Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hey everyone.
I'm Li a senior, a software engineer in the FinTech industry.
Today we are gonna take a technical deep dive of mobile payment systems,
the end-to-end flow, and how they're handled in the real world, dealing with
I potency and synchronous processing and making it a scalable solution.
I.
Mobile payments have transformed global finance offering, enhanced convenience,
security, and efficiency through various mobile payment platforms like
digital wallets, apple Pay, Google Pay, alipay and other forms of mobile
payments using QR codes, et cetera.
We'll examine the innovations driving the revolution and challenges
ahead for the worldwide adoption.
We'll also discuss the role of SE Ari in the high stake financial,
mobile payments environment.
Site reliability engineering plays a crucial role in maintaining the
high up time demanded by the payments platform, SREs practice in and practices
and insurance fault tolerance, rapid instant response and continuous
monitoring that prevent costly outages and security breaches in this
mission critical financial systems.
The global eruption trends has been on the rise throughout the
world, and you can see the numbers.
People who use mobile payments are in hundreds of millions in each
country, and the transactions are happening in billions of dollars.
Now let's take a quick look at the players in the mobile payments flow.
The who's, who in the payments processing flow in general, customer
this is the individual making a purchase and initiating the
payments using their mobile device.
Merchant, I. The, this is the business of the person accepting
the payments for goods or services.
It can be through a point of sale, physical device or online checkout or
some me medium of payment acceptance.
They interact with the customer and the payments processing
system, which is the backend flow.
They're the middle man.
The third person is the acquirer.
This is the financial institution that process the payments
on behalf of the merchant.
Sometimes they provide the merchant with the point of sale terminal device.
It could be the payments.
A processor or the payment gateway to acquirer receives and forwards the
transaction data for authorization the hold funds temporarily during
the settlement, and finally deposit funds in the merchants account.
Issue.
This is the financial institution that issued the customer's credit
or debit card, which is linked to the mobile wallet used for payment.
They verify the customer account details and balances, authorized
transactions and debit customer's account for approved payments.
The other other player is the payment network, which access an intermediary
between the acquirer and issuer, enabling communication and transaction routing
for authorization and settlement.
Some of the most common payment networks could be the card
brands like Visa, MasterCard, African Express Payment Gateway.
It's a secure interface.
Connecting the merchants mean of accepting payments like the pause or online
checkout UI experience to the payment processor and the payment network.
They support and integrate with various payment methods and payment networks.
They also offer fraud detection and prevention tool risk
management and verification.
It, they secure the payments information as it travels
through the transaction process.
It forwards the transaction data to the appropriate payment network.
For further processing, token service provider secures the mobile and online
place online payments by replacing sensitive call card holder data with
nonsensitive substitutes like tokens.
Token service provider can be the payment card networks like Visa Master Card.
They generate and manage token specific to their respective car payment.
This can be the payment gateway provided to example Stripe, PayPal, tree Braintree
provide tokenization service, which enables a merchant to offer streamlined
checkout experiences where customers don't have to reenter their card details.
Mobile provider, mobile wallet providers.
These provide the digital wallet app that customers use to store their
payment card information securely and conveniently to make mobile payments.
Some of the examples most of which are most commonly used are Apple
Pay, Google Pay, Samsung, and Pay.
Venmo has their own wallet.
Alipay Capital One Wallet chase app.
Taking a deeper look into how digital wallet works, they have
revolutionized how we make purchases using our phones with just a few taps.
The core of these wallets is tokenization the car details when added in a wallet.
The wallet provider replaces your original card information with a token
obtained from a token service provider, which we previously mentioned could
be a cardboard network provider or a third party to organization service.
Token generation and mapping.
The token service provider creates a secure mapping between the generated
token and the user real card information.
This map mapping is stored in the token world.
This token a randomly generated number access a substitute for
your actual card number, and is safely stored at hardware level.
The token is linked to your device and specific card, and it cannot be accessed
and cannot be used on other devices.
Let's take a look at the end of end-to-end flow of actual
payment going through this flow.
When we are making a payment with a digital wallet
customer initiates a payment.
The customer chooses to pay pay using their digital wallet at a
physical store or an online checkout.
They authenticate their identity on their device.
It could be through a fingerprint, a face ID, or a pin to unlock the digital wallet.
Tokenization, as I previously mentioned, we have a secure token linked to the
customer actual car store on the device.
If it's a in-store purchase, the customer tabs or waves the device near
the merchants contactless point of sale terminal using a nearfield communication,
which we commonly known as NFC.
