Rescuing failed subscription payments using contextual multi-armed bandits
On November 12, I was excited to sit down with Etsy’s Imran Hoosain, Staff Software Engineer, and Aman Pratap Singh, Senior Software Engineer, for a discussion on how the global marketplace recently migrated their PCI environment to a serverless, databaseless one.
Imran and Aman shared how the move allowed Etsy to offset the risk of holding onto credit card numbers in favor of vendor tokens, all without losing the flexibility and redundancy of a credit card vault. We also had a great Q&A session at the end, thanks to our audience’s participation.
PCI is made up of many standards that a company must meet to establish compliance, and companies must be audited annually by the PCI Standards Council to ensure they're compliant. For Etsy, this process used to be far more complicated, and audits used to span multiple days when its PCI environment was housed in a physical data center. With the new serverless environment, both managing the environment and passing the audit are a lot less painful. That doesn't mean either is easy, or that having a PCI environment is for everyone.
“Pandemic not included, we only spent a day talking to the assessor [with the new environment] and explaining the architecture overall and talking through various parts of the PCI spec that we’d have to prove out,” says Imran. “Having gone through the giant change once, next year we said we’d do it on a Zoom call. Sad part is we have to do it every year. Don’t do PCI if you don’t have to [although having one does allow benefits]!”
Since the PCI Security Standards are still primarily centered around physical databases (although the council is working on updating its requirements), proving the division of responsibility in a serverless environment (Etsy's runs on Google Cloud Build) takes a fair bit of work. The biggest hurdle Etsy faced was proving what it wasn't responsible for.
“Right now, PCI is on version like 3.1.2, at least it was when we went through our last assessment in February,” says Imran. “Four is supposed to be more cloud supported and remove a lot of the data center terminology. We found the hardest part of convincing our assessor was that you can’t bring the same data server terminology to the cloud. Proving you can’t do something is actually quite hard. We relied on the fact that no human can access the environment or IAM permissioning. Google is compliant, they’re responsible for that level of architecture. We’re responsible for what we can control through the UI they provide us.”
Part of Etsy's approach to shrinking its PCI environment was to adopt tokens. Tokenization replaces sensitive data, such as a credit card number, with a token that maps back to the sensitive data but has no intrinsic value of its own. Tokens let Etsy rely on its payment providers, such as Adyen, to handle credit card encryption on their side and return something Etsy can keep and pass back to them whenever it wants to charge the card.
“Using tokens has other benefits, though, like account updater flows from our vendors,” says Aman. “For instance, Adyen will automatically update tokens when expiration dates change or if an account number changes without us having to change our tokens, which is super handy.”
Adds Imran: “One of the benefits of embracing tokens is we no longer use the PCI environment to perform authorizations on transactions. Now, we can bring all that code that does authorizations and passes a token to our main application, so it makes it a lot easier to use our testing frameworks to ensure our payment methods are correct.”
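The three properties the last three paragraphs describe (a token carries no information about the card, the vendor's account updater can change the card details underneath a token without the merchant's stored token changing, and the main application can authorize a charge while holding nothing but tokens) can be shown with a small in-memory vault. This is an added example written for this post; it is not Etsy's or Adyen's code, and the class and function names (`TokenVault`, `Processor`, `Card`) and the card numbers are constructed for illustration.

```python
"""Minimal tokenization vault (constructed example, not Etsy's or Adyen's code).

The vault is the only component that ever holds a PAN. The merchant side
(`merchant_flow`) stores and transmits tokens only, which is what lets the
authorization code move out of the PCI environment.
"""
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Card:
    pan: str        # primary account number; sample values below are constructed test numbers
    exp_month: int
    exp_year: int


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the format check a vault applies before it will store a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vendor-side vault: maps random tokens to card data."""

    def __init__(self) -> None:
        self._store: dict[str, Card] = {}

    def tokenize(self, card: Card) -> str:
        if not (card.pan.isdigit() and 13 <= len(card.pan) <= 19 and luhn_ok(card.pan)):
            raise ValueError("invalid PAN")
        # The token is random, not derived from the PAN, so knowing one reveals nothing about the other.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = card
        return token

    def detokenize(self, token: str) -> Card:
        return self._store[token]

    def account_update(self, token: str, **changes) -> None:
        """Account updater: the card details change, the merchant's token does not."""
        self._store[token] = replace(self._store[token], **changes)

    def masked(self, token: str) -> str:
        """What the merchant may display: last four digits only."""
        pan = self._store[token].pan
        return "*" * (len(pan) - 4) + pan[-4:]


class Processor:
    """Vendor-side authorization: accepts a token, never returns card data to the merchant."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault

    def authorize(self, token: str, amount_cents: int) -> dict:
        card = self._vault.detokenize(token)      # PAN is used here, inside the vendor boundary
        expired = (card.exp_year, card.exp_month) < (2025, 1)   # constructed "today" of Jan 2025
        return {"approved": amount_cents > 0 and not expired, "last4": card.pan[-4:]}


def merchant_flow() -> dict:
    """Merchant side of the flow: holds only the token and the masked display string."""
    vault = TokenVault()
    processor = Processor(vault)
    token = vault.tokenize(Card(pan="4111111111111111", exp_month=1, exp_year=2024))
    first = processor.authorize(token, 1999)      # declined: card expired in Jan 2024
    vault.account_update(token, exp_month=12, exp_year=2027)   # updater refreshes expiry
    second = processor.authorize(token, 1999)     # same token, now approved
    return {
        "token_is_not_pan": "4111" not in token and len(token) == 36,
        "first_approved": first["approved"],
        "second_approved": second["approved"],
        "masked": vault.masked(token),
    }
```

The point to notice is where the PAN appears: only inside `TokenVault` and `Processor`, which stand in for the vendor. The merchant code in `merchant_flow` can be tested with ordinary application test frameworks because it never handles a card number, which is the advantage Imran describes.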
Want more detail on why and how Etsy migrated its PCI environment from a physical data center to a serverless one? Go behind the scenes with Imran and Aman in their full presentation below. And thanks to our speakers from Etsy, it was a pleasure diving into this topic with you!