryptography. The information will be stored in the Cipher Database and can be retrieved in Amazon ElastiCache instead of relying on databases.
The request is transferred to Auth Payment Processor VPC for further processing. Authorization containers can be natively integrated with Amazon Elastic Kubernetes Service (EKS) to deploy applications.
The Authorization container appends additional information to the authorization request based on the card type for business validation checks. Business Process workflow engine runs multiple checks such as Fraud, Risk, Velocity, Account and various policies that include chip, pin, token, limit, and cash based on card type. Business Validation response is streamed to Amazon Managed Streaming for Apache Kafka (MSK) topic, the Authorization container processes the response and stores the information in Amazon DynamoDB. The IBP then sends an authorization response (such as an Approve or Decline response) back to the Card Networks then to the acquiring processor before it finally ends up back at the merchant terminal.
Payment processors have valuable customer data and can derive customer insights using Amazon Comprehend, including sentiment analysis and analysis of product reviews. Real-time personalized recommendations such as product rankings, specific product recommendations, and customized direct marketing can be leveraged using Amazon Personalize.
Conclusion
Credit cards remain an important payment method for both point-of-sale and card-not-present transactions. Cashback, card benefits, and airline points are just a few of the reasons customers use credit cards to pay for their purchases. In 2022, large U.S. credit card issuers saw strong growth in credit cards with the re-acceleration of travel and entertainment spending. Innovation is also occurring in the credit card space with digital-first credit solutions which allow virtual cards or tokens to be available as soon as customer applications are approved and enables the card information to be added to the digital wallets right away.
Customers expect payment transactions with a credit card to be processed in a few seconds and this post shows how to use AWS services to build cloud payment processing solutions which are secure, processed in real-time, highly resilient, and can handle spikes in payment volumes during peak days or times. In addition, cloud-based payment systems can implement robust security measures to ensure PCI DSS compliance with AWS tools and services. Innovation continues to rejuvenate the credit card market as fintechs make it easier for merchants to launch merchant branded (aka private label) credit cards and customize rewards based on the unique needs and lifestyles of the customer segment.
For more information about how to work with AWS and to understand how we are supporting payment customers around the world to execute payment processing, please contact your AWS Account Manager or visit AWS Financial Services – Payments.
Disclaimer:
Any discussion of reference architectures in this post is illustrative and for informational purposes only. It is based on the information available at the time of publication. Any steps/recommendations are meant for educational purposes and initial proof of concepts, and not a full-enterprise solution. Contact us to design an architecture that works for your organization.