The token is transmitted to the point of sale terminal.
If it's an online checkout, the customer selects their digital wallet at checkout.
The token is securely passed to the merchant's website.
The merchant's payment gateway.
After the device, after the token is transferred to the merchant website
or the terminal, the, it's passed to the merchant payment Gateway.
The tokenized data is passed to the merchant payment gateway, the gateway
access in secure intermediary verifying.
Encrypting the data.
The payment information is verified for fraud detection and it is routed
to appropriate payment card network.
The card network receives the transaction request and ask for
authorization from the issuer to ensure sufficient funds are available.
The issuer verifies the customer account balance and the transaction limit
and any other security measures and authorizes it the network, putting a hold
on the funds in the customer account.
The authorization message, travel back through the card network payment
processor and the gateway to the point of sale, terminal or online checkout.
The customer receives the confirmation of the successful payment, the payment
gateway I aggregates the authorized transaction from the merchant throughout
that day, or specific interval.
The acquirer receives from the card network based on the settle transactions
based on the response from Payment Gateway during the settlement time.
The acquirer then deposit deposits the fund into merchant's account
minus any processing fees.
There are many other ways of making mobile payments across the globe.
And the flow might differ in a few ways.
One, one of the type is a QR code based payment.
The customers can secure code displayed by the merchant
using their mobile payment app.
The customer's app generates a payment request with the transaction details
and sends it to the payment provider.
An example for this would be to would be an Alipay or WeChat pay the customer
authenticates within their app using as previously mentioned, of some kind
of biometrics or pin, and the payment provider verifies their accountant
balance upon successful authorization.
The provider notifies both the customer and merchant of the payment qr.
Code based payments often lead directly involved often directly involve
debit card debit slash the credit card of the customer's bank account,
or linked payment account within the mobile payment app, bypassing
traditional card networks in some cases.
Sometimes it could be a card linked to, in which case, tokenization
card networks, again come into play.
In the case of bank transfer apps some of them examples will be like z the
customer enters the recipient details or the merchant details in the case of
payments like example, their phone number or email address link to their back.
Account funds are directly transferred from the customer's
bank account to the recipient's.
Accounts offered in near real time, the customer authenticates
now within their banking app and the transfer is authorized.
These methods typically leverage existing bank transfer networks,
like example a CH in us.
Faster payments in UK facilitating direct account to account transfers.
Mobile payments process is a complex ecosystem requiring careful design to
handle massive transaction volumes.
We need to ensure SEC security and provide a seamless user experience.
This introduces unique challenges for I impotency.
What is item impotency?
It's ensuring an operation applied multiple times has the same
effect as it is applied once.
This is very important in the case of the financial transactions because when
we make a transaction, we don't, and by mistake, if we retry it or due to
accidental network calls at financial transaction can be made twice, which and
despite being it applied multiple times, the transaction should go only once.
Network.
Network interruptions are common on mobile devices, which potentially
lead to duplicate requests or unclear transaction statuses.
Sometime hardware configurations or human error can lead to multiple
transaction requests or multiple retries due to client error handling.
These increase the changes of duplicate request.
Duplication of financial transactions should be handled carefully to
avoid duplicate transfers and handle retries and errors in a gracious way.
There are different methods to follow to handle item potency
in financial transactions.
Let's go over them.
Some of the technical solutions.
Having an item potency key, which is the most common approach, the key is a unique
identifier generator by client or in some cases from the server side, which is the
payment gateway is included throughout our payments processing request.
The server will be able to recognize the key and prevent duplicate
processing request that this might need a database constraints and
maintaining the transaction status.
If the key is not present in the database, the system process the request.
If the key is found, system retrieves the store result, which is, which might
be in process or completed, and return it without reprocessing the transaction.
In addition to item potency key, A due duplication video can be implemented to
define a timeframe during which duplicate transaction requests are checked.
This duplication check can be done based on customer merchant transaction account.
The window of this duplication window time period may vary from case to case
when a payment request is received, the system checks if an identical request
was processed within that time window.
Effective state management is essential for maintaining I dependency.
The payments processing system should be able to accurately track the state
of each transaction, even in the event of system failures or network issues.
We should store the state of each transaction in a per persistent
storage that can survive system restarts and crashes.
We can use distributed caches to quickly check duplicates and
retrieve transaction statuses.
