Conf42 Site Reliability Engineering (SRE) 2025 - Online

- premiere 5PM GMT

Technical deep dive of Mobile Payment Systems and its Rise

Video size:

Abstract

Unlock the future of mobile payments! Explore the breakthroughs in security, scalability, and reliability driving global adoption. Learn how platforms like Apple Pay and UPI are reshaping commerce, and discover the challenges and innovations shaping the future of FinTech on a global scale.

Summary

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hey everyone. I'm Li a senior, a software engineer in the FinTech industry. Today we are gonna take a technical deep dive of mobile payment systems, the end-to-end flow, and how they're handled in the real world, dealing with I potency and synchronous processing and making it a scalable solution. I. Mobile payments have transformed global finance offering, enhanced convenience, security, and efficiency through various mobile payment platforms like digital wallets, apple Pay, Google Pay, alipay and other forms of mobile payments using QR codes, et cetera. We'll examine the innovations driving the revolution and challenges ahead for the worldwide adoption. We'll also discuss the role of SE Ari in the high stake financial, mobile payments environment. Site reliability engineering plays a crucial role in maintaining the high up time demanded by the payments platform, SREs practice in and practices and insurance fault tolerance, rapid instant response and continuous monitoring that prevent costly outages and security breaches in this mission critical financial systems. The global eruption trends has been on the rise throughout the world, and you can see the numbers. People who use mobile payments are in hundreds of millions in each country, and the transactions are happening in billions of dollars. Now let's take a quick look at the players in the mobile payments flow. The who's, who in the payments processing flow in general, customer this is the individual making a purchase and initiating the payments using their mobile device. Merchant, I. The, this is the business of the person accepting the payments for goods or services. It can be through a point of sale, physical device or online checkout or some me medium of payment acceptance. They interact with the customer and the payments processing system, which is the backend flow. They're the middle man. The third person is the acquirer. This is the financial institution that process the payments on behalf of the merchant. Sometimes they provide the merchant with the point of sale terminal device. It could be the payments. A processor or the payment gateway to acquirer receives and forwards the transaction data for authorization the hold funds temporarily during the settlement, and finally deposit funds in the merchants account. Issue. This is the financial institution that issued the customer's credit or debit card, which is linked to the mobile wallet used for payment. They verify the customer account details and balances, authorized transactions and debit customer's account for approved payments. The other other player is the payment network, which access an intermediary between the acquirer and issuer, enabling communication and transaction routing for authorization and settlement. Some of the most common payment networks could be the card brands like Visa, MasterCard, African Express Payment Gateway. It's a secure interface. Connecting the merchants mean of accepting payments like the pause or online checkout UI experience to the payment processor and the payment network. They support and integrate with various payment methods and payment networks. They also offer fraud detection and prevention tool risk management and verification. It, they secure the payments information as it travels through the transaction process. It forwards the transaction data to the appropriate payment network. For further processing, token service provider secures the mobile and online place online payments by replacing sensitive call card holder data with nonsensitive substitutes like tokens. Token service provider can be the payment card networks like Visa Master Card. They generate and manage token specific to their respective car payment. This can be the payment gateway provided to example Stripe, PayPal, tree Braintree provide tokenization service, which enables a merchant to offer streamlined checkout experiences where customers don't have to reenter their card details. Mobile provider, mobile wallet providers. These provide the digital wallet app that customers use to store their payment card information securely and conveniently to make mobile payments. Some of the examples most of which are most commonly used are Apple Pay, Google Pay, Samsung, and Pay. Venmo has their own wallet. Alipay Capital One Wallet chase app. Taking a deeper look into how digital wallet works, they have revolutionized how we make purchases using our phones with just a few taps. The core of these wallets is tokenization the car details when added in a wallet. The wallet provider replaces your original card information with a token obtained from a token service provider, which we previously mentioned could be a cardboard network provider or a third party to organization service. Token generation and mapping. The token service provider creates a secure mapping between the generated token and the user real card information. This map mapping is stored in the token world. This token a randomly generated number access a substitute for your actual card number, and is safely stored at hardware level. The token is linked to your device and specific card, and it cannot be accessed and cannot be used on other devices. Let's take a look at the end of end-to-end flow of actual payment going through this flow. When we are making a payment with a digital wallet customer initiates a payment. The customer chooses to pay pay using their digital wallet at a physical store or an online checkout. They authenticate their identity on their device. It could be through a fingerprint, a face ID, or a pin to unlock the digital wallet. Tokenization, as I