Lowering costs through PCI-compliant SOA
CGI, a 30-year-old systems integrator with over 27,000 employees and more than 100 offices worldwide, is accustomed to repeat business. With an 8.8 out of 10 client satisfaction score in 2007, measured through CGI’s ISO 9001:2000-certified client management process, CGI has a history of helping clients achieve superior results.
In this case, a government finance ministry, the central organization that advises the government in the budgetary, fiscal, economic, financial and accounting fields, wanted CGI to convert its original application-based payment gateway to a PCI-compliant, Web services-based one. There was just one problem – this would be the first SOA project undertaken by CGI’s Financial Services arm, and the team had only six months to complete it.
CGI by the Numbers
- Founded in 1976
- Revenue run rate of CDN$3.8B
- Backlog of CDN$12.03 billion
- Approximately 27,000 employees
- More than 100 offices serving clients in 16 countries
- 45 of the 50 top banks in North America and Europe
- 11 of the 15 largest insurers globally
- 7 of the 10 largest global telcos
- Hundreds of government agencies
Many government ministries offer some kind of fee-based service to the public, and encourage online payment for these services by credit card. For example, the public can visit government web sites to pay speeding tickets, purchase recreational fishing licenses, or book national park campgrounds. In CGI’s original solution, entering a credit card number on a ministry web site invoked the payment gateway at the finance ministry, which acted as the central clearing house.
Fundamentally, the payment gateway was technologically sound, but adding new “merchants” incurred a large IT overhead. To control costs while expanding its portfolio of fee-based services, the government required a more flexible way to add new ministries and/or new ministry services on an ad hoc basis. Additional criteria included support for encryption and digital signing as part of an overall push toward PCI compliance.
After consulting with their SOA Center of Excellence, CGI proposed migrating the existing application-based payment gateway to a Web services model with the goal of creating a more secure, standards-based, PCI compliant solution that would feature a lower total cost of ownership.
For the security layer, CGI compared a number of commercial off-the-shelf products (as well as building a solution in-house) and decided that the Layer 7 SecureSpan SOA Gateway provided the most robust solution. It offered not only centralized enforcement of security policies but also an XML VPN Client that could be installed at each ministry to negotiate the security and credentialing handshake between the client application and the SecureSpan Gateway automatically, eliminating the need to recode, test and deploy each client application. Because the existing IT infrastructure varied widely from ministry to ministry, this capability would greatly reduce the time to deploy the overall solution.
The greatest effort centered on re-creating the old API-based transaction application as a set of Web services. By carving the monolithic application into discrete pieces of functionality, CGI could define a fixed series of steps to validate and process each transaction, and could simplify the addition of new ministries as payees. For example, one Web service converts the incoming SOAP message to the HTML form submission expected by the existing ASP-based Web interface, which in turn forwards it to a handler behind several security zones. The handler returns a response that includes a transaction ID; the client must send that ID back to confirm the transaction, otherwise the transaction is rolled back.
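The confirm-or-roll-back step described above, as an added example that is not part of the original case study or CGI’s code. It assumes a pending transaction store held by the handler, a random 128-bit transaction ID so that IDs cannot be enumerated, a confirmation window (the 120-second value is an assumption; the page gives none), and that the confirmation must come from the same ministry that submitted the payment. Time is injected so the expiry path can be exercised without waiting.

```python
"""Two-phase payment submission: a transaction stays pending until the client
echoes its transaction ID back; anything unconfirmed is rolled back.
Added illustration, not code from the case study."""
import secrets
import time
from dataclasses import dataclass, field

CONFIRM_WINDOW_SECONDS = 120  # assumed timeout; the case study states no value


@dataclass
class Transaction:
    tx_id: str
    ministry: str
    amount_cents: int
    state: str = "pending"  # pending -> committed | rolled_back
    created_at: float = field(default_factory=time.monotonic)


class PaymentHandler:
    """Hypothetical handler sitting behind the ASP interface."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so tests can advance time
        self._txs: dict[str, Transaction] = {}

    def submit(self, ministry: str, amount_cents: int) -> str:
        """Record a pending transaction and return the ID the client must echo."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        # 128 random bits: a third party cannot confirm or cancel somebody
        # else's transaction by guessing IDs
        tx_id = secrets.token_hex(16)
        self._txs[tx_id] = Transaction(
            tx_id, ministry, amount_cents, created_at=self._clock()
        )
        return tx_id

    def confirm(self, ministry: str, tx_id: str) -> bool:
        """Commit the transaction if the right client echoes the ID in time."""
        tx = self._txs.get(tx_id)
        if tx is None or tx.state != "pending":
            return False  # unknown, already committed, or already rolled back
        if tx.ministry != ministry:
            return False  # confirmation must come from the submitting ministry
        if self._clock() - tx.created_at > CONFIRM_WINDOW_SECONDS:
            tx.state = "rolled_back"  # late confirmation: roll back, do not commit
            return False
        tx.state = "committed"
        return True

    def sweep(self) -> int:
        """Roll back every pending transaction past its window; return the count."""
        now = self._clock()
        rolled = 0
        for tx in self._txs.values():
            if tx.state == "pending" and now - tx.created_at > CONFIRM_WINDOW_SECONDS:
                tx.state = "rolled_back"
                rolled += 1
        return rolled

    def state(self, tx_id: str) -> str:
        return self._txs[tx_id].state


if __name__ == "__main__":
    h = PaymentHandler()
    tid = h.submit("Parks", 2500)
    print(tid, h.confirm("Parks", tid), h.state(tid))
```

A real deployment would persist the pending set outside the handler process and run the sweep on a schedule; the point here is that the transaction ID is both the correlation key and a bearer token, so it must be unguessable and bound to the submitting party.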
The SecureSpan Gateway allows CGI to define and enforce security policies at run time, and performs XML schema validation as threat protection, rejecting messages that do not match the expected structure before they reach the back end. The Gateway’s native X.509 support provides the authentication and authorization framework, in conjunction with the finance ministry’s existing LDAP service. The Gateway also performs message-level cryptography, including signature validation and decryption of incoming content.
Today, over 20 ministries use the new PCI-compliant credit card payment system, with more being added every month on an ad hoc basis.
Centralized enforcement of security policies gave CGI consistent security across all applications, eliminating the time and effort of coding and maintaining security logic in each back-end application.
The XML VPN Client allowed CGI to “drop in” a software component that handles all encryption, digital signing and other credentialing independently of the client application, covering the PCI encryption and signing requirements. This spared CGI from coding (and then testing and deploying) security requirements in each ministry’s client application – a key capability in allowing CGI to meet the project timeline.