Australian neobank Xinja stood up an Apple Pay capability in six weeks underpinned by a serverless environment that it was almost forced to abandon during testing.
Chief information officer and co-founder Greg Steel told the recent virtual AWS Summit that Xinja had accomplished with Apple Pay what it would take a larger bank about a year to achieve.
“We built this Apple Pay capability in about six weeks from start to finish, from when we first had a conversation with Apple to when we delivered this into production,” Steel said.
At present, Xinja allows customers to link a debit Mastercard to Apple Pay.
Steel used his presentation in part to describe how Xinja achieved PCI DSS compliance in order to allow customers to enrol with Apple Pay.
“When you want to enrol your debit card with Apple Pay from your mobile application, you need to deal with the PAN [primary account number], the card number,” Steel said.
“When you’re dealing with that card number it imposes a lot of requirements on you for extra levels of security, which is what the PCI DSS standards are all about.
“For Xinja [or any] new organization to achieve this, is very difficult and very complex.”
Steel said it would have been “prohibitively expensive” for Xinja to establish PCI compliance across its whole technical landscape.
Instead, he said, the team “looked at the parts of our architecture that needed to deal with the PAN, and split them off to a separate set of components, [which] we call that our card data environment.”
“The next thing we did is work with our AWS partner, Itoc, who are far more experienced and mature than Xinja when it comes to higher levels of compliance.
“We also engaged AWS architects and worked through an architecture that would deliver us a new modern PCI environment, quite different from what we’ve seen done in the past.”
The environment, which is managed by Itoc, uses a serverless architecture built on AWS services.
“At the end of the day, we’ve got a fully serverless environment that’s doing all of our card tokenisation and all of the complex integration with Apple Pay and Mastercard MDES [Mastercard digital enablement service],” Steel said.
“It’s very low cost, and it’s able to be run and managed entirely by Itoc and integrate with our system.”
Steel said the AWS services came with PCI compliance delivered via AWS’ assurance programs.
“All of the artifacts that demonstrate that compliance are available through AWS Artifact,” Steel said.
“We’re able to use that compliance information and provide it to auditors.
“We’re able to then understand our responsibilities as a consumer of those services to deliver the services in such a way that an auditor can fully understand and review that solution and provide that certificate of compliance.”
Though Xinja was ultimately able to launch Apple Pay capabilities, Steel said the team came close to having to re-architect the card data environment entirely due to problems that surfaced in testing.
“We found right at the worst possible time – a couple of weeks into our testing – that the time it takes for a NIC [network interface] to connect to the [AWS] Lambda [serverless compute platform] is too slow,” Steel said.
“It was taking about 15 seconds, and we had about a 30 second window in total.
“Some of the handshakes with Apple and MDES took us longer than that, and so we were blowing our timeframe.
“Our beautiful serverless architecture almost had to be abandoned. We were going to go back to build a container-based solution with hosts involved, which would have then meant all of the host protection and data protection that would have been involved.”
Xinja was ultimately able to avail itself of an improvement rolled out by AWS, which reduced the connection time to “about two seconds”.
While Steel said that “getting derailed right at the last minute like that was difficult”, he acknowledged it was also “the type of risk we take by diving boots-and-all into the cloud the way we have.”
He also saw the emergence of a fix during the crisis as emblematic of AWS’ response to evolving needs and requirements of customers.
“We can see that AWS is dealing with these same problems for other customers and other organisations around the world trying to do things better,” he said.
“So many times we’ve seen the solutions to our problem just bring the next cab off the rank that AWS has delivered for us.”
Steel believed Xinja also had a role to play in pushing AWS – and other partners – to evolve their offerings.
“Xinja sees itself as part of a richer ecosystem, working together to disrupt financial services,” Steel said.
“That creates a bit of a network effect with AWS, where we see that AWS is learning from the needs of these providers and delivering more capabilities to market all of the time that enable us to continue to disrupt and continue to push boundaries.”
Xinja provided an update on the large amount of cloud-based systems that now underpin its operations.
The neobank is already known to be the first worldwide to run on an SAP core called C4B (or Cloud4Banking). It uses Iress Xplan as its customer master.
Outside of that, the bank uses a large number of cloud services, with microservices used to stitch all the components together.
“Xinja forms the glue in the middle. We do all of the integration. We do all of the composition of more sophisticated services and products that we can deliver to customers through our mobile apps and through our APIs,” Steel said.
“Most of our partners are cloud-based, modern and easy to integrate with.”
Steel maintained it would have been too expensive to stand up Xinja without going all-in on cloud.
“When we started three years ago we weren’t sure that we could build a whole bank on the cloud. Plenty of people told us that we couldn’t, but we learned a few things,” he said.
“Firstly, there was no other way we practically could have done it. Building in a data centre is expensive, it requires a lot of people and a lot of brute force towards security controls.
“Building in the cloud can be far more efficient and elegant, particularly if you’re building modern systems.
“Lastly, the regulator doesn’t inhibit or impede using the cloud. The regulator sets standards for what an organisation needs to achieve, and the cloud provides a basis for being able to do this.”