Sometimes during payments processing, we would duplicate requests due to
transaction failures or retrain logic on the client side to handle such scenarios,
which we will, we, it's important to have.
Implementation of retries with exponential backoff.
The request is retried after a delay and this delay is increased
exponentially with each try.
Each retry like delays of one second, the second transaction
with a delay of two seconds.
The third time delay with the exponential increase of four seconds.
And eight seconds the next time, so on.
This helps in preventing duplicate transactions caused by repeated
request due to temporary failures.
The delay increases exp exponentially with each retry attempt, reducing the
load on the server, and increasing the likelihood of successful processing.
I Item potency can also be handled on the client by client side by ui,
handling it to an extent like disabling payment button after the first click
to prevent the duplicate request.
If a transaction failed due to temporary issues.
Provide a clear and safe way for users to retry, ensuring a
proper item potency key is used.
So if the transaction is processed and appropriate, status is provided.
Otherwise, retry with the new I item potency key.
A robust transaction status handling is also important.
We can provide imme immediate response to the users about the request status
or do a synchronous processing of transactions using polling or web
hooks to update the transaction status.
This leads the way to a synchronous payments processing.
Modern applications demand, robust user-friendly payment system that
cater to a variety of scenarios.
Traditional synchronous payments processing often fall short,
leading to slow responses and potential point of failures.
That's where the trio of message queues, callbacks, and webhooks
step into enable efficient, robust, and, and reliable asynchronous
payments processing message queues.
These are very important in case of hand in case of handling asynchronous
payments processing requests, and they help or also help in
handling traffic spikes gracefully.
Preventing system overload during peak hours ensures payments are
processed, even if temporary errors occur with dead letter queues.
Further digging in deeper of a synchronous payments, processing,
callbacks and web hooks can be used.
They play a crucial role in facilitating a synchronous payments processing.
A callback is a function that is passed as an argument to another function,
which can be executed at a later time.
In the context of payments, a callback can be used to handle real-time
notifications or updates about the status of payment transaction.
Webhooks on the other hands are user-defined HTTP callbacks that
are triggered by specific events.
When a payment event occurs such as a successful transaction or a failure,
the payment gateway sends A-H-T-T-P post request to a specified review,
URL, which is the webhook endpoint.
This allows the merchant servers to receive instant updates about
the transaction status, even if the original payment request
was processed as synchronously.
By using callbacks and webhooks, merchants can enhance the user experience
by providing timely feedback about payment outcomes while also improving
the efficiency and reliability of.
Of the payments processing systems, callbacks and webhooks both facilitate
a synchronous payments processing and online payments and mobile payments, but
they differ in how they're implemented and how they communicate the information.
The direction of communication is different.
Callbacks in the context of payments.
Callbacks usually involve the server to server communication.
The payment processor directly communicates with the merchant server
after a payment even has occurred.
This is usually set up during the initial payment request where the
merchant specifies a return URL to which the payment processor
will send a status updates.
Webhooks, unlike callbacks are set up through, through a push mechanism.
So callbacks are a pull mechanism.
Web hooks are a push mechanism.
The merchant registers a webhook URL with the payments processor.
And when an event related to the payment occurs, like transaction success or
failure, or update the pyramid processes and htp, HTTP post request with the
event details to the register, URL the setup are differences between
the callbacks and the web hooks.
So the callbacks are typically defined on a. Per request basis, meaning
they need to be set up every time a payment request is initialized.
So like it's on the go webhooks these are configured once at system or at
account level and can be reused across multiple events and transaction.
Once said, the web hook listens for events it's subscribed to
regardless of specific transaction.
So let's discuss about the use cases for callbacks and WebBook.
Callbacks are generally used for direct responses to a payment request,
often used for intermediate direction handling right after a payment process
process for instance, taking the user to a success or failure page.
There are more what webhooks are more versatile and used for a broader
range of actions, such as updating payment status in the database.
Sending email notifications or triggering other backend process that do not
require immediate action from the users.
In terms of reliability, callbacks can be susceptible to issues if the destination
URL isn't available immediately.
When the response is sent, this could cause loss of information
if not properly managed.
Webhooks are typically designed to handle failure better.
They can employ mechanisms like retry, ensuring that data
eventually reaches its destination.
If there are even temporary issues with the receiving server.
So in summary, while both callbacks and webhooks aid in a synchronously
payments processing information webhooks provide a more robust and flexible
solution suitable for automation task beyond immediate transaction response.
Whereas callbacks are often limited to handling direct and immediate
response to payment requests.