previously mentioned, we have a secure token linked to the customer actual car store on the device. If it's a in-store purchase, the customer tabs or waves the device near the merchants contactless point of sale terminal using a nearfield communication, which we commonly known as NFC. The token is transmitted to the point of sale terminal. If it's an online checkout, the customer selects their digital wallet at checkout. The token is securely passed to the merchant's website. The merchant's payment gateway. After the device, after the token is transferred to the merchant website or the terminal, the, it's passed to the merchant payment Gateway. The tokenized data is passed to the merchant payment gateway, the gateway access in secure intermediary verifying. Encrypting the data. The payment information is verified for fraud detection and it is routed to appropriate payment card network. The card network receives the transaction request and ask for authorization from the issuer to ensure sufficient funds are available. The issuer verifies the customer account balance and the transaction limit and any other security measures and authorizes it the network, putting a hold on the funds in the customer account. The authorization message, travel back through the card network payment processor and the gateway to the point of sale, terminal or online checkout. The customer receives the confirmation of the successful payment, the payment gateway I aggregates the authorized transaction from the merchant throughout that day, or specific interval. The acquirer receives from the card network based on the settle transactions based on the response from Payment Gateway during the settlement time. The acquirer then deposit deposits the fund into merchant's account minus any processing fees. There are many other ways of making mobile payments across the globe. And the flow might differ in a few ways. One, one of the type is a QR code based payment. The customers can secure code displayed by the merchant using their mobile payment app. The customer's app generates a payment request with the transaction details and sends it to the payment provider. An example for this would be to would be an Alipay or WeChat pay the customer authenticates within their app using as previously mentioned, of some kind of biometrics or pin, and the payment provider verifies their accountant balance upon successful authorization. The provider notifies both the customer and merchant of the payment qr. Code based payments often lead directly involved often directly involve debit card debit slash the credit card of the customer's bank account, or linked payment account within the mobile payment app, bypassing traditional card networks in some cases. Sometimes it could be a card linked to, in which case, tokenization card networks, again come into play. In the case of bank transfer apps some of them examples will be like z the customer enters the recipient details or the merchant details in the case of payments like example, their phone number or email address link to their back. Account funds are directly transferred from the customer's bank account to the recipient's. Accounts offered in near real time, the customer authenticates now within their banking app and the transfer is authorized. These methods typically leverage existing bank transfer networks, like example a CH in us. Faster payments in UK facilitating direct account to account transfers. Mobile payments process is a complex ecosystem requiring careful design to handle massive transaction volumes. We need to ensure SEC security and provide a seamless user experience. This introduces unique challenges for I impotency. What is item impotency? It's ensuring an operation applied multiple times has the same effect as it is applied once. This is very important in the case of the financial transactions because when we make a transaction, we don't, and by mistake, if we retry it or due to accidental network calls at financial transaction can be made twice, which and despite being it applied multiple times, the transaction should go only once. Network. Network interruptions are common on mobile devices, which potentially lead to duplicate requests or unclear transaction statuses. Sometime hardware configurations or human error can lead to multiple transaction requests or multiple retries due to client error handling. These increase the changes of duplicate request. Duplication of financial transactions should be handled carefully to avoid duplicate transfers and handle retries and errors in a gracious way. There are different methods to follow to handle item potency in financial transactions. Let's go over them. Some of the technical solutions. Having an item potency key, which is the most common approach, the key is a unique identifier generator by client or in some cases from the server side, which is the payment gateway is included throughout our payments processing request. The server will be able to recognize the key and prevent duplicate processing request that this might need a database constraints and maintaining the transaction status. If the key is not present in the database, the system process the request. If the key is found, system retrieves the store result, which is, which might be in process or completed, and return it without reprocessing the transaction. In addition to item potency key, A due duplication video can be implemented to define a timeframe during which duplicate transaction requests are checked. This duplication check can be done based on customer merchant transaction account. The window of this duplication window time period may vary from case to case when a payment request is received, the system checks if an identical request was processed within that time window. Effective state management is essential for maintaining I dependency. The payments processing system should be able to accurately track the state of each transaction, even in the event of system failures or network issues. We should store the state of each transaction in a per persistent storage that can survive system restarts and