Payments@Groupon - Part 1

Find out how multi-billion dollar payments are processed & managed by an e-commerce company like Groupon. This three-part article series will take you through the complexities involved in managing a robust payments platform.

Anchal Jijhotiya
Sep 2 · 8 min read

Written by Anchal Jijhotiya and Prashant Ranade

Groupon (NASDAQ: GRPN) is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events, and travel destinations, Groupon helps people find and discover experiences — big and small, new and familiar — that make for a full, fun, and rewarding life. Groupon helps local businesses grow and strengthen customer relationships, resulting in strong and vibrant communities.

Fig-1 Groupon App.

Global Payments Platform Overview

The Global Payments Platform provides an end-to-end payments solution as a payment aggregator. The solution includes payment method selection, card tokenization, secure storage, billing record management, payment processing, and payment analytics.

Fig-2 shows a checkout page as seen by customers on Groupon’s website. The customer selects a suitable payment method, enters the card details (if the card payment method is selected), and buys the deal by clicking the ‘Place Order’ CTA button. This simple-looking ‘Place Order’ click triggers a complex set of actions on the backend.

Fig-2 Groupon Web Checkout Page (With dummy details).

The ‘Place Order’ action translates into an order#create call. The call passes through multiple services like API Gateway, Orders, Inventory Services, and Payment Platform Services before an order is created and the payment is captured.

The focus of this article series is going to be the Global Payments Platform. Let us now get into the details.

Global Payments Platform is logically divided into three parts:

  1. Cardholder Data Environment & Tokenization Services
  2. Payment Services
  3. Payment Analytics

The architecture of the Global Payments Platform is shown in Fig-3.

Fig-3 Global Payments Platform Architecture.

Cardholder Data Environment & Tokenization Services

In this article, we will provide details on how Groupon manages the complex PCI DSS requirements. We will also see how our architects have kept to a minimum the number of components and services that fall under the PCI DSS scope, and how we manage card tokenization and detokenization.

Payment Services

Payment Analytics

Cardholder Data Environment (CDE)

A customer’s card information needs to be handled with extreme care and with the highest level of security controls. The Payment Card Industry Data Security Standards Council has set some guidelines for all the companies which accept customer card information for online payment processing. These guidelines are called Payment Card Industry Data Security Standards (PCI DSS).

Groupon is a PCI Level 1 compliant company and goes through a rigorous audit every year. PCI DSS Level 1 is a set of requirements to ensure that companies that store, transmit, or process card data do so to the highest standards. PCI DSS Level 1 is the highest level of compliance.

As a PCI DSS compliant company, we had two options for applying the PCI DSS controls:

  1. Bring all the applications, services, and infrastructure under the PCI scope. This is very difficult to achieve when you have hundreds of services and multiple regions under audit scope.
  2. Build the minimum set of applications, services, and infrastructure which can handle the card data securely according to PCI DSS standards and decouple it from the rest of the platform.

Our architects opted for the second approach and built a Cardholder Data Environment as an isolated segment from the rest of the Groupon network.

Tenets

  • Cardholder Data Environment must be 100% PCI DSS compliant.
  • A minimum set of services should be part of CDE.
  • Zero to minimum friction for other teams to add the regular features allowing them to maintain a high development velocity.
  • Services under CDE should be performant, scalable, resilient, and monitored as per Groupon Engineering standards.

Architecture

  1. CDE DMZ: It is a demilitarized zone that caters to the communication between the CDE and the outside world (Groupon non-CDE and internet). It isolates the private CDE network from the external network. In the cloud world, we can map DMZ to a public-facing subnet within a VPC. We have deployed bastions, firewalls, and utility boxes in DMZ to control ingress and egress traffic in our Cardholder Data Environment.
  2. Secure CDE: It is a secure environment that does not have direct access to the external network. Core services required for card tokenization and detokenization are deployed here.
  3. CDE Vault: It is a highly secure data vault that contains cardholder card data and audit logs. This is strictly access controlled within the private network of CDE. Only PCI DSS compliant apps and servers have access to the CDE vault.
Fig-4 Cardholder Data Environment Architecture.

Tokenization Services

Fig-5 and Fig-6 show the sequence diagrams for card data tokenization and detokenization.

Fig-5 Card Details Tokenization Sequence Flow.
Fig-6 Card Details Detokenization Sequence Flow.

We have looked at architecture details for the Card Data Environment. Now let us look into how we enforce the PCI DSS controls and processes.

How do we apply PCI DSS controls?

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Build and Maintain a Secure Network and Systems

  • Segment network within the CDE to restrict access to services, databases, audit logs, etc.
  • Install firewalls at each level to control ingress and egress traffic.
  • Require multi-factor authentication to log in to the servers.
  • All the libraries, packages, and software running in the CDE are tested extensively and continuously for vulnerabilities before and during use.
  • Never use the default configuration, passwords, and settings in the CDE.
  • Rotate SSL certificates and encryption keys regularly.
  • Update the libraries, packages, and software regularly to the most stable and latest versions.

Protect Cardholder Data

  • Expired data is regularly purged.
  • Cardholder data is never exposed directly to Groupon non-CDE services. Tokenization services in the CDE replace the cardholder data with a token, which is what non-CDE services use.
  • Communication between the CDE and public networks always goes over an encrypted channel with trusted certificates and keys.

Maintain a Vulnerability Management Program

  • Network and host intrusion detectors monitor for malicious activity or policy violations in the CDE networks.
  • Take actions based on detected vulnerabilities.

Implement Strong Access Control Measures

  • User roles are defined based on the level of access a particular user needs within the CDE to perform their defined jobs.
  • We have implemented access controls for programmatic users used by the applications and databases as well.
  • Roles for programmatic users are defined for jobs such as tokenization, detokenization, and card BIN reads.

Regularly Monitor and Test Networks

  • Access and audit trails cannot be modified or altered to create false data.
  • Periodically analyze the access and audit trails of the users and applications to detect any policy violations.
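
The controls listed under "Protect Cardholder Data", "Implement Strong Access Control Measures" and "Regularly Monitor and Test Networks" can be seen working together in the following added sketch, which is not Groupon's code: a random token stands in for the card number, each programmatic role is limited to one job, and every access attempt is written to an HMAC-chained audit trail so that later edits are detectable. The class, role names, audit key and six-digit BIN length are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

# Hypothetical role names modelled on the jobs the article lists.
ROLE_PERMS = {"tokenizer": {"tokenize"},
              "detokenizer": {"detokenize"},
              "bin_reader": {"read_bin"}}

class Vault:
    def __init__(self, audit_key: bytes):
        self._cards = {}        # token -> PAN; stand-in for the encrypted CDE vault
        self._audit_key = audit_key
        self.audit = []         # each entry is chained to the previous entry's MAC

    def _mac(self, entry):
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self._audit_key, body.encode(), hashlib.sha256).hexdigest()

    def _authorize(self, role, action, token=None):
        allowed = action in ROLE_PERMS.get(role, set())
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64
        entry = {"role": role, "action": action, "token": token,
                 "allowed": allowed, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.audit.append(entry)            # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action}")

    def tokenize(self, role, pan):
        self._authorize(role, "tokenize")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._cards[token] = pan
        return token

    def detokenize(self, role, token):
        self._authorize(role, "detokenize", token)
        return self._cards[token]

    def read_bin(self, role, token):
        self._authorize(role, "read_bin", token)
        return self._cards[token][:6]       # assumed six-digit BIN

    def audit_intact(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False
            prev = e["mac"]
        return True
```

The audit key would have to live outside the reach of anyone who can write to the log; otherwise the chain can simply be recomputed after an edit.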

Maintain an Information Security Policy

  • The Infosec team is the gatekeeper for CDE.
  • One rule the policy enforces for all developers is that they must complete secure coding practices and PCI DSS training before working on the Cardholder Data Environment.

Summary

Stay tuned !!


We are expanding our family. You can reach out to us at Groupon Careers.