Okay, putting it all together.
Using asynchronous payment processing for better experience during high traffic
loads we can use queues as digital post offices communicating between different
microservices that process, the payments.
Use callbacks and webhooks for proper updating the status of the transaction
that's been that's been going on.
This approach allows for a decoupled, scalable, and responsive payment
system improving both user experience and application reliability.
Not only in terms of making payments great strides have been made in terms
of payment acceptance as well tap to be on iPhone for contactless payments.
Gives merchants large and small easy and secure way.
To accept contactless credit card and debit cards or even
accept payments through apple Pay and other digital wallets using
their iPhone or Android phones.
No additional hardware or payment terminal is required on the Android side.
PayPal and Stripe also provides something similar.
The payment processing flow is similar when using your phone as, the point
of sale device, there is additional step of payment service provider the
merchant app now, which initializes the payment session with apple Payment
Framework or with PayPal or Stripe.
In a similar way.
The merchant app sends the transaction to the payment process API, similar
to how the payment flows go through once the information has been
transferred to the device securely.
Apple provides private a PS for power and private payment process
to integrate with tap to pay for token and session management and
configure payment per parameters.
Stripe provides this feature through terminal Android SDK.
These can, these features can be integrated easily into an iOS and
Android application, providing the ease of accept and acceptance of payments
in various financial applications.
So all in all, some of the major enabling technologies for mobile
payments and its large adoption are the NFC technologies, QR codes,
tokenization, cloud infrastructures, enabling highly scalable payments.
Site reliability engineering teams are integral to the success of modern
payment technologies such as N-F-C-Q-R, core and Tokenization Systems.
By ensuring the infrastructure behind these technologies highly
reliable, secure, and scalable, and is dealt with low latency.
SRE teams employ robust automation, continuous monitoring, and effective
instant management to maintain healthy systems and performance.
This proactive approach minimizes the downtime and ensures fifth resolution
of issues and low latency, which is crucial for processing real-time
transactions securely and efficiency.
Furthermore, their efforts in handling token generation and management uphold
to uphold stringent security standards are necessary for protecting sensitive
payment information and preventing fraud.
By optimizing the technology infrastructure and refining instant
responses, SRE teams enhance user experience and build customer trust,
which is essential for widespread our adoption of these payment technologies.
The major success factor for mobile payments is having an intuitive experience
for customers to to use to which makes our mobile payments more adaptable.
We, having a wide range of acceptance, network and banking,
interop, interoperability can support that, can support and process
payments across different financial institution and card networks.
Gives a great advantage in this market.
Ha having, or we if providing open source SDKs and APIs to integrate with and
enables large range of options to to make an access mobile payments, leveraging
them, the mobile payment solutions can be integrated into existing merchant or
customer application checkout experiences.
This leads to better mobile pen mobile payments penetration
and adoption in the market.
Security innovation is the key in the success of mobile payments.
With large adoptions comes greater chance of risk and frauds, advanced
fingerprints, facial recognition and voice verification technologies
create unique identity sickness that dramatically enhance account protection.
Using hardware level biometric, ver verification has been a great boom.
SRD teams implement automated candidate deployments for biometric
verification service, ensuring the high availability with the low response times.
Military grade cryptography.
Pro cryptography protocols ensure complete data security throughout
the entire transaction journey making interception virtually impossible.
SRE practices include secret rotation automation.
Encryption cer automation certificate encryption monitoring and chaos
engineering tests that verify security resilience during infrastructure failures.
Sophisticated machine learning algorithms and risk verification continuously
analyze each transaction pattern to identify and block suspicious activity
before fraudulent charges occur.
SRE Observable observability platforms provide real-time metrics
or model performance with automated rollbacks when a false positive
rates exceeds the defined threshold.
Layered security approach combines something something you have know and
are creating multiple verification barriers that significantly
reduce unauthorized access Risks.
SRE teams implemented distributed rate limiting and circulators to protect
authentication service during traffic spike and maintain sec consistent
security verification performance.
Okay, because of financial the, that we are discussing here, we obviously have
financial regulation, data protection, banking standards, and cross borders
rules through which we navigate SRE teams implement automated compliance
monitoring with the realtime dashboards that track regulatory requirements across
markets, ensuring 99.9 adherence to.
The changing financial standards SRE practices include data re, residence
automation, consent management, observability and chaos testing of privacy
controls to maintain regulatory compliance while preserving the system reliability.
