Delivering on the Internet’s Promise for Global E-Commerce Reach

Many components make up today’s one trillion-dollar e-commerce market. One notable player is the acquiring bank. Acquiring banks are playing more significant roles as they continue bringing many more e-commerce merchants to market. Also known as “acquirers,” these banks (or other financial institutions) process credit/debit card payments for merchants. In other words, acquiring banks give merchants the ability to accept card payments from the card-issuing banks within a “bank card association” (e.g., Visa, Mastercard, Discover, etc.).

Acquiring banks work on behalf of sellers, in contrast to the card-issuing banks which work on behalf of buyers. Since all of the merchants’ card transactions, including purchases and reversals, go through the acquiring banks, the banks must have an IT organization that can deliver systems with high levels of performance, scale, reliability, and security.

Background

The Shift4 division which was created via the acquisition of Finaro, is a next-gen smart payments provider and fully licensed acquiring bank providing cross-border processing for e-commerce and omni-channel payments. Their processing and acquiring services were developed in-house to provide merchants with stable, robust, and streamlined payments. It uses technological innovation to tie together the many pieces of an e-commerce workflow and address the unique needs of online merchants of all sizes across borders. Acquiring banks have historically operated in a single country, but since thirty percent of e-commerce is now cross-border, merchants need help in doing business with customers in other countries.

The company is based in Israel and Malta and has nearly 250 employees operating across those two countries, as well as Europe, the US, and China.

Shift4 can provide solutions to all players in the offline, e-commerce, and mobile commerce arenas, including direct merchants, payment service providers, and payment facilitators. Partners and customers can choose from a variety of services, including acquiring, gateway services, approval rate optimization, advanced anti-fraud protection, business intelligence, and a host of other value-added services and products.

Shift4 operates in a highly regulated industry and must continually address compliance requirements. It works with card schemes and all relevant financial institutions to ensure compliance and provide merchants with easier access to international markets. Shift4 diligently seeks the right technologies to help ease the burden of achieving and proving regulatory compliance so they can focus on innovation that drives competitive advantage.

The Shift4 Research and Development (R&D) group interacts with technical and business teams such as product management, TechOps, etc., to drive innovation within its core business. There are three groups in R&D; two are mixed development with developers and quality assurance (QA) engineers, and the third group is dedicated to building automation tools.

Challenges

A few years ago, the team began looking for an in-memory technology that supported secure internode communications in their server cluster. In their growing business environment, performance and resilience were critical top-of-mind issues. They needed real-time visibility into the transactional flow between nodes. They felt that pursuing an in-memory solution would provide them with the performance levels they needed, but they also needed extremely high levels of business continuity. They also felt they could leverage an in-memory technology as a caching mechanism on the database data for their microservices.

Just as importantly, regulatory compliance was a factor in their initiative. Regulations like the Payment Card Industry Data Security Standard (PCI DSS, or sometimes just PCI) were an inherent part of their business. Having a platform that could simplify their compliance effort and reduce the risk of violation would be ideal.

One requirement of PCI is implementing processes and technologies that will protect cardholder data from unauthorized access. This generally includes a combination of authentication/authorization controls plus encryption. The former ensures that only authorized personnel can access the data when going through legitimate access points. The latter ensures that the data is protected from a wide variety of system breaches like “eavesdropping” (i.e., when a hacker captures network traffic of transmitted data between nodes).

Solution

The use of an in-memory computing platform easily addressed both performance and a majority of their data protection requirements. The in-memory speeds they gained for processing transactions were a clear advantage. In addition, the fact that data was stored in-memory and not on disk made it easier to deal with the payment card data that flowed through their systems. They could not save the highly sensitive data on persistent storage, as that would create an unnecessary attack surface. Leveraging in-memory storage instead provided an easy way to process transactions without having disk-based exposure.

The team considered two options, Apache Arrow and Hazelcast. The tech lead chose Hazelcast because of his prior experience with it, its ease of use, and the fact that it met all of their other requirements better than the alternative.

The enterprise version of Hazelcast offers the built-in security capabilities that Shift4 needs to safeguard its transaction data. This capability was important to Shift4 because they had prior experience with another in-memory technology that proved to be difficult to implement with regard to data security. With a suite of security features in Hazelcast, implementing the software into their environment was a much simpler process than if they had to build their own security layer.

The business continuity capabilities of Hazelcast Enterprise, especially the WAN Replication feature, simplified the effort in creating a zero-downtime system. Shift4 uses cross-site replication across data centers in a disaster recovery scenario to ensure uptime, even if a site-wide failure occurs.

The team showed that with Hazelcast, the development effort seemed to take almost no time at all, so the technology-enabled very fast time-to-market. The team made it clear to the other stakeholders that Hazelcast was the right technology for them. They knew there were many other opportunities for using Hazelcast, as unlike other in-memory technologies, it was more than just a cache. It provided interservice communications, executors, maps, queues between processes, event journals, and other data structures that they knew they could use in the future.

Results

Hazelcast was very easy to implement, which was a huge plus. The programming model in Hazelcast is different from that of a database, but it is similar and in most cases, more transparent. In fact, programming with Hazelcast comes naturally to most developers; it was easy to adopt by the Shift4 development team and they were quick to implement it. The security features were also easy to implement, and they fit well with the company's security requirements, which turned out to be a big selling point for Hazelcast.

While they did not measure Hazelcast performance directly, they observed that the overall transaction processing was sped up by several orders of magnitude, and Hazelcast was a major contributor to this acceleration. They used an independent party to measure their gateway speed against other providers, and Shift4 finished in the top ten globally, giving them bragging rights on speed.

Every product that Shift4 built in the past year had Hazelcast embedded in it at some level. The company now has close to ten applications that benefit from the power of Hazelcast.