CardFlight is a leading provider of tools and technology that allow developers to build their own mobile point of sale. The company’s offering includes a set of EMV chip-card-ready APIs for developers, as well as software and card readers that enable businesses to accept payments on mobile devices. With all US merchants now required to either accept EMV cards or cover the cost of fraudulent transactions, CardFlight is experiencing huge demand for its mobile payment solution.
Companies that operate in the payment processing space must be fully compliant with Payment Card Industry (PCI) standards for data storage and management. As well as having to ensure that all systems are physically secure, companies must ensure that personal details and credit card information collected from customers at the point of sale are fully encrypted, both in flight and at rest. Additionally, all changes made to systems and processes must be fully documented and regularly audited.
These were some of the challenges facing innovative payment startup CardFlight, which has created an end-to-end mobile payment solution for merchants. This solution can be seamlessly integrated with merchants’ existing mobile applications, allowing them to accept EMV chip card payments using an SDK card reader attached to a regular smartphone or tablet PC.
As a startup, CardFlight needed to achieve PCI compliance in the simplest, fastest, and most cost-effective way possible. Elie Toubiana, vice president of engineering at CardFlight, says, “We had several challenges that were unique to startups. We needed to build software with enterprise-grade security, meet and exceed the PCI DSS, all while moving quickly. This is a combination that traditionally would be impossible to achieve with a startup budget. Nevertheless, we were determined to find a technology partner that would enable us to meet these challenges.”
To minimize the burden of PCI compliance and bring its mobile EMV payment platform to market as quickly and cost-effectively as possible, CardFlight chose to host its supporting IT infrastructure on the Amazon Web Services (AWS) cloud. Toubiana says, “When we set up the business, AWS was the only cloud provider that was fully PCI-compliant, both in terms of physical data center security and logical system security. This made our decision to work with AWS a very easy one.”
The entire AWS cloud is engineered to support PCI compliance and to streamline the auditing process. “The configuration rules in AWS make it easy to build out infrastructure in a way that’s fully PCI-compliant,” says Toubiana. “We can track and audit every deployment—from launching new Linux instances and services in Amazon Elastic Compute Cloud (Amazon EC2), to provisioning storage in Amazon Simple Storage Service (Amazon S3) and managing our databases with the Amazon Relational Database Service (Amazon RDS).”
A number of AWS cloud technologies help CardFlight to streamline PCI compliance, including AWS Key Management Service (AWS KMS). “AWS KMS provides us with enterprise-grade encryption technology in the cloud,” says Toubiana. “As well as resetting encryption keys every so often, the tool gives us an auditable record of data that’s been encrypted and why, which simplifies PCI audits significantly.”
To protect sensitive data stored in AWS, CardFlight uses Amazon Virtual Private Cloud (Amazon VPC). “Amazon VPC allows us to create logical boundaries between systems and to create clear and defined paths in and out of our network, which is very important for PCI compliance,” says Toubiana. “We could have built a PCI-compliant environment without VPC, but it would have been a lot messier and more time-consuming.”
For additional system and data security, CardFlight uses Amazon Identity and Access Management (IAM) and AWS CloudTrail. Jesse Angell, software engineer at CardFlight, says, “We use AWS IAM to control access to all of our AWS resources at an incredibly granular level. This level of access control goes well beyond what we could implement in a physical facility. We also use AWS CloudTrail to log every change that is made to our infrastructure, which increases our overall security significantly.”
When CardFlight started out, the company had two options: host its systems on AWS, or build its own PCI-compliant infrastructure from scratch. “Designing and building a PCI-compliant data center with the high levels of physical and system security would have been cost-prohibitive,” says Toubiana. “In fact, the AWS cloud is what made our business viable: We simply couldn’t operate any other way.”
As a theoretical exercise, CardFlight has estimated the potential cost savings of hosting its systems on the AWS cloud compared to building its own data center. “Based on an informal analysis, I’d say that both our capex and opex costs are around 40 percent lower with AWS compared to building out infrastructure in traditional data centers,” says Angell. “Operating on AWS means we spend less on infrastructure. This is a great benefit as we are then able to spend more on product development, bringing more value to our customers than we could have otherwise.”
When CardFlight began operating, the company signed up to the AWS Activate program, which gives startups access to the low-cost, easy-to-use infrastructure they need to grow rapidly. “We got lots of great support from AWS through the Activate program,” says Toubiana. “As well as getting free training, which was incredibly useful, I probably spent 10 or more hours chatting with AWS engineers online, which helped me to optimize the infrastructure and resolve questions that came up.”
Building on its initial AWS architecture over time, CardFlight has been able to compete effectively with established payment companies. “With AWS, we had access to enterprise-class infrastructure as a new startup with limited resources, which was previously unheard of,” says Toubiana. “The fact that we could build a PCI-compliant infrastructure in a matter of weeks also helped us get to market faster, and that has been a critical success factor for us.”
Payment services must be constantly available to ensure that merchants never lose a sale, and CardFlight has delivered on this promise with AWS. “Our payment platform has been down for a total of one hour since we launched,” says Toubiana. “With AWS, all our systems have built-in redundancy, which means we can guarantee excellent service levels for our customers and build trust in our brand.”
With AWS, CardFlight has been able to scale its business rapidly to take advantage of new business opportunities. “We can provision new instances in services in real time, while remaining PCI-compliant, which makes us extremely agile as a business,” says Angell. “We have been able to grow our AWS environment quickly and seamlessly provide a secure, fast payment platform to thousands of merchants, with no need to replace physical hardware servers or update software. With AWS, we can keep on growing, and our infrastructure will never hold us back.”