The Client

The client is an app-based solutions provider in the hospitality industry.

The Business Need

Secure payment processing is a critical concern for both mobile app providers and end-users, especially in the food-ordering sector. For a company taking payments, the ideal approach is to process credit cards directly using card information provided by the end-user. Most financial sector partners, though, impose strict security requirements on anyone doing so.

Enforcement of these requirements is usually done through an audit of payment card industry (PCI) compliance. This is a broad-spectrum survey of the systems used to handle payment processing: in particular, scanning server ports and checking how the application responds to code-injection and SQL-injection attempts, to test for exploitable vulnerabilities.

The standard is regularly updated, and compliant software and hardware must be maintainable well into the future. Failing to comply for an extended amount of time can result in being cut off from basic credit card-processing services, something no restaurant operator can afford.

The Technical Need

At its base, the project was about providing best-in-class handling of sensitive financial data volunteered by paying end-users. The client needed to extend their existing capabilities while satisfying the strict guidelines that are normal in the market sector.

Bringing the project to fruition required the development team to:

    • Analyze PCI requirements and map them with the system
    • Select an architecture and design a solution that was PCI-compliant
    • Develop, implement and test software that was fully integrated into the solution
    • Set up and secure a server environment using Microsoft Azure
    • Provide support during the production deployment phase
    • Deliver support during PCI audits
    • Assemble supporting documentation

Key challenges included dealing with strict and challenging deadlines, maintaining banking-grade encryption and deploying the solution to the cloud, in this case Azure.

The Optimus Solution

Optimus worked with the client and their advisors to develop a complete understanding of the project’s requirements. This included bringing those requirements together with a stable and secure cloud-based infrastructure suitable for PCI compliance.

Deliverables had precise requirements, detailed data definitions and data flows. Microsoft blueprints for compliance were regularly consulted during the deployment of the solution in a cloud environment.

[Figure: PCI Compliant Gateway]

Azure Security and Compliance Blueprint provided by Microsoft.

All analysis, architecture and design work was vetted by the client and their advisors to ensure a high degree of satisfaction with the solution’s levels of operability. A delivery plan also had to be created and implemented upon completion of the solution framework.

The Optimus Global delivery team was tasked with software development using Java and Spring Boot. The goal of the offshore team was to build a highly secure web service that fulfilled all the client’s requirements. Optimus also assigned the Noida team to develop a full suite of automated tests for the web service.

The onshore team provided oversight of technical and architectural work while keeping the client in the loop. The onshore team was also responsible for building, deploying and securing the solution using Microsoft Azure as part of a cloud-based infrastructure.

The following phases were necessary to the successful execution of the project:

    • A discovery phase focused on analysis and architectural requirements
    • An implementation phase that included delivery of the web service and essential tests
    • A build and deployment phase where a compliant environment was configured and tested
    • A product deployment and support phase
    • Documentation and audit support

Technologies Used

Several technologies were also critical to the project. These included:

    • REST API components
    • Aspect-oriented programming (AOP)
    • Java and Spring Boot
    • A JPA access layer
    • Custom-modified components for the deployment of the web service
    • Active Directory
    • Application Gateway with the OWASP 3.0 Rule Set
    • DNS
    • An SQL database
    • Security Center
    • Key Vault
    • A virtual network and the configuration of network security groups
    • The Operations Management Suite
    • Resource Manager

The Result

We are pleased to report that the PCI audit was passed “with flying colors” (as our client put it). Our client is now much better equipped to provide the desired services to top-tier customers. They have also achieved shorter product release cycles and better access to business intelligence data.

Conclusion

This project is a good example of using the power of the cloud and Agile to deliver a core business need in a timely fashion. It drew on our Microsoft Azure expertise, our global delivery model, and close collaboration with the client.