Design a Payment System

Building a payment processing platform that handles card transactions, bank transfers, and digital wallets with PCI DSS compliance, idempotent processing, and real-time fraud detection. Payment systems operate under unique constraints: zero tolerance for duplicate charges, regulatory mandates (PCI DSS), and sub-second fraud decisions. This design covers the complete payment lifecycle—authorization, capture, settlement—plus reconciliation, refunds, and multi-gateway routing.

Payment system architecture: Client apps submit payments through an idempotent API, fraud engine scores in real-time, smart router selects optimal processor, authorization flows through card networks, and all movements are recorded in a double-entry ledger.

Abstract

Payment system design revolves around four competing constraints:

Exactly-once processing — Network failures and retries must never result in duplicate charges. Idempotency keys + request fingerprinting make every operation safely retriable.
PCI compliance scope reduction — Cardholder data (PAN, CVV) must never touch your servers if avoidable. Tokenization at the edge (via Stripe Elements, Adyen Web Components) keeps sensitive data out of your environment.
Latency under fraud scrutiny — Fraud decisions must complete in <100ms to avoid checkout abandonment, while evaluating 1000+ signals per transaction.
Financial accuracy — Every fund movement (authorization hold, capture, refund, chargeback) must be recorded in a double-entry ledger. Reconciliation ensures external settlements match internal records.

The mental model: tokenize → authorize → capture → settle → reconcile. Each stage has distinct timing, failure modes, and rollback procedures.

Design Decision	Trade-off
Edge tokenization	Removes PAN from scope; adds client SDK complexity
Idempotency keys	Safe retries; requires key management and storage
Smart routing	Higher auth rates; multi-processor operational overhead
Async settlement	Handles scale; delayed confirmation visibility
Double-entry ledger	Audit-ready; write amplification

Requirements

Functional Requirements

Feature	Scope	Notes
Card payments	Core	Visa, Mastercard, Amex via card networks
Bank transfers	Core	ACH (US), SEPA (EU), wire transfers
Digital wallets	Core	Apple Pay, Google Pay (tokenized)
Authorization + Capture	Core	Separate or combined (auth-capture)
Refunds	Core	Full and partial, with reason codes
Recurring payments	Core	Subscription billing with retry logic
Multi-currency	Extended	FX conversion at capture time
Split payments	Extended	Marketplace payouts
Disputes/Chargebacks	Extended	Evidence submission, representment
3D Secure	Core	SCA compliance for EU/PSD2

Non-Functional Requirements

Requirement	Target	Rationale
Availability	99.99%	Revenue-critical; Stripe maintains 99.999%
Authorization latency	p99 < 2s	Card network round-trip + fraud scoring
Fraud decision latency	p99 < 100ms	Inline with authorization; cannot delay checkout
Duplicate charge rate	0%	Non-negotiable; idempotency required
Data consistency	Strong	Financial data requires ACID guarantees
PCI DSS compliance	Level 1	Required for >6M transactions/year
Settlement accuracy	100%	Reconciliation must match external records

Scale Estimation

Traffic Profile:

Metric	Typical	Peak (Black Friday)
Transactions/day	10M	50M
TPS (average)	115 TPS	580 TPS
TPS (peak)	500 TPS	2,000 TPS
Auth requests/sec	1,000 RPS	5,000 RPS

Reference: Visa processes 1,700-8,500 TPS average, with peak capacity of 65,000+ TPS.

Storage:

1
Transactions: 10M/day × 2KB = 20GB/day
2
Yearly: 7.3TB
3
With 7-year retention: ~50TB
4

5
Ledger entries: 10M × 4 entries (avg) × 500B = 20GB/day
6
Event stream: 10M × 1KB = 10GB/day

Latency Budget:

1
Total authorization: 2000ms budget
2
├── API processing: 50ms
3
├── Fraud scoring: 100ms
4
├── Tokenization lookup: 20ms
5
├── Network to processor: 50ms
6
├── Processor to card network: 500ms
7
├── Issuer decision: 800ms
8
├── Response path: 480ms

Design Paths

Path A: Integrated Payment Gateway (Build In-House)

Best when:

High transaction volume (>$1B annually)—interchange savings justify engineering cost
Regulatory requirements demand data residency
Unique payment flows that don’t fit third-party APIs

Architecture:

Key characteristics:

Direct acquiring bank relationships
Full control over routing decisions
In-house tokenization and vault
Custom fraud rules and ML models

Trade-offs:

✅ Lower per-transaction cost at scale (save 0.1-0.3%)
✅ Full customization of payment flows
✅ Data residency control
❌ PCI DSS Level 1 scope (audit, penetration testing, quarterly scans)
❌ 12-18 month build time minimum
❌ Requires dedicated security and compliance team

Real-world example: Shopify built Shop Pay in-house, processing $12B+ in GMV (2023). Justified by volume and unique merchant financing features. Required dedicated payments engineering team of 50+.