crashes. We can use distributed caches to quickly check duplicates and retrieve transaction statuses. Sometimes during payments processing, we would duplicate requests due to transaction failures or retrain logic on the client side to handle such scenarios, which we will, we, it's important to have. Implementation of retries with exponential backoff. The request is retried after a delay and this delay is increased exponentially with each try. Each retry like delays of one second, the second transaction with a delay of two seconds. The third time delay with the exponential increase of four seconds. And eight seconds the next time, so on. This helps in preventing duplicate transactions caused by repeated request due to temporary failures. The delay increases exp exponentially with each retry attempt, reducing the load on the server, and increasing the likelihood of successful processing. I Item potency can also be handled on the client by client side by ui, handling it to an extent like disabling payment button after the first click to prevent the duplicate request. If a transaction failed due to temporary issues. Provide a clear and safe way for users to retry, ensuring a proper item potency key is used. So if the transaction is processed and appropriate, status is provided. Otherwise, retry with the new I item potency key. A robust transaction status handling is also important. We can provide imme immediate response to the users about the request status or do a synchronous processing of transactions using polling or web hooks to update the transaction status. This leads the way to a synchronous payments processing. Modern applications demand, robust user-friendly payment system that cater to a variety of scenarios. Traditional synchronous payments processing often fall short, leading to slow responses and potential point of failures. That's where the trio of message queues, callbacks, and webhooks step into enable efficient, robust, and, and reliable asynchronous payments processing message queues. These are very important in case of hand in case of handling asynchronous payments processing requests, and they help or also help in handling traffic spikes gracefully. Preventing system overload during peak hours ensures payments are processed, even if temporary errors occur with dead letter queues. Further digging in deeper of a synchronous payments, processing, callbacks and web hooks can be used. They play a crucial role in facilitating a synchronous payments processing. A callback is a function that is passed as an argument to another function, which can be executed at a later time. In the context of payments, a callback can be used to handle real-time notifications or updates about the status of payment transaction. Webhooks on the other hands are user-defined HTTP callbacks that are triggered by specific events. When a payment event occurs such as a successful transaction or a failure, the payment gateway sends A-H-T-T-P post request to a specified review, URL, which is the webhook endpoint. This allows the merchant servers to receive instant updates about the transaction status, even if the original payment request was processed as synchronously. By using callbacks and webhooks, merchants can enhance the user experience by providing timely feedback about payment outcomes while also improving the efficiency and reliability of. Of the payments processing systems, callbacks and webhooks both facilitate a synchronous payments processing and online payments and mobile payments, but they differ in how they're implemented and how they communicate the information. The direction of communication is different. Callbacks in the context of payments. Callbacks usually involve the server to server communication. The payment processor directly communicates with the merchant server after a payment even has occurred. This is usually set up during the initial payment request where the merchant specifies a return URL to which the payment processor will send a status updates. Webhooks, unlike callbacks are set up through, through a push mechanism. So callbacks are a pull mechanism. Web hooks are a push mechanism. The merchant registers a webhook URL with the payments processor. And when an event related to the payment occurs, like transaction success or failure, or update the pyramid processes and htp, HTTP post request with the event details to the register, URL the setup are differences between the callbacks and the web hooks. So the callbacks are typically defined on a. Per request basis, meaning they need to be set up every time a payment request is initialized. So like it's on the go webhooks these are configured once at system or at account level and can be reused across multiple events and transaction. Once said, the web hook listens for events it's subscribed to regardless of specific transaction. So let's discuss about the use cases for callbacks and WebBook. Callbacks are generally used for direct responses to a payment request, often used for intermediate direction handling right after a payment process process for instance, taking the user to a success or failure page. There are more what webhooks are more versatile and used for a broader range of actions, such as updating payment status in the database. Sending email notifications or triggering other backend process that do not require immediate action from the users. In terms of reliability, callbacks can be susceptible to issues if the destination URL isn't available immediately. When the response is sent, this could cause loss of information if not properly managed. Webhooks are typically designed to handle failure better. They can employ mechanisms like retry, ensuring that data eventually reaches its destination. If there are even temporary issues with the receiving server. So in summary, while both callbacks and webhooks aid in a synchronously payments processing information webhooks provide a more robust and flexible solution suitable for automation task beyond immediate transaction response. Whereas callbacks are often limited to handling direct and immediate response to payment