
PCI-DSS compliant ISO-8583 client

Custom development of a high-performance, PCI-DSS compliant ISO-8583 client that processes a large volume of authorization messages and forwards them to customers.

  • Custom Software Development
  • 2019 – 2020
  • Industry: FinTech

Initial Task

Description

The Client submitted a request for the implementation of a high-performance, PCI-DSS compliant ISO-8583 client for processing a large volume of authorization messages and forwarding them to customers for approve/decline decisions based on their processing rules and the replies of their Risk Management Systems.

Technology stack

BackEnd

  • Oracle 12c
  • Redis
  • Gradle
  • Spring Boot
  • Docker
  • AWS
  • Java 11

Challenges

01.

Implementations of ISO-8583 clients

ISO-8583 is a rather low-level protocol based on persistent TCP connections with a complex message structure. There are no open-source implementations of ISO-8583 clients, so we decided to build one on our own using the Netty framework. Building a fault-tolerant client with robust connection management required an in-depth understanding of the TCP protocol. While the ISO-8583 message structure is described by hundreds of specification pages, Touchlane developers were able to make it happen with the required diligence.

02.

Multiple Performance Optimizations

As the ISO-8583 processing time affects the cardholder experience at the POS, we had strict performance requirements. To meet them, we applied multiple performance optimizations with caching and selected the appropriate messaging system based on our benchmarks. Building the system on a Reactive architecture with non-blocking IO allowed us to support high throughput and low latency.

Process

Phase / 01.

  • Analysis of performance requirements and ISO-8583 specification

    As ISO-8583 is a quite complex specification expressed in hundreds of pages, we had to understand which transport the protocol uses, what the core message types are and how they should be handled. This stage significantly broadened our understanding of the target system requirements.

  • System Design (involving POCs & benchmarking)

    We analyzed the PCI-DSS requirements, which influenced the target design: components that work with sensitive data were isolated in a separate module. That in turn meant that we needed an efficient message-passing solution for internal service communication. After benchmarking different message-passing solutions, we decided to use Redis Streams, which met our performance needs.

Phase / 02.

  • Implementation of ISO8583 transport using Netty framework

    With no good open-source ISO-8583 client solutions available, we implemented our own client from scratch. As ISO-8583 uses TCP as its transport and Netty is widely used by modern open-source TCP/HTTP clients, we proceeded with Netty. The client implementation was rather challenging, as we had to implement things like connection pooling and keep-alives on our own, which usually come "by default".

  • Implementation of ISO8583 message parsing

    That was an extremely tedious task, as the protocol describes 100+ data fields with different encodings, encryption and formatting. Moreover, VISA and MC have different dialects of the same protocol, which increased the amount of work. Parsing itself was not trivial, as it is rather low-level: we had to work a lot with binary operations and uncommon encodings.
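    To illustrate the parsing step described above, here is an added example (not Touchlane's code, and written in Python rather than the project's Java so that it runs stand-alone): a bitmap-driven parser for a constructed, ASCII-encoded 0200 authorization message. The field table is an assumed subset of the specification, and the PAN masking shows how a PCI-DSS compliant module keeps cardholder data out of logs; real Visa and Mastercard dialects define many more fields, binary/BCD encodings and network-specific rules.

```python
# Added illustration: minimal ISO-8583 parser over a constructed ASCII message.
# FIELD_SPEC is an assumed subset; real card-network dialects define far more fields.
FIELD_SPEC = {
    2: ("llvar", 19),   # PAN, variable length (cardholder data under PCI-DSS)
    3: ("fixed", 6),    # processing code
    4: ("fixed", 12),   # transaction amount
    11: ("fixed", 6),   # system trace audit number (STAN)
    41: ("fixed", 8),   # terminal id
    49: ("fixed", 3),   # transaction currency code
}

def parse_bitmap(hex_bitmap):  # 1-based field numbers whose bit is set (bit 1 = leftmost)
    width = len(hex_bitmap) * 4
    bits = int(hex_bitmap, 16)
    return [i for i in range(1, width + 1) if (bits >> (width - i)) & 1]

def parse_iso8583(msg):  # returns (MTI, {field: value}); rejects unknown/truncated fields
    mti, pos = msg[:4], 4
    bitmap_hex = msg[pos:pos + 16]            # primary bitmap: 8 bytes as 16 hex chars
    pos += 16
    if 1 in parse_bitmap(bitmap_hex):        # bit 1 announces a secondary bitmap
        bitmap_hex += msg[pos:pos + 16]
        pos += 16
    fields = {}
    for f in (b for b in parse_bitmap(bitmap_hex) if b != 1):
        if f not in FIELD_SPEC:
            raise ValueError(f"field {f} present but not in spec table")
        kind, limit = FIELD_SPEC[f]
        if kind == "fixed":
            length = limit
        else:                                 # llvar: 2-digit decimal length prefix
            length = int(msg[pos:pos + 2])
            pos += 2
            if length > limit:
                raise ValueError(f"field {f} length {length} exceeds max {limit}")
        value = msg[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside field {f}")
        fields[f] = value
        pos += length
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return mti, fields

def mask_pan(pan):  # first 6 / last 4 digits, the maximum PCI-DSS permits to display or log
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed 0200 request carrying fields 2, 3, 4, 11, 41, 49 -> bitmap 7020000000808000.
SAMPLE_MSG = ("0200" + "7020000000808000" + "16" + "4111111111111111"
              + "000000" + "000000010000" + "123456" + "TERM0001" + "840")
```

    Parsing SAMPLE_MSG yields MTI 0200 with the six fields; a log line built from the result should carry mask_pan(fields[2]), never the raw PAN.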

Phase / 03.

  • Performance optimizations

    As the cardholder experience at the POS depends directly on the processing speed of this application, we had rather strict performance requirements (< 50 ms for processing a single authorization). That is why we had to fine-tune our processing system by optimizing the SQL queries and adding caching to speed up client integrations.

  • Integration with third party Risk Management Systems

    As customers use different Risk Management Systems and API security mechanisms, we had to implement a variety of integration options (e.g. mTLS, OAuth2, Basic Auth) so that our clients could integrate seamlessly.

Overall Result

The project was launched in production, and the high-end system built by Touchlane developers has met all security standards and processed a large number of requests.

As the Client sells this technology, more and more new users take advantage of the developed product.