Path B: Third-Party Payment Platform (Stripe, Adyen)

Best when:

Speed to market is critical
Transaction volume <$500M annually
Engineering focus should be on product, not payments infrastructure

Architecture:

Key characteristics:

PCI scope reduced to SAQ-A (minimal questionnaire)
Built-in fraud detection (Stripe Radar)
Payment method coverage (cards, wallets, BNPL)
Automatic card network compliance updates

Trade-offs:

✅ Days to integrate, not months
✅ PCI compliance handled by provider
✅ Built-in fraud detection
✅ Global payment method coverage
❌ Higher per-transaction fees (2.9% + $0.30 typical)
❌ Less control over routing and failover
❌ Vendor lock-in risk

Real-world example: Figma uses Stripe for all payments. At their scale (~$600M ARR), the 2.9% fee is acceptable given engineering leverage—zero payment engineers needed on staff.

Path C: Hybrid with Payment Orchestration

Best when:

Multiple payment providers needed (regional coverage, redundancy)
Authorization rate optimization is critical
Gradual migration from one provider to another

Architecture:

Key characteristics:

Single API, multiple backend processors
Intelligent routing based on card type, geography, cost
Automatic failover on processor outage
A/B testing payment flows

Trade-offs:

✅ Redundancy and failover
✅ Route optimization (Adyen reports 26% cost savings with smart routing)
✅ Gradual provider migration
❌ Additional integration layer complexity
❌ Token portability challenges between providers
❌ Orchestration platform cost

Real-world example: eBay uses Adyen’s intelligent payment routing, achieving 26% average cost savings on US debit transactions and 0.22% uplift in authorization rates.

Path Comparison

Factor	Path A (Build)	Path B (Third-Party)	Path C (Orchestration)
Time to market	12-18 months	Days-weeks	1-3 months
PCI scope	Level 1 (full)	SAQ-A (minimal)	SAQ-A (minimal)
Per-transaction cost	Lowest at scale	Highest (2.9%+)	Middle
Engineering effort	High (50+ FTEs)	Low (1-2 FTEs)	Medium (5-10 FTEs)
Customization	Full	Limited	Medium
Best for	High-volume, unique needs	Startups, SMBs	Enterprise, multi-region

This Article’s Focus

This article focuses on Path B (Third-Party) with elements of Path C (Smart Routing) because:

Most engineering teams should not build payment infrastructure
Third-party platforms handle PCI compliance, fraud, and card network changes
Smart routing concepts apply regardless of implementation

The architecture sections show how to integrate third-party providers while maintaining control over critical concerns like idempotency, reconciliation, and ledger accuracy.

High-Level Design

Component Overview

Component	Responsibility	Technology
Payment API	Idempotent payment operations	REST API + Idempotency keys
Token Service	Map payment methods to tokens	Stripe.js / Adyen Web Components
Smart Router	Select optimal processor	Rule engine + ML routing
Fraud Engine	Real-time risk scoring	ML model (Stripe Radar)
Authorization Service	Card network communication	Processor SDK
Capture Service	Settlement initiation	Async job processor
Ledger Service	Double-entry bookkeeping	PostgreSQL + event sourcing
Reconciliation Service	Match internal vs external	Batch jobs + anomaly detection
Webhook Handler	Process async events	Idempotent consumer

Payment Lifecycle

Authorization vs Capture Timing

Pattern	Use Case	Auth Window
Auth + immediate capture	Digital goods, subscriptions	N/A (single request)
Auth then capture	E-commerce (ship then charge)	7 days (Visa), 30 days (others)
Auth with delayed capture	Hotels, car rentals	Up to 31 days
Incremental auth	Hotels (room service additions)	Within original auth window

Design note: Visa shortened online Merchant-Initiated Transaction (MIT) windows from 7 to 5 days as of April 2024. Always capture within the network’s window or risk auth expiration.

