Our client was founded in 2009 to address compliance challenges faced by the contact center industry in the UK. Today, the company has employees in Europe, North America, and Australia and its customer base resides in 25 countries. The client operates across all markets and its growth is fueled by long-term partnerships with leading network telecommunications companies.
Our client is a global leader in secure voice transactions and its technology is integrated with numerous payment service providers. Additionally, they offer a secure mechanism to capture and process card data using non-voice channels such as e-commerce-based solutions and web chats.
Our client had an outdated call center and they made the decision to create a web service for payment processing—via the web and phone to expand their portfolio of service offerings. As a leading card service provider they needed to guarantee the cardholder data and personally identifiable information (PII) was secure. They wanted to:
- Improve application security to ensure they were current with regards to recent vulnerabilities.
- Implement future ready security solutions to save time and budget.
- Implement solutions that are compliant with recent Payment Card Industry Data Security Standard (PCI DSS) requirements.
SoftServe delivered a web-based service for payment processing built from scratch using microservices-based architecture. The solution is integrated with different payment services providers and is hosted on AWS. It uses a combination of AWS managed services as well as self-managed HA Kubernetes clusters. The AWS infrastructure was built starting from prepared Landing Zone (designed and delivered by the SoftServe DevOps team). The Solution was built following best practices and approaches, including Infrastructure-as-Code principles. Cloud infrastructure is fully described via Terraform configurations. Additionally, Ansible and Packer were used for provisioning and baking golden AMIs respectively. This project had strict timelines and a well-defined set of milestones to reach.
The team focused on a secure software development lifecycle (SDLC)—a process that ensures security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.
The project provided unique and valuable items to our client. All secure activities were performed by certified Payment Card Industry (PCI) professionals from SoftServe.
In summary, SoftServe provided:
|Development Team Support
||QA Team Support
||DevOps Team Support
|Application architecture and requirements security assessment
||Security test cases
||AWS cloud preparation with Landing Zone in foundation
|Potential security risk threat modeling
||Security testing approach
|Static code analysis
||Guidance in security testing
|Dynamic application security testing
||Security testing automation where possible
||Integration with Splunk log
|AWS cloud infrastructure security assessment
||Infrastructure architecture and requirements security assessment
||PCI DSS compliant solution preparation
|PCI DSS compliance checks
||Kubernetes and Docker security checks
||Third-party container security solution implementation
As a result of the collaboration the client decreased time to market to only four months and now can:
- Identify application and infrastructure related vulnerabilities of measurable risk
- Design, business logic and compound flaw risks identification
- Secure card data and PII
- More comprehensive analysis in order to reduce false negative and false positives rates, particularly for vulnerabilities only detectable through manual assessment
- Penetration testing and other PCI DSS mandatory reports that can be shared with any interested party on their request as proof of conducting security audit
- Diagnosis of infrastructure vulnerabilities from an external hacker perspective
- Achieving PCI DSS required security level for moving to production
The project was delivered on time and passed defined security and performance requirements. In addition to its support of auto-scaling, the platform created a comprehensive continuous integration and continuous delivery process, including CI/CD pipelines for IAC. SoftServe also provided the customer with knowledge sharing model, that closed the gaps of the client in AWS and cloud-native solutions.