CETREL, the Luxembourg affiliate of SIX Payment Services, needed to upgrade its Web Service capabilities to enhance API security, ensure long-term viability, and enable new peer-to-peer mobile payment solutions.
- Rapid time-to-market for new digital customer services
- 24/7 availability for development and production on the same system, simultaneously
- End-to-end data-flow security, and excellent performance
- Stability, reliability and speed, with rapid response times, whatever the complexity of operations carried out
Enabling mobile payment solutions
SIX is a leading European payments services provider, offering comprehensive solutions for cashless payment transactions. SIX Payment Services ensures payment processing for card issuers, as well as card acceptance for merchants. In a major initiative, the CETREL office of SIX Payment Services is collaborating with SIX headquarters to enable peer-to-peer (P2P) mobile payment (m-payment) solutions.
SIX operates Switzerland’s financial market infrastructure and offers comprehensive services on a global scale in the areas of securities trading, clearing and settlement, as well as financial information and payment transactions. The company is owned by its users (approximately 140 banks of various sizes and orientations) and, with its workforce of more than 3,800 employees and presence in 24 countries, generated an operating income of 1.8 billion Swiss francs and a Group net profit of 247.2 million Swiss francs in 2014.
An in-house approach to API Web Services
As the competence center for credit-card issuing, the CETREL office of SIX Payment Services provides banks, credit institutions, and banking service providers with services for the entire lifecycle of a card (for example, production and personalization, modification, blocking, processing transactions, topping up prepaid cards, etc.). It also works with telecom companies to send SMS text messages to cardholders.
Historically, banks would send a daily file of card transactions to process in batch mode — a system that was neither flexible nor responsive. To modernize, the CETREL office of SIX reviewed available technology, decided to implement API Web Services, and developed a solution in-house.
After a few years’ operation, however, it became clear that the cost for maintaining the platform’s security was too high. The solution needed to be updated continuously to counter emerging threats and integrate new digital technologies used by the financial services industry.
“Axway API Gateway is a highly optimized, highly stable solution.”
Xavier Stenuit, Application Engineer, CETREL
A single off-the-shelf solution does the work of many
“Securing API Web Services is not our core business,” said Xavier Stenuit, Application Engineer at CETREL. “Our business is payment cards. We needed to delegate responsibility for that task to professionals.”
The CETREL office of SIX Payment Services launched an RFP to find an integrated web API security solution. Of five competitors, a short list of three was established, and Axway made the winning bid. “The Axway platform came with a series of modules that we could adapt to protect ourselves from any imaginable kind of attack,” said Stenuit. “It was so much easier than developing a system ourselves. With the Axway solution, the work of five or six people is replaced by one person working part-time, allowing us to make better use of our engineers’ capabilities.”
In the new architecture, all API Web Service calls and security functions, including encryption, were moved to Axway API Gateway, enabling CETREL to focus on its core business activity.
Ensuring security throughout the payment card lifecycle
SIX manages the entire card lifecycle, from issuance and modification to cancellation. Typical business processes include:
- Changing the name or address of a cardholder
- Verifying the balance on a prepaid card
- Blocking a card temporarily or permanently on detection of fraud
- Registering a card in the Visa/MasterCard 3D-Secure program
- Sending a text message (SMS) via the telecom provider to the cardholder’s phone, to confirm a purchase, offer an installment payment plan for that purchase, etc.
Each of these transactions involves an API Web Service call that is handled by Axway API Gateway and includes up to 200 different security checks (for example, encryption, decryption, message signing, signature verification, etc.). Axway’s solution for the CETREL office of SIX Payment Services currently handles:
- 3 million cards
- 300,000 API Web Service calls per day, with peaks of 40 calls a second
“The average transaction time, or latency, is less than 100 milliseconds, in spite of the vast number of security checks involved,” said Stenuit. “It’s a highly optimized, highly stable solution.”
