AWS-Hosted Web-Based Service for Semafone Payment Processing Meets PCI DSS Requirements

 

BUSINESS CHALLENGE

Semafone’s flagship solution Cardprotect Voice+ provides a secure way to take payments over the phone while easing compliance with the Payment Card Industry Data Security Standard (PCI DSS). But today, companies are increasingly embracing an omnichannel sales strategy and Semafone was receiving regular requests from its business customers looking for a secure digital payment platform to service non-voice transactions. They needed to implement a new cloud agnostic architecture quickly (in under 3 months) and it needed to be secure, compliant with PCI DSS and other regulatory standards and include a dedicated support team.

As a PCI DSS Level 1 service provider, Semafone must ensure that card holder data and personally identifiable information (PII) is secured and that encryption is properly implemented. The new platform needed to enhance the security of applications to mitigate recent vulnerabilities and threats, reduce both costs & time, and adhere to the latest PCI DSS requirements.

PROJECT DESCRIPTION

SoftServe developed a web-based service for payment processing that was built from scratch from detailed Semafone requirements. Cardprotect Relay+ enables merchants to generate secure links that they can send to their customers who then enter their payment details into a secure web form, whilst receiving real-time updates throughout the customer process.

The AWS hosted solution is integrated with different payment services providers (PSPs) using Client's created PSP integrations. The AWS infrastructure was built starting from a prepared Landing Zone, designed and delivered by the SoftServe DevOps and DevSecOps teams. The solution was built following industry best practices and approaches, including Infrastructure-as-Code principles.

This project was well-defined with strict timelines and a set of clear milestones.

The team focused on a secure software development lifecycle (S-SDLC) - a process that ensures the following security assurance activities; architecture analysis, code review, penetration testing – all integral to SoftServe’s development effort.

The project provided unique and valuable functionality our client required; all security assessments were performed by certified Payment Card Industry (PCI) professionals from SoftServe whilst Semafone provided qualified security assessors (QSAs) and multiple third-party penetration testers.

The web service solution for payment processing is compliant with PCI DSS and has the following relational database requirements, ensuring the solution is:

• Database agnostic
• Fault tolerant and highly available
• Fully PCI DSS compliant to Level 1 Service Provider standard
• Fully encrypted
• Strict in access control with full non-repudiation logging
• Iterative in cost-efficiency
• Flexible in capacity
• Deployable across multiple regions

Technologies were selected to create an optimal solution that would be cost efficient, scalable, and minimize administrative work.

Technologies were assessed to ensure only non-deprecated versions of SSL could be implemented.

VALUE DELIVERED

SoftServe delivered the platform on time, passing defined security and performance requirements. In addition to supporting auto-scaling, the platform created a comprehensive continuous integration and delivery process with CI/CD pipelines for Infrastructure-as-Code (IaC).

SoftServe delivered:

• AWS cloud preparation with Landing Zone in the foundation
• Infrastructure-as-Code (IaC)
• Implemented CI/CD pipelines
• Infrastructure architecture and requirements security assessment
• PCI DSS compliant solution preparation
• Crypto-key management
• Third-party security solutions implementation