Going live | Hyperswitch

This chapter will give you an overview of everything you would need for going live with your cloud setup

Prerequisites

In order to user Hyperswitch for accepting digital payments through a consumer facing website or mobile application there are three main prerequisites

Go live checklist:

Here's a quick summary of everything you would need for going live with Hyperswitch:

Monitoring

Make sure logs are being printed for all components in your setup
Aggregate your logs across instances and setup a logging system (e.g. Grafana Loki) for storing and viewing your logs
Make sure your metrics pipeline is setup and provides visibility into both application and system performance

PCI Compliance

Make sure your system is meeting the PCI compliance requirements for your business
If you are storing card data make sure your card vault is set up as per our instructions

Security

Keep the system hidden from external access; instead, use a front-end system or a reverse proxy as a protective layer in front of it
Make sure to follow our security guidelines for various components in your set up

Integrate with your app

Make sure your API keys are not exposed on the front-end (website/mobile app)
Avoid duplication or storage of your API keys in multiple locations
Test your integration and make sure all scenarios in the payments lifecycle is handled
Make sure your application (Frontend/Backend) is set up to handle all the possible error scenarios
Keep track of new releases/bug fixes and make sure to keep your system updated

Infra

Make sure DB and Redis connections are properly configured
Load test your setup and provision resources according to the expected traffic
In case you have whitelisting for outgoing request endpoints, make sure to whitelist the required processor endpoints

Account with cloud service provider (AWS/ GCP) to host Hyperswitch application
Contractual relationship and active processing account with payment processor or acquirer (this will be in the form of API keys or merchant identifier)

For deploying and managing application using Kubernetes
Handling a Web application written in Rust using Postgres (primary datastore), Redis (distributed key-value store for cached lookups), Prometheus/Grafana (monitoring), S3/CDN (serving static files)

Refer here to find out which level of PCI compliance applies to your business.

Report on Compliance (ROC): Engage an independent third-party Qualified Security Assessor (QSA) certified by the PCI-SSC to perform the PCI audit and share the findings. The ROC will be prepared by the QSA at the end of the PCI compliance activity. This is required only if your online business processes greater than 1 million card transactions per annum.

Quarterly Network scans: Engage an Approved Scanning Vendor for conducting quarterly network scans and submitting the scan reports to the payment processor/ acquirer

Self Assessment Questionnaire (SAQ): This is an assessment which can be self-completed by a business without engaging an Independent PCI Auditor, if your business processes less than 1 million card transactions per annum. A person responsible for the payment infrastructure within your organization fills out the SAQ. This could be the stakeholder who is the closest to your payment infrastructure - your Dev Ops Manager, or Information Security Officer, or CTO.