Joining the peer-to-peer revolution
The latest deployment of Axway API Gateway is for a groundbreaking P2P solution now in the pilot phase at SIX for the Swiss banks. The solution enables person-to-person payments via smartphone apps. In the current implementation, users download the bank’s P2P app, transfer funds from their bank account to the app’s stored value, and then use those funds to pay other people.
The solution will scale up rapidly in terms of volume of transactions, variety of funding and payment options, and geographical reach:
- New interfaces will enable users to pay at traditional terminals, i.e., for peer-to-merchant payments in shops; later enhancements will enable payment over the internet.
- Nationwide launch in Switzerland is set for 2015.
- Users will be offered additional ways of funding the smartphone app, using a credit or debit card, PayPal or other means, thus making the app available to unbanked customers.
- Ultimately, the app will be made available in the Apple® App Store and on Google Play™, enabling users worldwide to access the service, regardless of bank affiliation.
The heart of the solution: consistent security rules
In the P2P mobile payment services introduced by SIX, interactions between Swiss banks and SIX systems are handled via API Web Services. “The use of secured leased lines is usually considered as sufficient to guarantee confidentiality and nonrepudiation,” said Stenuit. “But we decided to use Axway API Gateway so we could monitor all traffic and protect the system.”
Explaining their thinking, Stenuit said: “We wanted to take a coherent approach, ensuring that all Web Services go via Axway API Gateway, where we can apply consistent security rules while working from a single point.”
Axway API Gateway is a key component of the P2P solution of SIX, where it is responsible for the movement of all funds, including:
- Transfer of funds from the bank account to the smartphone
- Transfer of funds from the smartphone to the bank when a payment is made to another person, merchant or website
Hitting the ground running shortens implementation
The P2P mobile payment solution of SIX went from drawing board to production in record time. “We had just 60 days to deploy and test the gateway interfaces,” said Stenuit.
Axway API Gateway was effectively invisible to the mobile backend development team, and was therefore taken for granted. “It was a very dynamic and cooperative process,” said Stenuit. “On demand, we implemented new interfaces on the gateway or modified existing ones — and we did all this on the fly — without interrupting live Web Services calls. We met every deadline, without impacting production.”
As planned, the project began in September 2014 and was rolled out in November, right on time.
Axway dashboards tell you everything that’s going on
“From the business standpoint, the Axway system is critical,” said Stenuit. “So it’s one of the systems that we continuously monitor.” SIX built its own database to capture information about each Web Service call. They use Axway dashboards to view call status.
“The Axway dashboards are very useful, because we see immediately when there is a large number of calls in error,” said Stenuit. “The dashboard shows in real time any failure, from an encoding error to database unavailability. It’s crucial information.”
SIX also uses Axway API Gateway’s traffic screen, which shows the encrypted and decrypted contents of the message and the response. “We go to that screen to analyze a particular response, to resolve issues,” said Stenuit.
Moving forward with stability, reliability and speed
With Axway API Gateway now providing critical services to SIX, the benefits may be summarized as follows:
- Rapid time to market. With this flexible and well-designed system, changes can be implemented on the fly, and new interfaces delivered in record time. This is key for a solution like P2P.
- Faster and easier onboarding of new customers. Often, there is a discrepancy between specifications sent to banks and the way banks interpret that information. With Axway API Gateway, adjustments can easily be made to smooth the way for easy onboarding.
- 24/7 availability. During the day, work is routinely done on the platform to develop new functions while production continues unimpeded, ensuring that deadlines are met.
- Clustering and virtualization. Clustering is well implemented in Axway API Gateway, such that nodes can be worked on or new ones added — with no downtime.
- Security. Data-flow security is very strong, and indeed Axway API Gateway is renowned for this side of the business.
- Stability, reliability and speed. Response time is rapid and the system extremely stable, whatever the complexity of operations carried out.
- Performance. System performance is excellent and there are no visible limits to the system’s capacity. In some instances, all data traffic was sent to just one of the four machines. That machine successfully handled the calls, with no slowdown at all.
Taking the long view, Stenuit concluded: “At SIX, we believe in partnerships. We appreciate the reliability of Axway and have confidence in their products and services.”