Hosted Fields for a Payment Gateway
Implemented Hosted Fields for a Netherlands-based payment gateway to keep sensitive card data off the merchant’s perimeter. Tokenization and 3-D Secure reduced PCI scope, accelerated integrations, and improved checkout conversion.
Industry
Fintech | Payments
Service
Full Stack Development
CLIENT
A Netherlands-based payment gateway focused on financial institutions, processing tens of thousands of daily transactions across Europe, with rapid growth and multi-region coverage.
CHALLENGE
As a PCI DSS-compliant company, the client needed to give merchants an easier, more secure checkout so they could benefit from PCI protections without being certified themselves.
Delivering this required a deep understanding of card security standards, the existing platform, and the external merchant ecosystem, and it had to work flawlessly for thousands of existing customers on day one.
SOLUTION
Rolled out Hosted Fields so sensitive card data never touches merchant servers, with tokenization and 3-D Secure handled by the gateway. To ensure a clean release at scale, we started from a comprehensive Business Concept Document (BCD) and full software documentation, covering positive/negative paths and interactions with hundreds of third-party services.
1. Team.
Software Engineer, Architect
2. Infrastructure.
AWS with IaC (CloudFormation, EKS, DynamoDB); Stage/Production, VPC isolation, load balancing, auto-scaling.
3. Security. 
IAM least-privilege, AWS Secrets Manager for keys, KMS encryption, HTTPS/TLS on all endpoints, WAF on ingress, PCI DSS readiness validation for card-handling components.
4. Automation. 
CI/CD via GitHub Actions & Bitbucket Pipelines; static analysis, unit/integration tests; monitoring with CloudWatch & ELK.
5. Integrations. 
Secure comms with external merchant platforms (Shopify, WooCommerce, Magento 2, and more); Hosted Fields frontend SDK implementing card tokenization and 3-D Secure.
6. Documentation.
6.1 System Architecture Document (SAD) - AWS infrastructure, networking, integration layers.
6.2 Business Concept Document (BCD) - business context, problem definition, rationale.

TECHNICAL IMPACT
1. Enhanced Security.
Card data never touches merchant servers -> reduced PCI DSS scope.
2. Tokenization Support.
Card data automatically replaced with secure tokens.
3. Modular Integration.
Lightweight JavaScript API works with existing checkout flows.
4. Customizable UI.
Each field can be styled to fit brand guidelines.
5. Automatic Updates.
Security patches and SDK updates handled by the gateway provider.
BUSINESS OUTCOMES
1. Faster Time-to-Market.
Integration is simpler and quicker than building a custom payment form.
2. Better Conversion Rates.
Seamless checkout experience keeps users on the same page.
3. Stronger Customer Trust.
Secure and branded experience improves perceived reliability.
4. Scalable Solution.
Easily supports multiple payment methods and regions as the business grows.
5. Increased Number of Integrations.
More merchants chose this gateway over competing options.
| Aspect | Before | After | 
|---|---|---|
| Merchant PCI DSS Compliance | Full PCI scope with complex audits | Minimal PCI scope - handled by gateway | 
| Integration Effort | Manual handling of card data and validations | Simple drop-in fields with SDK | 
| Merchant Onboarding | Some declined due to compliance and dev effort | More merchants chose the gateway | 
| Checkout UX | Redirects or frames caused user drop-offs | Seamless, branded payment flow on-site | 
| Maintenance | Continuous updates required on the merchant side | Gateway auto-handles security and versioning | 