API Design

Create Payment

1
POST /api/v1/payments
2
Idempotency-Key: pay_abc123_user_456
3
Authorization: Bearer {api_key}
4
Content-Type: application/json
5

6
{
7
  "amount": 9999,
8
  "currency": "usd",
9
  "payment_method_token": "pm_tok_visa_4242",
10
  "capture_method": "automatic",
11
  "description": "Order #12345",
12
  "metadata": {
13
    "order_id": "ord_789",
14
    "customer_email": "user@example.com"
15
  },
16
  "idempotency_key": "pay_abc123_user_456"
17
}

Response (201 Created):

1
{
2
  "id": "pay_xyz789",
3
  "object": "payment",
4
  "amount": 9999,
5
  "currency": "usd",
6
  "status": "succeeded",
7
  "payment_method": {
8
    "id": "pm_tok_visa_4242",
9
    "type": "card",
10
    "card": {
11
      "brand": "visa",
12
      "last4": "4242",
13
      "exp_month": 12,
14
      "exp_year": 2025
15
    }
16
  },
17
  "captured": true,
18
  "receipt_url": "https://pay.example.com/receipts/pay_xyz789",
19
  "created_at": "2024-03-15T10:00:00Z",
20
  "metadata": {
21
    "order_id": "ord_789"
22
  }
23
}

Error Responses:

Code	Condition	Response
`400 Bad Request`	Invalid amount, currency	`{"error": {"code": "invalid_amount"}}`
`402 Payment Required`	Card declined	`{"error": {"code": "card_declined", "decline_code": "insufficient_funds"}}`
`409 Conflict`	Idempotency key reused with different params	`{"error": {"code": "idempotency_conflict"}}`
`429 Too Many Requests`	Rate limit exceeded	`{"error": {"code": "rate_limited"}}`

Authorize Only (Separate Capture)

1
POST /api/v1/payments
2
Idempotency-Key: auth_abc123
3

4
{
5
  "amount": 9999,
6
  "currency": "usd",
7
  "payment_method_token": "pm_tok_visa_4242",
8
  "capture_method": "manual"
9
}

Response:

1
{
2
  "id": "pay_xyz789",
3
  "status": "requires_capture",
4
  "amount_capturable": 9999,
5
  "capture_before": "2024-03-22T10:00:00Z"
6
}

Capture Payment

1
POST /api/v1/payments/{payment_id}/capture
2
Idempotency-Key: cap_abc123
3

4
{
5
  "amount_to_capture": 9999
6
}

Partial capture: Capture less than authorized amount. Remaining authorization is automatically released.

Refund Payment

1
POST /api/v1/payments/{payment_id}/refunds
2
Idempotency-Key: ref_abc123
3

4
{
5
  "amount": 2500,
6
  "reason": "customer_request",
7
  "metadata": {
8
    "support_ticket": "TKT-456"
9
  }
10
}

Response:

1
{
2
  "id": "ref_abc456",
3
  "payment_id": "pay_xyz789",
4
  "amount": 2500,
5
  "status": "pending",
6
  "reason": "customer_request",
7
  "estimated_arrival": "2024-03-20"
8
}

Refund timing: Card refunds take 5-10 business days to appear on customer statement. ACH refunds take 3-5 business days.

Webhook Events

1
POST /webhooks/payments
2
Stripe-Signature: t=1234567890,v1=abc123...
3

4
{
5
  "id": "evt_123",
6
  "type": "payment_intent.succeeded",
7
  "data": {
8
    "object": {
9
      "id": "pi_xyz",
10
      "amount": 9999,
11
      "status": "succeeded"
12
    }
13
  },
14
  "created": 1234567890
15
}

Critical webhook events:

Event	Action Required
`payment_intent.succeeded`	Mark order as paid, trigger fulfillment
`payment_intent.payment_failed`	Notify customer, retry logic
`charge.refunded`	Update order status, adjust inventory
`charge.dispute.created`	Alert fraud team, gather evidence
`payout.paid`	Reconcile settlement

Data Modeling

Payment Schema (PostgreSQL)


5 collapsed lines
1
-- Core payment record
2
CREATE TABLE payments (
3
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
4
    external_id VARCHAR(100) UNIQUE NOT NULL,
5
    idempotency_key VARCHAR(255) UNIQUE NOT NULL,
6

