Token Financial Technologies speeds time-to-market with a PCI DSS-compliant payment platform built by Zitec in less than 9 months

In less than 9 months, Zitec built a PCI DSS-compliant online payment platform for Token Financial Technologies, helping the FinTech company significantly reduce time-to-market. This allows Token to expand its payment services offering from Romania to the EU, and add more payment methods to its platform as the business grows.

Tapping into Europe’s FinTech opportunity 

Token Financial Technologies is Turkey's leading provider of payment solutions for merchants. The company is part of Arçelik Group, a subsidiary of Koç Holding, the largest industrial conglomerate in Turkey, also listed in the Forbes 500. One of this group’s strategic initiatives is developing a solid FinTech business and tapping into Europe’s FinTech opportunities. 

According to McKinsey, FinTechs are a driving force for modernization and customer satisfaction in Europe’s financial services sector. In each of the seven largest European economies, at least one FinTech ranks among the top five banking institutions. However, more than half of European countries have fewer than 10 FinTech companies per million capita, compared to 30 in Ireland and Switzerland and 26 in the UK. On average, the top five countries have 25 FinTech companies per million residents. 

The solution: a secure and scalable microservices-based payment platform 

To capitalize on this opportunity, Token Financial Technologies was looking for a mature IT partner to build a PCI DSS-compliant online payment platform capable of sustaining the growth of their FinTech business in Romania. They selected Zitec due to our team’s previous experience with fintech services, a compelling architecture proposal, and an experienced team.  

In essence, the scope of the project was to:

• build an EU-compliant platform that can be easily scaled to multiple countries; 
• provide a high level of security to ensure PCI DSS compliance and minimize fraud risk (obtain PCI DSS certification from an accredited auditor);
• focus on user experience to improve merchant acquisition and reduce onboarding friction;
• employ future-proof and proven technologies to improve development speed and project lifetime.

Once we completed the architecture conceptualization step, we started developing the software in an agile fashion. There were three milestones to be achieved, therefore the project perimeter was outlined on that scope: 

1. PCI DSS audit readiness

To ensure PCI DSS audit readiness, we developed the microservices sitting in a dedicated cluster, which would guarantee a secure rendering of the payment pages for Token customers, alongside auxiliary features and encrypted data storage. To efficiently process credit card payments, we developed a terminal router framework, holding the payment routing logic. On that scope, we integrated with one bank (Banca Transilvania) and a bank aggregator (Romcard) that offers backend integration with several other banks. This rigorous process resulted in successfully passing a relatively complex technical audit, where Zitec ensured the documentation of security procedures at the platform level, which then helped in getting the PCI DSS certification.

2. Merchant onboarding flow and admin development 

As a next step, we focused on developing the merchant onboarding flow and the admin interfaces. These microservices would ensure the merchant's registration through an automatic know your customer/business (KYC/KYB) process, merchant details management, transactions management, and auxiliary features through 3rd party integrations. The work of developing additional Admin Platform features & Client SDKs and performing the final acceptance testing ensured the deployment to the live environment.

3. Minimum Viable Product (MVP)

The MVP was launched in August 2022 and consisted of a payment service provider ecosystem that uses a series of banks for payment processing. It was centered on card payments for both individual merchants and marketplaces and was flexible enough to add alternative payment methods.

Addressing platform security and compliance requirements 

The project came with several complex technical requirements, given the sensitive card data involved. Zitec’s architecture proposal was a microservices approach, with a special setup in which we included all the services that were dealing with sensitive data into a dedicated and isolated PCI DSS Kubernetes cluster. The microservices needed to communicate with each other, so we added a permissions matrix to define all of the possible user roles, system operations, and the specific permissions on those operations by role. For this, we used AWS App Mesh, an important architectural decision in the scanning process to ensure the required PCI DSS level of compliance. 

There were five key areas in which the payments platform was required to meet all compliance and project scope requirements:

• Data Encryption is one of the key requirements of the PCI Standards. It ensures data protection when data is stored or transferred from one source to another. In this scope, we encrypted data for all cloud components that allow this, such as Database, logs, Elasticache, etc.
• Security of Kubernetes clusters - all information transmitted on the platform has to be encrypted and safe from unauthorized access. To fulfill monitoring requirements, we opted for a file integrity monitoring tool, Falco, which provides real-time, comprehensive visibility for the creation, deletion, and modification of all critical assets, files, and registries. It helps in ensuring an overview of any unauthorized modifications to all relevant critical systems, configurations, and content files, gaining instant visibility on all critical folders and registry changes, and maintaining the integrity of critical hosts with continuous, active monitoring. It also uses predefined policies to gain added efficiency and reduce alert volume.
• Constant scanning of PCI data - as PCI DSS requires monthly scans of the database, to check if there is any exposed card data, we used Pan Hunt, an open-source tool written in Python. We cloned and updated it to fit our purpose and included relevant card data patterns. For the constant scanning of the database to find PCI data, we used AWS Macie, which employs machine learning and pattern matching to discover and protect sensitive data.
• Developer-friendly infrastructure provisioning and scaling: given its complexity, the architecture’s components generated duplicate code. Through Terraform configurations, we variabilized the code to make it easier to maintain even when new components are added. This makes it easier for developers to introduce new parameters, reducing overall development costs. 
• Sensitive data handling: any managed AWS component dealing with sensitive card data had to be encrypted so no environment variables were exposed in the app code. AWS Secrets Manager was used to keep credentials separate from code, prevent them from being exposed as environment variables, and let the application read the secrets it needs dynamically from the cloud. 

The business outcome 

There are four key elements that outline our successful partnership with Token Financial Technologies: 

1. A cloud-based payment platform, which is compliant with the EBA (European Banking Authority) guidelines and PCI DSS certification;
2. Cost-saving: an incredibly short time-to-market of delivering a PCI DSS-compliant payments platform - less than 9 months;
3. External validation: a system verified by bank integrations and certified by PCI DSS auditors;
4. Scalable platform: a microservices architecture that brings optimized costs and allows for easy integration of new payment methods and expansion in other countries. 

"Collaborating with Zitec for the development of our Odero PAY online payment platform was a great experience. The team at Zitec had strong technical knowledge and went beyond expectations in terms of project management, advanced and scalable architecture e.g., cloud computing, microservices, Kubernetes, and security. Our platform was delivered with high uptime and a great user experience. Additionally, they have supported us during PCI DSS certification to ensure the security and compliance of our product. They are agile, professional, friendly, and very accommodating to our needs as a business. We highly recommend them and will continue to refer them to our merchants." 

Uğur Halatoğlu, Chief Technology Officer, Token Financial Technologies 

Future plans for Token 

Token plans to introduce new payment features such as BNPL (Buy Now Pay Later), Apple Pay, and Google Pay for their merchants to make the customer experience more convenient and seamless. Furthermore, they will expand cloud-based services in countries of the European Union so that merchants can have more opportunities to reach out to customers and maximize their sales potential. The increased presence in international markets by establishing partnerships with local banks and payment providers is also on their radar, along with continuous evaluation of new technologies and exploration of possible ways to improve their current solutions to remain competitive.