PA-DSS Compliant Payment Gateway with 3D Secure Authentication

Industry: BFSI, Banking, Retail, Software products, Payments
Technologies: Java, Angular.js, Other

About Our Client

The Client is a European fintech software product company offering cloud and on-premises business solutions for banks, payment service providers, and ecommerce merchants. The company’s products are used by 350+ organizations across five continents. The annual amount of payments processed using the Client’s solutions exceeds $50B.

Specialized Payment Software Development Skills Needed

The Client wanted to develop a multi-component payment gateway product enabling ecommerce payments with 3D Secure payer authentication. The product was primarily aimed at banks that wanted to help their ecommerce customers quickly introduce secure digital payments on e-selling platforms. The product’s core component, a white-label payment gateway, was to be hosted on a bank’s server and provide ready-to-use APIs for integration with banking systems and e-merchant apps. Its customizable checkout interfaces would allow banks to communicate their brand and ensure cohesive payer experiences. Back-end 3D Secure components would enable payer authentication in compliance with the latest credit card network protocols like EMVCo 3D Secure 2.1.0 and 2.2.0.

The Client’s in-house software developers lacked a specialized background in engineering large-scale payment gateway systems and achieving compliance with the 3D Secure authentication programs used by international card networks. The company sought seasoned payment software competencies to aid the team in compliant product design and development.

The Client had previously had a positive experience commissioning ScienceSoft to develop its digital payment solutions for the MENA region. Our Java talents had earned a reputation as motivated, easy-to-work-with professionals with solid expertise in building payment software, so the Client decided to involve ScienceSoft again.

Java Competencies to Develop a PA-DSS Compliant Payment Gateway with 3D Secure Authentication

After carefully studying the Client’s requirements, ScienceSoft selected the best-qualified Java development candidates and scheduled interviews so that the Client could quickly verify the necessary technical skills. Our Java engineers, who had extensive track records in large-scale financial software projects and hands-on experience in building compliant payment solutions, proved to be a good match. Within one week of the Client’s request, ScienceSoft’s team was fully equipped to start working on the project.

Throughout the cooperation, ScienceSoft’s Java engineers have been involved in the following tasks:

Payment product technical design

ScienceSoft’s experts took part in designing the architecture of the payment gateway and 3D Secure components. Our talents suggested employing the SOA approach to architect a flexible modular solution that would support growing transaction volumes and easy functional upgrades. They advised using container-based development to restrict access to the solution’s critical components and simplify establishing PA-DSS-approved controls. Along with enhancing security, this would facilitate DevOps, making product deployment across banks’ infrastructures faster and less labor-intensive.

ScienceSoft’s team was also involved in designing product features. Our experts sharpened digital payment processing functionality to guarantee adherence to international payment security standards, such as PCI DSS, PSD2, and UK Open Banking. The Client wanted its payment gateway solution to support secure online card payment schemes certified by international card networks like Visa, MasterCard, and UnionPay. ScienceSoft’s lead Java developer designed custom cardholder authentication mechanisms in compliance with EMVCo 3D Secure v1 (1.0.2) and v2 (2.1.0, 2.2.0) protocols employed by the world’s largest card networks.

Back-end development

ScienceSoft’s Java engineers participated in coding every major server-side component of the payment gateway suite:

  • A 3D Secure client (a merchant-side payment gateway app). Our developers built the back-end logic for automated checkout page generation, payment request processing, payment message routing, transaction status reporting to payers and merchants, and transaction recordkeeping. They also built merchant features for managing account information, tracking due and received payments, and setting custom rules, e.g., for transaction segmentation or buyer notifications.
  • A 3D Secure server (3DSS) responsible for initiating cardholder authentication during online payments. The 3DSS receives payer authentication requests from acquiring banks and displays in-app and in-browser payer checkout interfaces. When coding authentication functions, ScienceSoft’s team relied on the 3DS software development kit (3DS SDK) by EMVCo, which specifies the unified rules to develop compliant 3D Secure flows.
  • A directory server (DS) that maintains the information about card issuing and payment acquiring organizations. The DS validates cardholder authentication requests and routes them to the appropriate card issuer. This component also verifies 3D Secure implementation compliance with the EMVCo 3DS SDK standard. ScienceSoft’s team developed this component end to end, introducing a wide range of customization scenarios to enable DS interoperability with local card networks.
  • An access control server (ACS) that stores information about bank card enrollments and card statuses. The ACS processes cardholder authentication requests, checks card validity, and verifies card ownership based on one-time cryptograms. ScienceSoft’s engineers built the ACS in compliance with EMVCo’s latest 3D Secure standard to introduce frictionless payments. In this scenario, the ACS runs a real-time assessment of transaction risk (based on the payer’s historical behavior, transaction value, and device and browser information) and decides whether the transaction can be processed right away or requires additional authentication through the 3D Secure protocol. In the latter case, the ACS prompts the cardholder directly for authentication via a one-time PIN. Once cardholder eligibility is confirmed, the ACS sends a payment authorization approval to the DS.

Ensuring payment product compliance with the globally accepted EMVCo protocols for 3D Secure authentication requires obtaining a specialized certification from EMVCo-approved laboratories. ScienceSoft’s engineers employed a DS and 3DS SDK compliance testing toolkit provided by Fime lab to attest their 3D Secure implementations against the EMVCo standards. This gave the Client confidence about the security and regulatory compliance of its payment authentication solutions.


API development

According to the Client’s requirements, each component of the payment gateway suite can be deployed on a bank’s infrastructure as a standalone solution and integrated with the required systems. Our Java engineers built ready-to-use APIs for 3D Secure component integration with core banking systems, hardware security modules, card cryptography generation systems, and fraud detection tools. They also developed ready-made APIs for payment gateway integration with e-merchant business systems and ecommerce platforms.

Achieving compliance with PA-DSS

Like any other payment gateway product, the Client’s solution must meet PA-DSS requirements to ensure payment processing security and facilitate compliance with PCI DSS. To adhere to PA-DSS, ScienceSoft’s lead Java engineer did the following:

  • Assisted the Client’s team in designing policies for compliant transactional data storage, retention, and deletion.
  • Implemented PA-DSS-compliant JSON Web Encryption (JWE) mechanisms for transactional data encryption at rest and during transmission.
  • Set up logging and monitoring tools to track payment gateway performance and control role-based access to transactional data.
  • Oversaw the team’s adherence to secure coding practices backed by OWASP ASVS to prevent code vulnerabilities that could compromise transactional data privacy.
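The JWE mechanism listed above, as an added example that is not part of the original page or the Client’s product: a minimal RFC 7516 compact serialization (header.encryptedKey.iv.ciphertext.tag) with direct AES-256-GCM content encryption, written here in Go with only the standard library rather than the project’s Java stack. The content encryption key is assumed to come from the gateway’s key management (e.g. an HSM, which the page mentions as an integration target), and the record is assumed to be an already-serialized JSON document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// JWE compact form is header.encryptedKey.iv.ciphertext.tag in unpadded base64url
// (RFC 7516); with alg "dir" the key part is empty and the encoded header is the AAD.
var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))

func mustGCM(cek []byte) cipher.AEAD {
	block, err := aes.NewCipher(cek)
	if err != nil || len(cek) != 32 {
		panic("A256GCM needs a 256-bit content encryption key")
	}
	gcm, _ := cipher.NewGCM(block) // AES always satisfies GCM's block-size requirement
	return gcm
}

// EncryptJWE seals one serialized transaction record (e.g. a JSON document) into a JWE.
func EncryptJWE(cek, record []byte) string {
	gcm := mustGCM(cek)
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, fresh for every record
	rand.Read(iv)
	sealed := gcm.Seal(nil, iv, record, []byte(hdr)) // ciphertext || 128-bit tag
	n := len(sealed) - gcm.Overhead()
	return hdr + ".." + b64.EncodeToString(iv) + "." + b64.EncodeToString(sealed[:n]) + "." + b64.EncodeToString(sealed[n:])
}

// DecryptJWE fails closed on an unexpected header, a malformed token or any altered part.
func DecryptJWE(cek []byte, token string) ([]byte, error) {
	gcm, p := mustGCM(cek), strings.Split(token, ".")
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64 fails the tag check
	if len(p) != 5 || p[0] != hdr || p[1] != "" || len(dec(p[2])) != gcm.NonceSize() {
		return nil, errors.New("unsupported header, malformed token or wrong-length IV") // Open panics on a bad nonce
	}
	record, err := gcm.Open(nil, dec(p[2]), append(dec(p[3]), dec(p[4])...), []byte(p[0]))
	if err != nil {
		return nil, errors.New("JWE authentication failed")
	}
	return record, nil
}
```

Because the encoded header is authenticated as AAD, a token whose alg/enc was rewritten, or whose IV, ciphertext or tag was altered in storage or in transit, is rejected before any plaintext is released.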

Product rollout

ScienceSoft’s team continues to work together with the Client’s developers and DevOps engineers to help the Client’s customers deploy the chosen payment gateway components on their cloud and on-premises servers. Particularly, our engineers are responsible for product integrations and building custom connectors when the solution needs to communicate with specific software or legacy tools on a customer’s side. They also help banks integrate the DS with local card networks.

As part of the product rollout service, ScienceSoft’s pros help the Client’s banking clients pass the 3DS product certifications run by EMVCo and major card networks like Visa and MasterCard.

Product maintenance

ScienceSoft’s Java engineers also work on code refactoring and removing redundant features to improve the performance of 3D Secure components. The team is also involved in continuously upgrading the product with new features to keep payment processing and authentication flows aligned with EMVCo’s evolving standards.

3-Year-Long Cooperation Leading to Worldwide Adoption of Payment Gateway Product

As of July 2024, ScienceSoft’s Java engineers have been working with the Client’s team for nearly three years. Thanks to the in-depth fintech background and hands-on payment gateway development skills of our talents, the Client obtained a robust payment product that ensures world-class protection of cardholder data and provides compliance with EMVCo 3DS v2 protocols. The easy-to-deploy, EMVCo-approved solution, which offers secure and convenient checkout experiences, quickly gained traction among banks worldwide, enabling our Client to win a larger market share and generate high revenue.

Inspired by the success of the payment gateway development project, the Client decided to expand our cooperation scope and engaged ScienceSoft in evolving its bank card embossing product.

Technologies and Tools

  • Back-end languages and libraries: Java, Spring (Spring Core, Spring Boot, Spring Web, Spring Data), Hibernate 5, Java logging (Logback), SSL, JSP, JSF, REST, JUnit, Mockito, aDoc, Nginx.
  • Databases: Oracle DB, PostgreSQL, H2.
  • GUI: HTML, jQuery, AngularJS 13, ExtJS 4.
  • IDE tools: IntelliJ IDEA, Android SDK.
  • Build automation tools: NPM, Maven, Gradle.
  • Containerization tools: Apache Tomcat, WebLogic, Docker, Minikube.
  • Monitoring tools: ELK (Elasticsearch, Kibana, Logstash), Grafana.
  • Testing tools: SoapUI, Postman, Apache JMeter.
