Transform your global payments network with today's technology
This Guidance helps financial institutions implement a quick response (QR) code and payment processing on AWS for their digital customers. With the managed serverless solutions, you do not need to own, run, or manage the compute infrastructure, allowing you to focus on payment processing.
Architecture Diagram
Step 1
To start, customers scan the business QR code displayed at the checkout page on a website or at the point of sale (POS) terminal.
Step 2
Amazon Route 53 routes traffic to an Amazon API Gateway endpoint where Amazon CloudFront distributes dynamic and static content. AWS security services such as AWS WAF and AWS Shield protect the web applications from common application-layer exploits and against distributed denial-of-service (DDoS) attacks.
Step 3
CloudFront content delivery network (CDN) is used to return resources found in its cache and static resources from Amazon Simple Storage Service (Amazon S3).
Step 4
API Gateway and CloudFront can be seamlessly integrated with AWS Certificate Manager. These services manage the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your applications.
Step 5
The request is routed through a Network Load Balancer to distribute incoming traffic across its healthy registered targets.
Step 6
Payment request is processed at application layer using Amazon Elastic Container Service (Amazon ECS) that deploys tasks on AWS Fargate.
Step 7
Payment transaction information is stored in Amazon Aurora or Amazon DynamoDB. Amazon ElastiCache is used as a session store to manage session information in payment processing. AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs).
Step 8
Service logs are collected in Amazon S3 and analyzed and monitored using Amazon OpenSearch Service.
Step 9
At the security and compliance layer, AWS Config evaluates, assesses, and audits configurations of resources. Amazon GuardDuty monitors for malicious activity and unauthorized behavior, protecting AWS accounts and workloads. AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
Step 10
Payment request outbound traffic is sent to the payment processor through a NAT Gateway that is connected to card schemes for verification.
Step 1
To start, customers scan the business QR code displayed at the checkout page on a website or at the point of sale (POS) terminal.
Step 2
Amazon Route 53 routes traffic to an Amazon API Gateway endpoint where Amazon CloudFront distributes dynamic and static content. AWS security services such as AWS WAF and AWS Shield protect the web applications from common application-layer exploits and against distributed denial-of-service (DDoS) attacks.
Step 3
CloudFront content delivery network (CDN) is used to return resources found in its cache and static resources from Amazon Simple Storage Service (Amazon S3).
Step 4
API Gateway and CloudFront can be seamlessly integrated with AWS Certificate Manager. These services manage the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your applications.
Step 5
The request is routed through a Network Load Balancer to distribute incoming traffic across its healthy registered targets.
Step 6
Payment request is processed at application layer using Amazon Elastic Container Service (Amazon ECS) that deploys tasks on AWS Fargate.
Step 7
Payment transaction information is stored in Amazon Aurora or Amazon DynamoDB. Amazon ElastiCache is used as a session store to manage session information in payment processing. AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs).
Step 8
Service logs are collected in Amazon S3 and analyzed and monitored using Amazon OpenSearch Service.
Step 9
At the security and compliance layer, AWS Config evaluates, assesses, and audits configurations of resources. Amazon GuardDuty monitors for malicious activity and unauthorized behavior, protecting AWS accounts and workloads. AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
Step 10
Payment request outbound traffic is sent to the payment processor through a NAT Gateway that is connected to card schemes for verification.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
To enable fast iteration and consistent deployment, you can use AWS Cloud Development Kit (AWS CDK) version 2, AWS CloudFormation, and Terraform. The recommended services are built with observability in mind, with process level metrics, logs, and dashboards. Extend these mechanisms to meet your needs and create alarms in Amazon CloudWatch to notify your on-call team of any issues.
-
SecurityRead the Security whitepaper
The payment backend is protected with API Gateway resource policies to allow your API to be securely invoked from known resources. When you choose managed services, you can be sure that all AWS API calls are done through HTTPS endpoints using TLS communication, which will protect your data in transit.
-
ReliabilityRead the Reliability whitepaper
All components scale automatically, and the account limits should be clearly defined for the supported product range to avoid affecting reliability. To further increase reliability, consider implementing a disaster recovery plan for your solution by initiating cross-region failover using Route 53 for the whole infrastructure.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
Managed serverless solutions can help you avoid having to worry about scaling requirements. Fargate removes the need to own, run, and manage a compute infrastructure, allowing you to focus on payment processing. Network Load Balancer distributes incoming traffic across multiple targets, which can handle millions of requests per second.
-
Cost OptimizationRead the Cost Optimization whitepaper
This Guidance is designed to help you build a serverless architecture that keeps costs down. You pay only for the time and resources used to process payments. With managed and serverless services, you can set attributes that ensure sufficient capacity. You must set and monitor these attributes so that you minimize excess capacity and maximize performance.
-
SustainabilityRead the Sustainability whitepaper
To reduce the amount of hardware required for provisioning, consider using managed container services, such as Fargate, instead of implementing your own container infrastructure.
Implementation Resources
A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
How Payment Companies are Using Cloud Technology to Advance Quick Response (QR) Transactions
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.