INSART for a Fintech Company

Online Payment Platform Developed from Scratch

The Challenges

INSART was selected to create the online payment system from scratch. During development, we had to rise to the following challenges:

  • Conduct a business analysis, create a software requirements specification (SRS), and complete the required preparations.
  • Develop the platform according to the SRS.

The Solution

Conduct a business analysis

Business value: The client’s system was conceived as a standard-setting and innovative solution to allow customers to make payments, purchases, and money transfers instantly and securely via the Internet. Because the cost of an error in such systems may amount to hundreds of thousands of dollars, work on the project started with business analysis research intended to define all possible pitfalls and prevent losses in the platform to be developed.

Details: The system was expected to have the following functionality:

  • Make internal settlements between system users;
  • Make mass payments;
  • Receive payments for various business projects via the Internet;
  • Make payments for goods and services via the Internet;
  • Keep funds on electronic accounts in various currencies;
  • Make internal currency exchanges;
  • Work with cryptocurrencies similar to fiat currencies;
  • Be able to process more than 20 thousand transactions per hour;
  • Customize the security level of a current account;
  • Provide an application programming interface (API) for interaction with online shops and services;
  • Have multilanguage support;
  • Support both private and business clients;
  • Provide 24/7 service.

The system needed to have a simple and intuitive interface, and work online without the need to install any client application.

In terms of security, the system had to be absolutely safe and reliable. This meant that it had to:

  • Have complete DDoS protection;  
  • Have data backup and data replication capabilities;
  • Provide transaction reconciliation;
  • Use a Web Application Firewall (WAF);
  • Be developed according to the Payment Card Industry Data Security Standard (PCI DSS).

Result: A detailed SRS was created. This laid out functional and nonfunctional requirements and described the interactions that the platform had to provide.

Develop the platform

Business value: The client was planning for the system to process more than 20,000 transactions per hour and provide 24/7 service. This entailed the risk of losing large amounts of money, and meant the platform had to be available day and night. It also had to be secure, reliable, and scalable.

Detailed description: A dedicated team was created by INSART to implement the project. The team consisted of seven experts:

  • A project manager (PM);
  • A business analyst (BA);
  • A technical lead;
  • Three Java software developers (frontend and backend);
  • A QA engineer.

To start the project, INSART selected a PM with FinTech expertise and strong skills in managing under pressure.

Development used two tiers: a development environment and a production environment. The development environment was similar to the production environment and was used for development and testing. The production environment included a cluster of powerful servers. The following components supported the system's performance:

  • Load balancer: distributes users’ requests between servers; thus, the system becomes fault-tolerant.
  • HSM Luna: a hardware security module that generates and stores cryptographic keys, provides cryptographic processing (encryption and decryption, digital signature and verification, etc.), and audits critical operations.
  • Incapsula WAF: provides protection against DDoS attacks, SQL injections and other threats.
  • RAID: provides storage of the same data in different places, thus increasing the fault tolerance of the system.

System data is stored in three independent databases:

  1. User data: according to PCI DSS, data used for verification should be stored in a separate file.
  2. Base data: information about wallets, transactions, etc.
  3. Static data: general information, rules, templates, etc.

The following processes were incorporated to ensure the system’s reliability and security:

  • Remote backup of all sensitive data on remote servers.
  • Hot deployment—enhancements and improvements are provided without having to stop the system process.
  • Secure access to the administration dashboard using the user principal name.
  • Two-factor authentication for every user level, from administrator to common users.
  • Multilevel verification for common users and transactions. At the same time, the system is designed to be familiar and easy to use.
  • Automatic balance verification allows the system to monitor the following indicators:
    • The sum of money in a user’s wallet corresponds to the expected sum based on information about the user’s transactions;
    • The sum of transactions corresponds to balances of the external systems.
  • Notification system enables information about failed verifications and other threats to be sent to key developers, which helps them respond to such events immediately.
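
The two automatic balance checks listed above, as an added example (not INSART's code): each wallet balance is recomputed from the transaction ledger, ledger totals are compared with the figures reported by external systems, and every mismatch becomes an alert record for the notification system. The tuple layout, wallet IDs and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from decimal import Decimal  # exact arithmetic; floats would create false mismatches

ZERO = Decimal("0")

# Constructed sample data. Layout is hypothetical:
# (tx_id, wallet_id, signed_amount, external_system or None for internal transfers)
TRANSACTIONS = [
    ("t1", "W-100", Decimal("500.00"), "bank"),
    ("t2", "W-100", Decimal("-120.50"), None),
    ("t3", "W-200", Decimal("120.50"), None),
    ("t4", "W-200", Decimal("-20.00"), "card"),
]
WALLET_BALANCES = {"W-100": Decimal("379.50"), "W-200": Decimal("150.50")}  # W-200 inflated by 50.00
EXTERNAL_TOTALS = {"bank": Decimal("500.00"), "card": Decimal("-25.00")}    # card differs by 5.00


def sum_by(transactions, column):
    """Sum signed amounts grouped by wallet (column 1) or external system (column 3)."""
    totals = defaultdict(lambda: ZERO)
    for tx in transactions:
        if tx[column] is not None:
            totals[tx[column]] += tx[2]
    return dict(totals)


def find_mismatches(expected, actual):
    """Return {key: (expected, actual)} where the figures differ. A key present on
    only one side is compared against zero, so a wallet row with no transactions
    or an external movement missing from the ledger is reported as well."""
    keys = sorted(set(expected) | set(actual))
    return {k: (expected.get(k, ZERO), actual.get(k, ZERO))
            for k in keys if expected.get(k, ZERO) != actual.get(k, ZERO)}


def verify(transactions, wallet_balances, external_totals):
    """Run both checks; return alert records to hand to the notification channel."""
    checks = (("wallet", sum_by(transactions, 1), wallet_balances),
              ("external", sum_by(transactions, 3), external_totals))
    return [{"check": name, "id": key, "expected": exp, "actual": act, "delta": act - exp}
            for name, expected, actual in checks
            for key, (exp, act) in find_mismatches(expected, actual).items()]


if __name__ == "__main__":
    for alert in verify(TRANSACTIONS, WALLET_BALANCES, EXTERNAL_TOTALS):
        print(alert)
```
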

Today, the system has the following features:

  1. Ability to work with the following currencies: US dollar, euro, pound sterling, Russian ruble, Ukrainian hryvnia.
  2. Account replenishment via any of the currencies mentioned above and using any of the following methods:
     • Banking system
     • E-currency (OKPay, Payeer, Perfect Money, BTC-e, bitcoin, etc.)
     • Mobile phone
     • Cash
  3. Funds transfer to various targets:
     • The wallet of a current customer (currency exchange) or to another customer
     • The card of a current customer or another customer
     • A Visa/MasterCard
     • An e-currency (OKPay, Payeer, Perfect Money, BTC-e, bitcoin, etc.)
     • A recipient not registered in the system, by specifying his/her email
     • Cash
  4. Enrollment of virtual and plastic cards for US dollar and euro.
  5. Ability to check transactions made and search transactions by period, status, type, wallet, or card.
  6. Customer support system integrated with the Zendesk ticket system. Users may select the department to which they wish to send the ticket (support service, integration help, document verification, card questions, accounting).
  7. Extensive security settings:
     1. Some of the settings can be switched on/off, such as:
        • Identifying suspicious changes;
        • SMS authorization;
        • Activating code card for transaction authorization.
     2. Other settings must be configured, including:
        • IP address binding;
        • Activating payment password;
        • Token management: software and/or hardware tokens are available.
  8. Referral program, which allows customers to make money from friends’ transactions.
  9. Features for developers:
     • Merchant API to use the client’s features in developer’s own applications;
     • Shopping cart interface to receive payments from online shops and services.
  10. Account deletion: if no transactions have been made, all user data will be removed; if any transactions have been made via a user’s wallets or cards, the account will be hidden but the data will not be removed.
  11. Payment patterns, which allow customers to enter all data required for each transaction.
  12. Notification system, which informs customers about their actions or the fact that these actions cannot be completed.

Process approach: Agile with two-week sprints was chosen as the development methodology. After the first release, further development proceeded not in iterations but according to task priority.

Results: Over three years, INSART developed the client’s payment system from scratch. Following the first release, the system has already been working for two years. Today, the system has 250,000 clients and processes more than 2,000 transactions per day. The system is reliable, highly available, and scalable. It can process up to seven transactions per second, which is up to 25,000 transactions per hour.

The platform complies with the PCI DSS, which confirms its high security level. The security system protects the platform from DDoS attacks and other threats. A unique algorithm for generating wallet numbers provides fraud protection. Automatic balance verification has allowed the system owner to save hundreds of thousands of dollars.

Now, the system successfully competes in the online payments market. In addition to popular currencies, such as the US dollar, euro, and pound sterling, the platform enables clients to work with cryptocurrencies as with fiat currencies. The 24/7 support, notification system, and document verification features have made the system even more popular. The number of clients is constantly increasing.

Architecture Overview

When choosing a set of technologies for the project, we decided to rely on those used for industrial development; they also needed to be open source and have big communities. At the time development started, technologies such as the Spring framework and Hibernate were the most advanced.

The following technologies were used:

  • Programming language: Java (JRE 1.7)
  • Frameworks: Spring (Spring Security, Spring ORM), JavaServer Faces (RichFaces), JCaptcha
  • ORM: Hibernate
  • Database: PostgreSQL—This database was chosen based on a substantiated suggestion received from an information security specialist.
  • Project assembly plugin: Maven 3  
  • Continuous integration tool: Jenkins   
  • Graphic interface components testing framework: Selenium
  • Module testing framework: JUnit
  • Web service testing tool: SoapUI  
  • Messaging server: Apache ActiveMQ—This open-source message broker fully implements JMS. It provides enterprise features such as clustering, storage, and communications, with the ability to use a variety of databases, caching, and logging.
  • Java framework for event-driven Web application support: Atmosphere
  • Distributed cache: JBoss Infinispan
  • Web server: Tomcat 7.x
  • Java Architecture for XML Binding (JAXB)
  • Caching: Ehcache

Java-based technologies were chosen for technical implementation as Java has proven to be the most reliable, scalable, and secure technology for big FinTech projects.

The following Application Programming Interfaces (API) were used:

  • Receiving financial data (currency exchange rates)
    • yahoo-finance-api
    • Xe.com
  • Interaction with an SMS gateway (aggregator):
    • www.smsc.ru
    • Infobip service
  • Defining GeoIP data:
    • MaxMind API
  • Ticket system:
    • Zendesk
  • Working with tokens:
    • SaaS from Protectimus

The following development tools were selected: Eclipse IDE, IntelliJ IDEA, SOAP client, SVN.

Feedback

Founder & CEO at the Fintech Company:

“The INSART team was great. Everything that was planned, they finished on time. The PM and developers were skilled and experienced. Their work was very efficient, innovative ideas were of benefit to the entire project.”