SRE designs design service level objectives aligned technical
performance with regulatory requirements, providing measurable
reliability metrics that both satisfy banking needs and user expectations.
SRE teams deploy region specific infrastructure.
Infrastructure with automated regulatory checkpoints and edge computing
capabilities that maintain compliance across diverse international jurisdiction.
There are some technical and practical challenges in adoption of mobile payments.
One is the infrastructure gap.
Rural and developing areas face persistent connectivity challenges with unreliable
or non-existent internet accesses, creating digital payment deserts.
SRE team implements edge caching, offline transaction queuing, and
progressive enhancement strategies to maintain service availability,
even in areas with intermittent connectivity, device limitations,
budget and legacy smartphones, like advanced process and secure elements
necessary for implementing robust encryption and authentication protocols
or storing encrypted information.
SRE practices include resource aware degradation parts, lightweight
cryptographic alternatives, and client capability detection to ensure
consistent service reliability.
Across di diverse device ecosystem, there are interoperability issues.
Proper proprietary payments ecosystem created fragmented user experience
forcing consumers to juggle multiple apps and limiting merchant adoption rates.
SRE teams develop unified monitoring dashboards and inputs implement
service mesh architecture with standardized reliability metrics to
identify interoperability failures before they impact the end users.
Backend integration, decades old backend infrastructure and some
of the payments ecosystem built on co COBOL and batch processing
struggles to interface with modern API driven real time payments protocol.
SRE engineers deploy a release resilient integration layers with circuit breakers.
Automated retry mechanisms and comprehensive observability tooling to
maintain high transaction reliability despite legacy system constraints.
There are some practical real world barriers as well, which we cannot avoid.
That is the deep rooted nature of cash preference and technical
technological ignorance and trust.
Trust issues are some of the barriers.
This is slowly changing with the technology penetration
and mobile adoption globally.
Mobile payments is no exception to cyber security risks through
malware threats and phishing.
Strong encryption is needed for transaction request.
Otherwise, they can be exploited by intercepting and alternating tra
transaction data over network through kind of man in the middle attacks.
However, the future how's the future looking from for mobile
payments is always good to look at.
So in with the mobile payments and payments in general with the growth of
crypto, cryptocurrencies will be soon supported in mobile payment platforms.
Frictionless transaction will eliminate a checkout process entirely.
Systems will automatically identify users and process payments with the help of IOT.
Another thing which we already have in the market, but will still
grow in future is super apps.
These are all in one platform, which will combine payments
with broader services, removing interop, interoperability barriers.
These echo systems will centralize the financial activities
with the other functions.
Let's quickly go over some more roles of the SRE and overview of the of
the responsibility and the payments processing and mobile payments.
SRE plays a critical role in mobile payment systems.
In payment processing systems and mobile payments SRE team bridge the gap
between development and operation, while ensuring that the financials systems
meet stringent availability, latency and compliance requirements, SRE teams
implement comprehensive monitoring systems that detect anomalous payment
patterns and transaction velocities.
Maintaining hun high protection rate through automated threat response
protocols and real time security.
Posture visualization SRE practices will reshape a payment infrastructure
resilience through automated error budgeting and chaos engineering
like self-healing payment network, and predict outage prevention.
Ensuring data protection and compliance with regulations by
implementing strong encryption.
Access controls are intrusion detection systems and reg regular security audits.
Having a clear defined SLOs and SLIs specific to mobile payments such as
transactions, success rate, latent of processing, and system up times will
help in measuring and maintaining the reliability of the services.
Predicting traffic patterns and scaling infrastructure accordingly is crucial
to prevent outage during the peak demand Sr. Utilizes historical data and
forecasting techniques for efficient resource allocation during peak loads.
For example, during events like Black Friday or holiday seasons.
SRE teams implement culturally responsive monitoring systems and localized
reliability metrics to add address adoption resistance and failure handling.
SRE teams deploy progressive user experience patterns,
simplified authentication flows and visual interface alternatives.
That respect cultural preferences while maintaining high availability across
demographic, diverse user population.
So SREs have a really important role in mobile payments.
Thank you for listening.
Hope you've got some insights into the technical aspects of large
scale fault tolerant payments, processing flows and the payments
processing systems and how they work.
In the case of mobile payments.
We have also discussed key factors in the success and the rise of mobile
payments, so of the technical and cultural barriers and the technological
advan advancements that are happening.
We have also discussed the key and important role of SRE
in the payments ecosystem.
Once again, thank you.