Payments@Groupon - Part 1
Find out how multi-billion dollar payments are processed & managed by an e-commerce company like Groupon. This three-part article series will take you through the complexities involved in managing a robust payments platform.
Groupon (NASDAQ: GRPN) is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events, and travel destinations, Groupon helps people find and discover experiences — big and small, new and familiar — that makes for a full, fun, and rewarding life. Groupon helps local businesses grow and strengthen customer relationships — resulting in strong and vibrant communities.
Global Payments Platform Overview
Payments at Groupon are powered by Groupon’s Global Payment Platform (GPP). GPP supports more than 15 different payment methods and all popular card variants globally. The payments platform complies with all the regulations mandated by governments and regulatory bodies in countries where we operate. We were at the forefront of being 3D Secure 2.0 compliant as mandated by the PSD2 (Payment Services Directive 2) in September 2019.
Global Payments Platform provides an end to end payments solution as a payment aggregator. The solution includes payment method selection, card tokenization, secure storage, billing record management, payment processing, and payment analytics.
Fig-2 shows a checkout page as seen by customers on Groupon’s website. The customer selects a suitable payment method, enters the card details (if the card payment method is selected), and buys the deal by clicking on the ‘Place Order’ CTA button. A simple looking ‘Place Order’ button click triggers a complex set of actions on the backend.
The ‘Place Order’ action translates into an order#create call. The call passes through multiple services like API Gateway, Orders, Inventory Services, and Payment Platform Services before an order is created and the payment is captured.
The focus of this article series is going to be the Global Payments Platform. Let us now get into the details.
Global Payments Platform is logically divided into three parts:
- Cardholder Data Environment & Tokenization Services
- Payment Services
- Payment Analytics
Architecture for Global Payments Platform is as given in Fig-3
Cardholder Data Environment & Tokenization Services
Tokenization services, Cardholder Data Environment, and PCI DSS compliance requirements fall under this logical bucket.
In this article, we will provide details on how Groupon manages the complex PCI DSS requirements. We will also see how our architects have been able to keep to a minimum the numbers of components and services that fall under the PCI DSS scope and how we manage the card tokenization and detokenization.
Payment method selection service, billing record management, integrations with various payment processors, payment routing mechanisms, and payment service admin tools are part of the payment services umbrella.
This includes the tools and dashboards managed by payment analysts. Analysts do the number crunching to keep track of payment authorization, decline rates, and decide on the payment routing strategies for different payment processor integrations. They also keep a track of popular and upcoming payment methods for Groupon to integrate with providing customers with options to use their favorite payment methods while purchasing deals on Groupon.
Cardholder Data Environment (CDE)
Groupon customers purchase deals from a wide available selection using online payment methods like Credit/Debit cards, NetBanking, PayPal, and Klarna to name a few. Global Payments Platform supports customers entering card information on the Groupon website, touch or mobile apps, and also via Hosted Payment Pages (HPP) provided by payment processors.
A customer’s card information needs to be handled with extreme care and with the highest level of security controls. The Payment Card Industry Data Security Standards Council has set some guidelines for all the companies which accept customer card information for online payment processing. These guidelines are called Payment Card Industry Data Security Standards (PCI DSS).
Groupon is a PCI Level 1 compliant company and goes through a rigorous audit every year. PCI DSS Level 1 is a set of requirements to ensure that companies that store, transmit, or process card data to the highest standards. PCI DSS Level 1 is the highest level of compliance.
Being a PCI DSS compliant company we had two options to apply the PCI DSS controls:
- Bring all the applications, services, and infrastructure under the PCI scope. This is very difficult to achieve when you have hundreds of services and multiple regions under audit scope.
- Build the minimum set of applications, services, and infrastructure which can handle the card data securely according to PCI DSS standards and decouple it from the rest of the platform.
Our architects opted for the second approach and built a Cardholder Data Environment as an isolated segment from the rest of the Groupon network.
The following tenets were used while designing the Cardholder Data Environment architecture:
- Cardholder Data Environment must be 100% PCI DSS compliant.
- A minimum set of services should be part of CDE.