requests. Okay, putting it all together. Using asynchronous payment processing for better experience during high traffic loads we can use queues as digital post offices communicating between different microservices that process, the payments. Use callbacks and webhooks for proper updating the status of the transaction that's been that's been going on. This approach allows for a decoupled, scalable, and responsive payment system improving both user experience and application reliability. Not only in terms of making payments great strides have been made in terms of payment acceptance as well tap to be on iPhone for contactless payments. Gives merchants large and small easy and secure way. To accept contactless credit card and debit cards or even accept payments through apple Pay and other digital wallets using their iPhone or Android phones. No additional hardware or payment terminal is required on the Android side. PayPal and Stripe also provides something similar. The payment processing flow is similar when using your phone as, the point of sale device, there is additional step of payment service provider the merchant app now, which initializes the payment session with apple Payment Framework or with PayPal or Stripe. In a similar way. The merchant app sends the transaction to the payment process API, similar to how the payment flows go through once the information has been transferred to the device securely. Apple provides private a PS for power and private payment process to integrate with tap to pay for token and session management and configure payment per parameters. Stripe provides this feature through terminal Android SDK. These can, these features can be integrated easily into an iOS and Android application, providing the ease of accept and acceptance of payments in various financial applications. So all in all, some of the major enabling technologies for mobile payments and its large adoption are the NFC technologies, QR codes, tokenization, cloud infrastructures, enabling highly scalable payments. Site reliability engineering teams are integral to the success of modern payment technologies such as N-F-C-Q-R, core and Tokenization Systems. By ensuring the infrastructure behind these technologies highly reliable, secure, and scalable, and is dealt with low latency. SRE teams employ robust automation, continuous monitoring, and effective instant management to maintain healthy systems and performance. This proactive approach minimizes the downtime and ensures fifth resolution of issues and low latency, which is crucial for processing real-time transactions securely and efficiency. Furthermore, their efforts in handling token generation and management uphold to uphold stringent security standards are necessary for protecting sensitive payment information and preventing fraud. By optimizing the technology infrastructure and refining instant responses, SRE teams enhance user experience and build customer trust, which is essential for widespread our adoption of these payment technologies. The major success factor for mobile payments is having an intuitive experience for customers to to use to which makes our mobile payments more adaptable. We, having a wide range of acceptance, network and banking, interop, interoperability can support that, can support and process payments across different financial institution and card networks. Gives a great advantage in this market. Ha having, or we if providing open source SDKs and APIs to integrate with and enables large range of options to to make an access mobile payments, leveraging them, the mobile payment solutions can be integrated into existing merchant or customer application checkout experiences. This leads to better mobile pen mobile payments penetration and adoption in the market. Security innovation is the key in the success of mobile payments. With large adoptions comes greater chance of risk and frauds, advanced fingerprints, facial recognition and voice verification technologies create unique identity sickness that dramatically enhance account protection. Using hardware level biometric, ver verification has been a great boom. SRD teams implement automated candidate deployments for biometric verification service, ensuring the high availability with the low response times. Military grade cryptography. Pro cryptography protocols ensure complete data security throughout the entire transaction journey making interception virtually impossible. SRE practices include secret rotation automation. Encryption cer automation certificate encryption monitoring and chaos engineering tests that verify security resilience during infrastructure failures. Sophisticated machine learning algorithms and risk verification continuously analyze each transaction pattern to identify and block suspicious activity before fraudulent charges occur. SRE Observable observability platforms provide real-time metrics or model performance with automated rollbacks when a false positive rates exceeds the defined threshold. Layered security approach combines something something you have know and are creating multiple verification barriers that significantly reduce unauthorized access Risks. SRE teams implemented distributed rate limiting and circulators to protect authentication service during traffic spike and maintain sec consistent security verification performance. Okay, because of financial the, that we are discussing here, we obviously have financial regulation, data protection, banking standards, and cross borders rules through which we navigate SRE teams implement automated compliance monitoring with the realtime dashboards that track regulatory requirements across markets, ensuring 99.9 adherence to. The changing financial standards SRE practices include data re, residence automation, consent management, observability and chaos testing of privacy controls to maintain regulatory compliance while preserving the system reliability. SRE designs design service level objectives aligned technical performance with regulatory requirements, providing measurable reliability metrics that both satisfy banking needs and user expectations. SRE