7
    -- Amount
8
    amount_cents BIGINT NOT NULL CHECK (amount_cents > 0),
9
    currency VARCHAR(3) NOT NULL,
10
    amount_captured_cents BIGINT DEFAULT 0,
11
    amount_refunded_cents BIGINT DEFAULT 0,
12

13
    -- Status
14
    status VARCHAR(30) NOT NULL DEFAULT 'pending',
15
    capture_method VARCHAR(20) NOT NULL,
16

17
    -- Payment method (tokenized reference)
18
    payment_method_id UUID REFERENCES payment_methods(id),
19
    payment_method_type VARCHAR(20) NOT NULL,
20

21
    -- Customer
22
    customer_id UUID REFERENCES customers(id),
23

24
    -- Processor details
25
    processor VARCHAR(30) NOT NULL,
26
    processor_payment_id VARCHAR(100),
27
    auth_code VARCHAR(20),
28
    decline_code VARCHAR(50),
29

30
    -- Risk
31
    risk_score INTEGER,
32
    risk_level VARCHAR(20),
33

34
    -- Metadata
35
    description TEXT,
36
    metadata JSONB DEFAULT '{}',
37

38
    -- Timestamps
39
    created_at TIMESTAMPTZ DEFAULT NOW(),
40
    authorized_at TIMESTAMPTZ,
41
    captured_at TIMESTAMPTZ,
42
    canceled_at TIMESTAMPTZ,
43

44
    -- Constraints
11 collapsed lines
45
    CONSTRAINT valid_status CHECK (status IN (
46
        'pending', 'requires_action', 'requires_capture',
47
        'processing', 'succeeded', 'failed', 'canceled'
48
    ))
49
);
50

51
-- Indexes for common queries
52
CREATE INDEX idx_payments_customer ON payments(customer_id, created_at DESC);
53
CREATE INDEX idx_payments_status ON payments(status, created_at DESC);
54
CREATE INDEX idx_payments_processor ON payments(processor_payment_id);
55
CREATE INDEX idx_payments_idempotency ON payments(idempotency_key);

Double-Entry Ledger Schema

1
-- Accounts in the chart of accounts
2
CREATE TABLE accounts (
3
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
4
    code VARCHAR(20) UNIQUE NOT NULL,
5
    name VARCHAR(100) NOT NULL,
6
    type VARCHAR(20) NOT NULL,  -- asset, liability, revenue, expense
7
    currency VARCHAR(3) NOT NULL,
8
    is_active BOOLEAN DEFAULT true
9
);
10

11
-- Ledger entries (immutable)
12
CREATE TABLE ledger_entries (
13
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
14
    transaction_id UUID NOT NULL,
15
    account_id UUID NOT NULL REFERENCES accounts(id),
16
    entry_type VARCHAR(10) NOT NULL,  -- debit or credit
17
    amount_cents BIGINT NOT NULL CHECK (amount_cents > 0),
18
    currency VARCHAR(3) NOT NULL,
19
    description TEXT,
20
    metadata JSONB DEFAULT '{}',
21
    created_at TIMESTAMPTZ DEFAULT NOW(),
22

23
    -- Reference to source
24
    payment_id UUID REFERENCES payments(id),
25
    refund_id UUID REFERENCES refunds(id),
26
    payout_id UUID REFERENCES payouts(id)
27
);
28

29
CREATE INDEX idx_ledger_transaction ON ledger_entries(transaction_id);
30
CREATE INDEX idx_ledger_account ON ledger_entries(account_id, created_at DESC);
31
CREATE INDEX idx_ledger_payment ON ledger_entries(payment_id);

Ledger Entry Examples

Authorization (hold funds):

1
Transaction: AUTH-001
2
├── DEBIT  accounts_receivable  $100.00
3
└── CREDIT authorization_hold   $100.00

Capture (recognize revenue):

1
Transaction: CAP-001
2
├── DEBIT  authorization_hold   $100.00
3
└── CREDIT revenue              $100.00

Settlement (receive cash):

1
Transaction: SET-001
2
├── DEBIT  cash                 $97.10  (after fees)
3
├── DEBIT  processing_fees      $2.90
4
└── CREDIT accounts_receivable  $100.00

Refund:

1
Transaction: REF-001
2
├── DEBIT  revenue              $50.00
3
└── CREDIT accounts_receivable  $50.00

Token Vault Schema

1
-- Minimal schema for tokenized payment methods
2
-- Actual PAN/CVV stored in PCI-compliant vault (Stripe, external)
3
CREATE TABLE payment_methods (
4
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
5
    customer_id UUID NOT NULL REFERENCES customers(id),
6
    processor VARCHAR(30) NOT NULL,
7
    processor_token VARCHAR(100) NOT NULL,  -- Stripe pm_xxx
8

9
    -- Non-sensitive metadata
10
    type VARCHAR(20) NOT NULL,  -- card, bank_account, wallet
11
    card_brand VARCHAR(20),     -- visa, mastercard, amex
12
    card_last4 VARCHAR(4),
13
    card_exp_month INTEGER,
14
    card_exp_year INTEGER,
15
    card_funding VARCHAR(20),   -- credit, debit, prepaid
16

17
    -- Billing
18
    billing_name VARCHAR(100),
19
    billing_country VARCHAR(2),
20
    billing_postal_code VARCHAR(20),
21

22
    -- Status
23
    is_default BOOLEAN DEFAULT false,
24
    is_active BOOLEAN DEFAULT true,
25

26
    created_at TIMESTAMPTZ DEFAULT NOW(),
27
    updated_at TIMESTAMPTZ DEFAULT NOW(),
28

29
    UNIQUE(customer_id, processor_token)
30
);

PCI scope note: This schema stores only tokens and non-sensitive metadata. The actual card numbers (PAN) are stored by Stripe/Adyen in their PCI-compliant vaults. Your database never sees or stores raw card data.

Database Selection Matrix

Data	Store	Rationale
Payments	PostgreSQL	ACID, complex queries, audit requirements
Ledger entries	PostgreSQL	Strong consistency, immutable append-only
Idempotency keys	Redis + PostgreSQL	Fast lookup (Redis), durable record (PG)
Payment method tokens	PostgreSQL	Referential integrity with customers
Event stream	Kafka	High throughput, replay capability
Reconciliation snapshots	S3 + Parquet	Cost-effective analytics storage
Rate limiting	Redis	Sub-ms counters

Low-Level Design

Idempotency Implementation

Idempotency prevents duplicate charges when clients retry failed requests. Stripe’s implementation serves as the industry reference.

Request flow:

Implementation:


14 collapsed lines
1
import { Redis } from "ioredis"
2
import { createHash } from "crypto"
3

4
interface IdempotencyRecord {
5
  key: string
6
  request_hash: string
7
  response: any
8
  status: "processing" | "complete" | "error"
9
  created_at: Date
10
  expires_at: Date
11
}
12

13
const redis = new Redis(process.env.REDIS_URL)
14
const IDEMPOTENCY_TTL = 24 * 60 * 60 // 24 hours (Stripe's window)
15

16
export async function checkIdempotency(
17
  key: string,
18
  requestBody: object,
19
): Promise<{ exists: boolean; response?: any; conflict?: boolean }> {
20
  const requestHash = hashRequest(requestBody)
21

22
  // Check Redis first (fast path)
23
  const cached = await redis.get(`idem:${key}`)
24

25
  if (!cached) {
26
    // Key doesn't exist, allow processing
27
    return { exists: false }
28
  }
29

30
  const record: IdempotencyRecord = JSON.parse(cached)
31

32
  // Key exists, check if parameters match
33
  if (record.request_hash !== requestHash) {
34
    // Same key, different request = conflict
35
    return { exists: true, conflict: true }
36
  }
37

38
  // Same key, same request
39
  if (record.status === "processing") {
40
    // Request in flight, return 409 to trigger retry
41
    return { exists: true, conflict: true }
42
  }
43

44
  // Return cached response
45
  return { exists: true, response: record.response }
46
}
47

48
export async function startIdempotentRequest(key: string, requestBody: object): Promise<boolean> {
49
  const requestHash = hashRequest(requestBody)
50

51
  // Atomic set-if-not-exists
52
  const result = await redis.set(
53
    `idem:${key}`,
54
    JSON.stringify({
55
      key,
56
      request_hash: requestHash,
57
      status: "processing",
58
      created_at: new Date(),
59
    }),
60
    "EX",
61
    IDEMPOTENCY_TTL,
62
    "NX", // Only set if not exists
63
  )
16 collapsed lines
64