- Zero to minimum friction for other teams to add the regular features allowing them to maintain a high development velocity.
- Services under CDE should be performant, scalable, resilient, and monitored as per Groupon Engineering standards.
Cardholder Data Environment is highly access controlled and secure at each level. CDE architecture mentioned below in Fig-4 is majorly divided into three segments:
- CDE DMZ: It is a demilitarized zone that caters to the communication between the CDE and the outside world (Groupon non-CDE and internet). It isolates the private CDE network from the external network. In the cloud world, we can map DMZ to a public-facing subnet within a VPC. We have deployed bastions, firewalls, and utility boxes in DMZ to control ingress and egress traffic in our Cardholder Data Environment.
- Secure CDE: It is a secure environment that does not have direct access to the external network. Core services required for card tokenization and detokenization are deployed here.
- CDE Vault: It is a highly secure data vault that contains cardholder card data and audit logs. This is strictly access controlled within the private network of CDE. Only PCI DSS compliant apps and servers have access to the CDE vault.
Tokenization services are the heart and brain of the CDE. These services are designed as proxy services with one very specific requirement of replacing the sensitive card details with a card token and vice versa. More implementation details of the tokenization process can be found in the PCI at Groupon — The Tokenizer engineering blog.
Fig-5 and Fig-6 show the sequence diagrams for card data tokenization and detokenization.
We have looked at architecture details for the Card Data Environment. Now let us look into how we enforce the PCI DSS controls and processes.
How do we apply PCI DSS controls?
There are 12 control sections in the PCI DSS. We will cover 6 of the more technical controls here.:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Build and Maintain a Secure Network and Systems
- Create a separate segmented network for the Cardholder Data Environment within the Groupon datacenter.
- Segment network within the CDE to restrict access to services, databases, audit logs, etc.
- Install firewalls at each level to control ingress and egress traffic.
- Multi-factor authentication to login to the servers.
- All the libraries, packages, and software running in the CDE are tested extensively and continuously for vulnerabilities before and during use.
- Never use the default configuration, passwords, and settings in the CDE.
- Rotate SSL certificates and encryption keys regularly.
- Update the libraries, packages, and software regularly to the most stable and latest versions.
Protect Cardholder Data
- Cardholder data is stored in the secure encrypted vault within the CDE.
- Expired data is regularly purged.
- Cardholder data is never exposed directly to Groupon non CDE services. Tokenization services in the CDE replace the cardholder data by a token which is used by non-CDE services.
- Communication between the CDE and public networks is always done using the encrypted channel with trusted certificates and keys.
Maintain a Vulnerability Management Program
- Deployed antivirus runs on each host within CDE to detect malicious software and packages.
- Network and host intrusion detectors monitor for malicious activity or policy violations in the CDE networks.
- Take actions based on detected vulnerabilities.
Implement Strong Access Control Measures
- We have implemented role-based access controls for users like administrators, database administrators, and developers.
- User roles are defined based on the level of access a particular user needs within the CDE to perform their defined jobs.
- We have implemented access controls for programmatic users used by the applications and databases as well.
- Roles for programmatic users are defined for the jobs like tokenization, detokenization and card BIN reads.
Regularly Monitor and Test Networks
- All the system access and audit trails generated by applications, programmatic and non-programmatic users are stored securely in the CDE vault for analysis.
- Access and audit trails can’t be modified and altered to create false data.
- Periodically analyze the access and audit trails of the users and applications to detect any policy violations.
Maintain an Information Security Policy
- We have a dedicated team to enforce and maintain the Information Security Policy for our CDE.
- The Infosec team is the gatekeeper for CDE.
- One of the rules which are enforced by the policy for all developers is the need to finish secure coding practices and PCI DSS training before working on the Cardholder Data Environment.
Hope you have enjoyed this article. In the next article of this series, we will touch base upon SOX and GDPR compliance, payment method selection, payment integrations, and billing record management.
Stay tuned !!
By enabling real-time mobile commerce across local businesses, live events, and travel destinations, Groupon helps people find and discover experiences — big and small, new and familiar — that make for a full, fun and rewarding life.
We are expanding our family. You can reach out to us at Groupon Careers.