teams deploy region specific infrastructure. Infrastructure with automated regulatory checkpoints and edge computing capabilities that maintain compliance across diverse international jurisdiction. There are some technical and practical challenges in adoption of mobile payments. One is the infrastructure gap. Rural and developing areas face persistent connectivity challenges with unreliable or non-existent internet accesses, creating digital payment deserts. SRE team implements edge caching, offline transaction queuing, and progressive enhancement strategies to maintain service availability, even in areas with intermittent connectivity, device limitations, budget and legacy smartphones, like advanced process and secure elements necessary for implementing robust encryption and authentication protocols or storing encrypted information. SRE practices include resource aware degradation parts, lightweight cryptographic alternatives, and client capability detection to ensure consistent service reliability. Across di diverse device ecosystem, there are interoperability issues. Proper proprietary payments ecosystem created fragmented user experience forcing consumers to juggle multiple apps and limiting merchant adoption rates. SRE teams develop unified monitoring dashboards and inputs implement service mesh architecture with standardized reliability metrics to identify interoperability failures before they impact the end users. Backend integration, decades old backend infrastructure and some of the payments ecosystem built on co COBOL and batch processing struggles to interface with modern API driven real time payments protocol. SRE engineers deploy a release resilient integration layers with circuit breakers. Automated retry mechanisms and comprehensive observability tooling to maintain high transaction reliability despite legacy system constraints. There are some practical real world barriers as well, which we cannot avoid. That is the deep rooted nature of cash preference and technical technological ignorance and trust. Trust issues are some of the barriers. This is slowly changing with the technology penetration and mobile adoption globally. Mobile payments is no exception to cyber security risks through malware threats and phishing. Strong encryption is needed for transaction request. Otherwise, they can be exploited by intercepting and alternating tra transaction data over network through kind of man in the middle attacks. However, the future how's the future looking from for mobile payments is always good to look at. So in with the mobile payments and payments in general with the growth of crypto, cryptocurrencies will be soon supported in mobile payment platforms. Frictionless transaction will eliminate a checkout process entirely. Systems will automatically identify users and process payments with the help of IOT. Another thing which we already have in the market, but will still grow in future is super apps. These are all in one platform, which will combine payments with broader services, removing interop, interoperability barriers. These echo systems will centralize the financial activities with the other functions. Let's quickly go over some more roles of the SRE and overview of the of the responsibility and the payments processing and mobile payments. SRE plays a critical role in mobile payment systems. In payment processing systems and mobile payments SRE team bridge the gap between development and operation, while ensuring that the financials systems meet stringent availability, latency and compliance requirements, SRE teams implement comprehensive monitoring systems that detect anomalous payment patterns and transaction velocities. Maintaining hun high protection rate through automated threat response protocols and real time security. Posture visualization SRE practices will reshape a payment infrastructure resilience through automated error budgeting and chaos engineering like self-healing payment network, and predict outage prevention. Ensuring data protection and compliance with regulations by implementing strong encryption. Access controls are intrusion detection systems and reg regular security audits. Having a clear defined SLOs and SLIs specific to mobile payments such as transactions, success rate, latent of processing, and system up times will help in measuring and maintaining the reliability of the services. Predicting traffic patterns and scaling infrastructure accordingly is crucial to prevent outage during the peak demand Sr. Utilizes historical data and forecasting techniques for efficient resource allocation during peak loads. For example, during events like Black Friday or holiday seasons. SRE teams implement culturally responsive monitoring systems and localized reliability metrics to add address adoption resistance and failure handling. SRE teams deploy progressive user experience patterns, simplified authentication flows and visual interface alternatives. That respect cultural preferences while maintaining high availability across demographic, diverse user population. So SREs have a really important role in mobile payments. Thank you for listening. Hope you've got some insights into the technical aspects of large scale fault tolerant payments, processing flows and the payments processing systems and how they work. In the case of mobile payments. We have also discussed key factors in the success and the rise of mobile payments, so of the technical and cultural barriers and the technological advan advancements that are happening. We have also discussed the key and important role of SRE in the payments ecosystem. Once again, thank you.
...

Likhit Mada

Software Engineer Co-op @ Intuit

Likhit Mada's LinkedIn account



Join the community!

Learn for free, join the best tech learning community for a price of a pumpkin latte.

Annual
Monthly
Newsletter
$ 0 /mo

Event notifications, weekly newsletter

Delayed access to all content

Immediate access to Keynotes & Panels

Community
$ 8.34 /mo

Immediate access to all content

Courses, quizes & certificates

Community chats

Join the community (7 day free trial)