Mastercard: Tarantool-based PCI DSS compliant payment service

Mastercard (NYSE: MA) is a global technology company in the payment industry. The company’s mission is to develop and strengthen the digital economy that benefits everyone everywhere by providing safe, simple, smart, and affordable transactions. By using secure data and networks, forging partnerships, and exploring sources of inspiration, Mastercard delivers innovations and solutions that help people, financial institutions, governments, and businesses realize their greatest potential. Decency quotient (DQ) is a fundamental part of Mastercard’s culture. Mastercard conducts business in more than 210 countries and territories and creates a sustainable world that offers invaluable opportunities for everyone.

Nowadays, interbank money transfer by phone number has become a common operation. Mastercard entrusted Tarantool with the implementation of the concept. The cardholder must be able to transfer money by phone number, social network ID, or other details without knowing the recipient’s card number. The companies jointly drafted the terms of reference and ubased the implementation on Tarantool.
The decision took into account international and Russian legislation norms—the Payment Card Industry Data Security Standard, the Bank of Russia Information Security Standard, and the General Data Protection Regulation of the European Union.

The system consists of three components: a hub, a card storage, and a user registration portal. The hub and the storage are based on Tarantool, while the portal is implemented with Vue.js. Thus, Tarantool works as the backend for the registration portal.

When a user initiates a transfer using the recipient’s banking details, the banking system requests the recipient’s card from the hub. The hub searches the storage for a data pair: the banking details and the recipient’s card. If the recipient’s banking details are in the storage, the transaction goes through at once. The bank receives the card number, transfers the money, and notifies the hub about it. The hub notifies the storage. The transaction is closed.

If the recipient’s banking details are not found in the storage, the hub communicates with the recipient via SMS, e-mail, or social network profile. The recipient enters the portal or social network and submits a bank card. Then the hub transmits the new card data to the sending bank and, with the user’s consent, places the data in the storage.

During transfers, the hub performs bank verification. For example, it checks encryption keys, card limits, and whether the card belongs to the issuer in the country of the transfer. For verification, Tarantool imports card data from MySQL. The hub determines the bank, the country, and the payment system, and makes the corresponding decision. Thus, the Tarantool-based hub protects, controls, sends notifications, and stores the transfer history.

SMS
verification

Two-step SMS verification login to the administrative control panel
HSM
encryption

Data encryption transferred from OpenSSL software to HSM hardware
AES
encryption

Inside the database, everything is encrypted synchronously using the AES algorithm