“With AWS, there is no initial outlay and just the monthly cost to consider. It would be two or three times more expensive to deliver our services from our own data center.”
Frederico Araujo, Chief Information Security Officer, Omise

Founded in 2014 in Thailand, Omise provides payment gateway services such as application programming interfaces (APIs) and developer resources to merchants. The business supports about 500 merchants, including corporations, startups, and small to medium-sized enterprises, and it promises to enable new merchants to accept payments within 24 hours of signing up. Omise employs 40 people in Thailand and plans to expand into Japan in late 2015 and Indonesia in early 2016.

Strict regulatory controls that protect the integrity of Thailand’s payment system can make delivering e-commerce services in the country a long process. Many merchants are forced to offer traditional offline payment methods to enable consumers to purchase from their online stores.

To navigate this environment, Omise decided to develop an e-commerce application that would move card data from customers’ browsers to its infrastructure without passing through the merchants’ own systems. This application had to be delivered from an infrastructure that was secure for storing credit card data, to reassure merchants and consumers that personal information would be protected throughout the transaction process. The infrastructure had to be reliable enough to support operations across multiple zones, it had to be scalable, and it needed elasticity to support demand peaks of more than 1,000 transactions per minute.

Omise technical team members had experience using Amazon Web Services (AWS) from their previous organizations, and the business ruled out alternatives such as a physical infrastructure in an on-premises or colocated data center because of their additional cost and complexity. In addition, AWS complies with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard required for merchants and service providers that process credit card payments. This compliance helps service providers such as Omise achieve their own compliance and certification.

“To offer a payment gateway, we had to be PCI DSS compliant and AWS helped us to do this,” says Robin Clart, chief technology officer at Omise. Omise and the Bank of Thailand—the country’s central bank—worked with AWS to help obtain a license to operate as a financial organization in the country.

With the license granted, Omise started its operations. The business established two technology stacks within AWS to deliver its service. The first stack, known as “the vault,” stores the credit card data; the second runs the APIs and associated functions that enable merchants to charge cards and banks to complete transactions. The foundation of Omise’s AWS architecture is Amazon Elastic Compute Cloud (Amazon EC2), with additional AWS services supporting security monitoring and controls. Services such as AWS Identity and Access Management (IAM) enable Omise to restrict the people and roles with access to AWS resources.

“AWS IAM has been crucial in providing the access controls and the fine-grained security that we need,” says Frederico Araujo, chief information security officer at Omise. The business also uses AWS Key Management Service (AWS KMS) to create the keys that encrypt sensitive card and cardholder data, and to employ hardware security modules to protect those keys. AWS KMS is integrated with AWS CloudTrail, which captures and delivers a history of AWS API calls for the Omise AWS account. “It is a PCI DSS requirement to have log files of all activity in AWS, and we have over 100 alert and monitoring settings,” explains Araujo.
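As an added illustration (not Omise’s or AWS’s code) of the kind of CloudTrail alert the two-stack design calls for: a check that flags any KMS Decrypt of the card-data key by a principal other than the vault stack’s role. The role and key ARNs, the field subset and the trail records are all constructed.

```python
# Constructed stand-ins for the vault role and the card-data key (not real ARNs).
VAULT_ROLE_ARN = "arn:aws:iam::111122223333:role/vault-app"
CARD_KEY_ARN = "arn:aws:kms:ap-southeast-1:111122223333:key/EXAMPLE-CARD-KEY"


def role_arn_of(event):
    """Resolve the IAM role behind an assumed-role session, else the raw ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def check_kms_events(events):
    """Return one alert line per Decrypt of the card key by a non-vault principal."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") != "Decrypt":
            continue
        # KMS records list the key used under "resources"; other keys are out of scope.
        if CARD_KEY_ARN not in {r.get("ARN") for r in ev.get("resources", [])}:
            continue
        actor = role_arn_of(ev)
        if actor != VAULT_ROLE_ARN:
            alerts.append(f"{ev.get('eventTime')} card-key Decrypt by {actor} "
                          f"from {ev.get('sourceIPAddress')}")
    return alerts


def _event(role, key, when, ip):
    """Build a constructed, abridged CloudTrail record for a KMS Decrypt call."""
    return {"eventTime": when, "eventSource": "kms.amazonaws.com",
            "eventName": "Decrypt", "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role}}},
            "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}


# Constructed sample trail: vault use is expected, the API stack touching the
# card key is not, and the API stack using its own key is fine.
SAMPLE_EVENTS = [
    _event(VAULT_ROLE_ARN, CARD_KEY_ARN, "2015-06-01T10:00:00Z", "10.0.1.5"),
    _event("arn:aws:iam::111122223333:role/api-app", CARD_KEY_ARN,
           "2015-06-01T10:02:00Z", "10.0.2.7"),
    _event("arn:aws:iam::111122223333:role/api-app",
           "arn:aws:kms:ap-southeast-1:111122223333:key/EXAMPLE-API-KEY",
           "2015-06-01T10:03:00Z", "10.0.2.7"),
]

if __name__ == "__main__":
    for line in check_kms_events(SAMPLE_EVENTS):
        print("ALERT", line)
```

In practice the same rule would be applied to every record CloudTrail delivers to the log bucket, with the vault role and key ARNs taken from the deployed stacks rather than hard-coded.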

Omise also takes advantage of Elastic Load Balancing to distribute incoming traffic across Amazon EC2 instances, and it uses AWS OpsWorks to organize and separate the two technology stacks. Amazon Relational Database Service (Amazon RDS) runs a managed relational database to store data related to merchants, users, and transactions, as well as full credit card information with the exception of the CVV. The company uses Amazon ElastiCache for fast, managed in-memory caches to enable rapid retrieval of information. Omise sends outbound emails relating to security matters, transactions, and general notifications to merchants and their customers via Amazon Simple Email Service (Amazon SES). It relies on Amazon Simple Queue Service (Amazon SQS) for queueing and sending messages. In addition, the company hosts the JavaScript files served to end users on Amazon Simple Storage Service (Amazon S3), and it delivers content to users with Amazon CloudFront.

The figure below illustrates Omise’s environment in AWS.

[Figure: Omise architecture diagram on AWS]

Omise has achieved a wide range of benefits from using AWS beyond being able to operate a payment service in the tightly regulated Thailand market. The company can now support sudden spikes in merchants’ transaction volumes with the help of AWS. “When online ticketing merchants release tickets to an event, thousands of users will try to place an order at the same time. With AWS, we can support at least 1,000 transactions a minute, an increase from the average of 500 to 1,000 transactions per day,” says Araujo.

This elasticity is also delivered from an infrastructure that is considerably cheaper than an equivalent physical data center once the costs of PCI DSS compliance, physical security, and control measures such as CCTV are factored in. Araujo says the initial investment in an on-premises data center would have been up to US$40,000, excluding the monthly costs of leased lines and associated services. “With AWS, there is no initial outlay and just the monthly cost to consider,” he says. “It would be two or three times more expensive to deliver our services from our own data center.”

Establishing its own data center would also require Omise to invest in backups, clusters, and disaster recovery infrastructure to minimize the risk of data loss or service disruption, rather than simply switching to another AWS instance if an issue occurs. To date, the AWS infrastructure has delivered 99.99 percent availability, well within the payment provider’s business requirements.

Omise has also slashed its time-to-market for new products and services, deploying new instances in minutes rather than waiting weeks to procure new physical servers. This agility has helped the business to accelerate its growth into new markets such as Japan and Indonesia.
