Paycraft is a payments company providing contactless open-loop products capable of processing both online and offline transactions. Its products cover a wide range of use cases in which a transaction must be processed within milliseconds, which simplifies ticketing, validation and management for program operators. Paycraft was formed in 2013 by a team with many years of experience in the payment sector. The company is the preferred payment solution for banks, global consulting companies, transit operators, payment processors, card and device manufacturers and many others.
Paycraft required a green-field deployment on the Azure platform that would meet version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS), the information security standard for organisations that store, process or transmit cardholder data.
These were the high-level challenges faced by the Paycraft team:
- Application load had to be balanced across both the web servers and the application servers.
- Provisioning a Disaster Recovery (DR) site, located in a different seismic zone from the primary DC location, was one of the important factors in meeting PCI DSS compliance.
- End-to-end SSL encryption had to be provided, including at the database layer.
- The primary and secondary databases, located in the DC and DR regions, had to be kept synchronized.
- Strong access-control measures were required for access to the virtual machines as well as the Azure Portal.
- User activity on the Azure Portal had to be monitored.
- Application-level monitoring was required to check for security vulnerabilities.
Based on detailed discussions with Paycraft, IntellyZen proposed the following solution to migrate their application to the cloud:
- Azure Load Balancers are deployed, with the web servers behind a public load balancer and the application servers behind a separate application-tier load balancer.
- MongoDB and PostgreSQL databases on Azure VMs are set up with replication enabled between the primary and secondary databases.
- DR provisioning is established with virtual network peering between the primary and secondary regions, cross-region database synchronization and SSL encryption.
- As required by the PCI standards, network segmentation with MFA is implemented on the bastion servers that have access to the web, app and database servers, and SSH login banners are configured on them.
- Network Time Protocol (NTP) is used to synchronize time across all servers.
- Trend Micro Deep Security, deployed in a Master, Agent and Relay Agent architecture, provides an additional layer of security on all servers.
- A VPN is configured between their on-premises network and the Azure networks using the Azure Virtual Network Gateway service.
- Server CPU, memory and disk utilization and logs are monitored, along with user activity, using Azure Monitor, Azure Log Analytics and the service Activity Control.
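The "end-to-end SSL encryption including the database layer" and cross-region replication items above are verified in configuration rather than on an architecture diagram. The script below is an added example, not Paycraft's or IntellyZen's code: it parses a PostgreSQL pg_hba.conf and flags records that would let application or replication traffic reach the database without TLS, records open to any source address, and weak authentication methods. It assumes a PostgreSQL primary with ssl=on in postgresql.conf; the embedded sample pg_hba.conf is constructed for illustration and every address in it is a placeholder.

```python
"""Audit a PostgreSQL pg_hba.conf for transport-encryption and authentication gaps.

Added example (not Paycraft's or IntellyZen's configuration). Assumes a
PostgreSQL primary with ssl=on that accepts connections from application
servers and from a DR-site replica over the network.
"""
from dataclasses import dataclass
import ipaddress
import shlex

TLS_REQUIRED = "hostssl"    # accepts TLS connections only
TLS_OPTIONAL = "host"       # accepts TLS *or* plaintext connections
TLS_FORBIDDEN = "hostnossl" # accepts plaintext connections only

# Methods that never satisfy a strong-authentication requirement over the network.
WEAK_METHODS = {"trust", "password", "ident"}
# md5 still works but scram-sha-256 or cert is the current recommendation.
LEGACY_METHODS = {"md5"}


@dataclass
class HbaRecord:
    line_no: int
    conn_type: str
    databases: list
    users: list
    address: str   # CIDR, "addr/netmask", hostname, or "" for unix-socket records
    method: str
    options: dict


@dataclass
class Finding:
    line_no: int
    severity: str  # "error" or "warn"
    message: str


def parse_hba(text: str) -> list:
    """Parse records of the form: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)            # handles double-quoted names
        conn_type = fields[0]
        if conn_type == "local":
            databases, users, address, rest = fields[1], fields[2], "", fields[3:]
        else:
            databases, users, address, rest = fields[1], fields[2], fields[3], fields[4:]
        # A netmask may follow the address as a separate field; fold it into CIDR form.
        if rest and rest[0][0].isdigit() and "." in rest[0]:
            address, rest = f"{address}/{rest[0]}", rest[1:]
        method = rest[0] if rest else ""
        options = dict(opt.split("=", 1) for opt in rest[1:] if "=" in opt)
        records.append(HbaRecord(line_no, conn_type, databases.split(","),
                                 users.split(","), address, method, options))
    return records


def _network(address: str):
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None   # hostnames, samehost/samenet etc. are not evaluated here


def _is_loopback(address: str) -> bool:
    net = _network(address)
    return net is not None and net.is_loopback


def _is_unrestricted(address: str) -> bool:
    net = _network(address)
    return address == "all" or (net is not None and net.prefixlen == 0)


def audit_hba(text: str) -> list:
    """Return findings for records that expose traffic or credentials on the network."""
    findings = []
    for rec in parse_hba(text):
        if rec.conn_type == "local":
            # Unix-socket connections never leave the host; only the method matters.
            if rec.method in WEAK_METHODS:
                findings.append(Finding(rec.line_no, "error", f"local record uses weak method '{rec.method}'"))
            continue
        if rec.conn_type == TLS_FORBIDDEN:
            findings.append(Finding(rec.line_no, "error", "hostnossl record forces plaintext connections"))
        elif rec.conn_type == TLS_OPTIONAL and not _is_loopback(rec.address):
            findings.append(Finding(rec.line_no, "error", "'host' record accepts non-TLS connections from the network; use hostssl"))
        if "replication" in rec.databases and rec.conn_type != TLS_REQUIRED:
            findings.append(Finding(rec.line_no, "error", "replication stream is not forced over TLS; DR sync would cross the WAN unencrypted"))
        if _is_unrestricted(rec.address):
            findings.append(Finding(rec.line_no, "error", f"address '{rec.address}' allows connections from anywhere"))
        if rec.method in WEAK_METHODS:
            findings.append(Finding(rec.line_no, "error", f"weak authentication method '{rec.method}'"))
        elif rec.method in LEGACY_METHODS:
            findings.append(Finding(rec.line_no, "warn", "md5 authentication; prefer scram-sha-256 or cert"))
    return findings


# Constructed sample, not a real deployment; addresses are placeholders.
SAMPLE_HBA = """\
# constructed sample pg_hba.conf
local   all          all                                   peer
hostssl all          app_user     10.10.2.0/24             scram-sha-256
hostssl replication  replicator   10.20.1.0/24             cert
host    replication  replicator   10.20.1.0/24             md5
host    all          all          0.0.0.0/0                trust
hostnossl all        reporting    10.10.3.0/24             scram-sha-256
host    all          all          127.0.0.1/32             scram-sha-256
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HBA
    for f in audit_hba(text):
        print(f"line {f.line_no}: {f.severity}: {f.message}")
```

Run it with a file path to audit a real pg_hba.conf, or with no arguments to see the findings on the sample. The replication check is the one that matters most for the DR design described above: a `host` record for the replicator user lets the cross-region replication stream fall back to plaintext even when the application tier uses `hostssl`.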
The outcomes for Paycraft were:
- The developer-friendly environment of the Azure platform allowed the infrastructure setup and application deployment to proceed very efficiently.
- PCI DSS compliance was achieved in a short time, with all the required artifacts evaluated and submitted by both the infrastructure and development teams.
- The DR environment, with network peering, server time synchronization, database synchronization, monitoring and security hardening, was set up very quickly.
- With Trend Micro Deep Security in place, monitoring of the application and servers for anti-malware, IDS/IPS, file integrity monitoring, log monitoring and firewall was very effective.
- Server time synchronization was no longer a burden on the developers.
- Infrastructure monitoring became very easy for the Paycraft infra team, with all the required monitoring thresholds enabled at both the Azure and Trend Micro Deep Security levels.