Consumers “want what they want, when they want it.” Not surprisingly, that includes being able to make payments when and where they wish, without interruption. Catering to that demand means working with a Payment Provider whose technology infrastructure and services support consistent uptime.
With that in mind, we thought it would be useful to list some of the “very basics” that your Payment Provider should have in place before you decide to “buy.”
Payment Uptime Requirements
Before looking at technology infrastructure and services, it’s important to explore uptime numbers and calculate what they mean in downtime. Most reputable payment solutions providers promise an uptime of at least 99 percent, but 99 percent isn’t good enough. By common calculations, 99 percent uptime works out to seven hours, 26 minutes, and 24 seconds of downtime in a 30-day period, which is far too much. So, too, are uptime rates of 99.9 percent, which translates to 44 minutes and 38.4 seconds of downtime over a 30-day period, and 99.99 percent, which equals four minutes and 28.84 seconds of downtime per 30-day period.
Moving into the more acceptable zone, an uptime rate of 99.999 percent equals 26.78 seconds of downtime over 30 days. But the best uptime rate is really 99.9999 percent—meaning businesses typically encounter just 2.68 seconds of downtime per 30 days.
Payment Technology ‘Must-Haves’
SERVICE LEVEL AGREEMENT:
The first “must-have” is a Service Level Agreement (SLA). At E-Complish, our clients receive an SLA for all projects. An SLA outlines a pre-calculated compensation method for when things go wrong. It should spell out the “why, how, when, and compensation schedule” should the SLA need to be enacted. An SLA (in our opinion) is crucial to the ongoing relationship between the Payment Provider and the Client.
CLOUD INFRASTRUCTURE:
A ‘Cloud Infrastructure’ offers secure, scalable, and fully redundant architecture. Using a ‘Cloud Infrastructure’ will provide enterprise-grade “instant capacity” for existing payment processing traffic, backups, and disaster recovery.
Additionally, a ‘Cloud Infrastructure’ will provide ‘Instant Scalability,’ meaning new servers can be added, removed, and deployed in real time.
UPTIME:
For proper uptime (dictated by an SLA), payment providers need to maintain multiple server pools so that their overall ‘payment acceptance server capacity’ does not become so taxed that their system goes down frequently. The provider should have one or more load balancers, which function as proxy devices between the multiple web servers and “serve up the load” to each web server based on the individual load it is experiencing.
LOAD BALANCING:
A ‘Load Balancer’ retrieves information from a server pool before sending traffic to a specific web server. A ‘Load Balancer’ will analyze the web traffic “load” and then send that web traffic to the web server that has the lowest load. In this way, traffic is evenly distributed among the web servers, guarding against web server load failures, supporting the continual availability of resources, and maximizing performance as a whole.
INTERNAL MONITORING:
The Payment Provider should have Internal Monitoring that looks for anomalies and errors. Internal Monitoring is crucial to safeguard data. At a minimum, Internal Monitoring should include the following:
Firewall
It goes without saying that a strong Firewall is required for payment processing. Having an enterprise-level Firewall that protects against and alerts on attempted intrusions is a Payment Card Industry (PCI) requirement.
Anti-virus
Just like on your computer at home, Anti-virus is important for monitoring a Payment Provider’s systems. Anti-virus works from a database of known viruses to “look-block-and-report” them.
Physical Access Controls
All access to the data-center where the servers reside should be heavily monitored and limited to necessary personnel. Without taking too much time here, there are literally hundreds of items to monitor, ranging from things as simple as a written log of access to more complicated things like Wireless Access, Card Access, Biometrics, and video monitoring.
Logical Access Controls
Logical Access Controls are used for Identification, Authentication, Authorization, and Accountability in computer information systems. Logical Access Controls enforce access control measures for systems, programs, processes, and information. The controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems. Logical Access Controls are also monitored by the Log Management Service (LMS) and File Integrity Monitor (FIM) – more below on these two devices or services.
Log Management Service (LMS)
An LMS gathers logs for all system services and actions. The LMS is the starting point for any investigation should there be a potential breach. The LMS should be actively monitoring incoming logs and alerting on anything that seems unusual.
Intrusion Detection Services (IDS)
This device or service does exactly what it sounds like: it checks for intruders or any anomalies in the system. The IDS notifies and reports on any ‘actionable events.’
Intrusion Prevention Service (IPS)
IPS is a device or service that uses the IDS ‘actionable events’ to block and report system intruders. The IDS and IPS devices or services work together to detect, block, and report any actionable intrusion events.
File Integrity Monitoring (FIM)
The FIM device or service monitors the integrity of ‘Operating System’ and ‘Application’ files. The FIM actively compares the ‘Active State’ of a computer file to its ‘Starting State’ to determine if changes were made to the file. If changes are detected, the FIM reports on the files that changed.
Segmentation Controls
Often overlooked are the ‘Segmentation Controls’ within a Payment Provider’s internal network. Segmentation keeps servers “segmented” from each other based on their function. Segmentation is meant to prevent a hacker from moving around in the Payment Provider’s network. Segmenting the ‘Web Servers’ from the ‘Database Servers’ is an example of ‘Segmentation Control.’ Having Segmentation Controls in place reduces the “attack surface available to pivot in” if one of the servers on the network segment is compromised.
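The ‘Starting State’ versus ‘Active State’ comparison described under File Integrity Monitoring above can be sketched as follows. This is an added example, not E-Complish's code or any FIM product's; the function names, the use of SHA-256, and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (by relative path) to its digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            state[os.path.relpath(full, root)] = file_digest(full)
    return state

def compare(starting, active):
    """Report what differs between the starting and the active state."""
    return {
        "modified": sorted(p for p in starting
                           if p in active and starting[p] != active[p]),
        "added": sorted(p for p in active if p not in starting),
        "removed": sorted(p for p in starting if p not in active),
    }

def demo():
    """Constructed sample tree: record a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, body):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        write("app.conf", b"debug=false\n")
        write("pay.py", b"print('ok')\n")
        starting = snapshot(root)                 # 'Starting State'
        write("app.conf", b"debug=true\n")        # content changed
        write("unexpected.bin", b"\x00")          # file that was not there
        os.remove(os.path.join(root, "pay.py"))   # file that disappeared
        return compare(starting, snapshot(root))  # against 'Active State'

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored (or signed) somewhere the monitored server cannot write to; otherwise whoever changes a file can also rewrite its ‘Starting State.’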
EXTERNAL MONITORING:
Of equal value is ‘External Monitoring’ – meaning monitoring the Payment Provider’s servers with an ‘External Monitoring Service.’ This is where we see a lot of Payment Providers dropping the ball. External Monitoring Services act like the customer/consumer sitting on your webpage trying to make a payment. In other words, if the consumer/customer cannot get to your webpage to make a payment, the ‘External Monitor’ should be detecting that and putting up red flares! At E-Complish, we rely on ‘External Monitors’ to act on problems before our clients even notice that there may have been a problem.
DISASTER RECOVERY (the basics):
In our 20+ years, we have talked to many clients from many different industries, and they all ask for a ‘Disaster Recovery Plan’ from E-Complish. The subject of “Disaster Recovery” is vast and covers many aspects. To try and make this simple, we will break down the “Disaster Recovery Basics” that you should be looking for from your Payment Provider.
Disaster Recovery as a Service (DRaaS) and Co-Location
‘DRaaS’ is a category of cloud computing used for protecting an application or data from a natural or human disaster or service disruption at one location by enabling a full recovery in the cloud at a different location. DRaaS differs from cloud-based backup services (like Dropbox, iCloud, etc.) by protecting data and providing standby computing capacity on-demand to facilitate rapid application recovery. So what does that all mean? It means that E-Complish, using DRaaS, can “declare a disaster,” and within minutes, the entire data-center has moved to our Co-Location Disaster Recovery Facility. Having DRaaS and Co-Location (a separate Disaster Recovery datacenter) is crucial to payment processing.
Uninterruptible Power Source (UPS)
But what about those bad storms and power outages? Businesses would do well to ensure their Payment Provider uses a power configuration with multiple phases of power, from multiple Uninterruptible Power Sources (UPSs), in each of their datacenter facilities. Such a setup allows power to be obtained via a second UPS should there be a malfunction or other UPS power source issue. A typical UPS should be fuel-powered, like diesel fuel, to keep the power uninterrupted by natural disasters and the like.
Backups and Drills
Further, any reputable Payment Provider will employ database redundancy and replication to safely store data and make a backup server available in the event of database issues. The Payment environment should be tested at least annually.
Additionally, drills should be performed to test and perfect ‘Disaster Recovery.’ We perform these drills twice a year at E-Complish. We ensure that all backups can be restored, the DRaaS Co-Location is up and synced to the DRaaS database servers, and all access and data are flowing as expected.
Service Infrastructure Imperatives
Choosing a Payment Provider whose philosophy is “always-on” is imperative. In fact, it is another reason why Cloud Infrastructure, Uptime, Backups, and a Disaster Recovery Co-Location are all crucial when deciding on a new Payment Provider.
“With today’s technology, there should be no reason a Payment Provider needs to go down. Using maintenance as an excuse for downtime is just not acceptable anymore. Moreover, because system failures—and hence, downtime—can rear their head at any time of the day or night, round-the-clock support must be available from the Payment Provider. It should be understood that all reported problems must be fixed within minutes.”
~ Stephen Price, CEO/CSO – E-Complish, Inc.