65
  return result === "OK"
66
}
67

68
export async function completeIdempotentRequest(
69
  key: string,
70
  response: any,
71
  status: "complete" | "error",
72
): Promise<void> {
73
  const cached = await redis.get(`idem:${key}`)
74
  if (!cached) return
75

76
  const record: IdempotencyRecord = JSON.parse(cached)
77
  record.response = response
78
  record.status = status
79

80
  await redis.setex(`idem:${key}`, IDEMPOTENCY_TTL, JSON.stringify(record))
81

82
  // Also persist to PostgreSQL for durability
83
  await db.idempotency_records.upsert({
84
    key,
85
    request_hash: record.request_hash,
86
    response: JSON.stringify(response),
87
    status,
88
    expires_at: new Date(Date.now() + IDEMPOTENCY_TTL * 1000),
89
  })
90
}
91

92
function hashRequest(body: object): string {
93
  return createHash("sha256").update(JSON.stringify(body)).digest("hex")
94
}

Payment controller with idempotency:


7 collapsed lines
1
import { checkIdempotency, startIdempotentRequest, completeIdempotentRequest } from "./idempotency-service"
2

3
export async function createPayment(req: Request): Promise<Response> {
4
  const idempotencyKey = req.headers.get("Idempotency-Key")
5

6
  if (!idempotencyKey) {
7
    return errorResponse(400, "idempotency_key_required")
8
  }
9

10
  // Check for existing request
11
  const check = await checkIdempotency(idempotencyKey, req.body)
12

13
  if (check.conflict) {
14
    return errorResponse(409, "idempotency_conflict")
15
  }
16

17
  if (check.exists && check.response) {
18
    // Return cached response (including errors)
19
    return new Response(JSON.stringify(check.response), {
20
      status: check.response.status_code || 200,
21
      headers: { "Idempotent-Replayed": "true" },
22
    })
23
  }
24

25
  // Start processing (atomic lock)
26
  const acquired = await startIdempotentRequest(idempotencyKey, req.body)
27
  if (!acquired) {
28
    // Another request is processing, retry later
29
    return errorResponse(409, "request_in_progress")
30
  }
31

32
  try {
33
    // Process payment
34
    const payment = await processPayment(req.body)
35

36
    // Cache successful response
37
    await completeIdempotentRequest(idempotencyKey, payment, "complete")
38

39
    return successResponse(201, payment)
40
  } catch (error) {
41
    // Cache error response (prevents retry storms)
42
    await completeIdempotentRequest(idempotencyKey, { error: error.message }, "error")
43

44
    throw error
45
  }
46
}

Design decisions:

Decision	Rationale
24-hour TTL	Matches Stripe; long enough for debugging, short enough to not accumulate
Hash request body	Detects different requests with same key
Cache errors too	Prevents retry storms for permanent failures
Redis + PostgreSQL	Redis for speed, PostgreSQL for durability and audit

Fraud Detection Pipeline

Real-time fraud scoring must complete within 100ms to avoid impacting checkout latency.

Scoring architecture:

Feature examples (1000+ per transaction):

Category	Features
Velocity	Transactions/hour from this card, IP, device
Historical	Days since first transaction, avg transaction amount
Geolocation	Distance from billing address, IP geolocation mismatch
Card	BIN country, funding type (credit/debit/prepaid)
Device	Browser fingerprint, screen resolution, timezone
Behavioral	Time on page before purchase, mouse movement patterns

Stripe Radar reference:

0-99 risk score (0 = lowest risk)
Default block threshold: 75
Elevated risk threshold: 65
Decision time: <100ms
False positive rate: ~0.1%
Evaluates 1000+ characteristics per transaction
Models retrained monthly (0.5% recall improvement per retraining)

3D Secure integration:


9 collapsed lines
1
interface ThreeDSResult {
2
  authentication_status: "success" | "failed" | "attempted" | "not_supported"
3
  liability_shift: boolean
4
  eci: string // Electronic Commerce Indicator
5
}
6

7
export async function handle3DSChallenge(
8
  paymentIntentId: string,
9
  returnUrl: string,
10
): Promise<{ requires_action: boolean; redirect_url?: string }> {
11
  const pi = await stripe.paymentIntents.retrieve(paymentIntentId)
12

13
  if (pi.status === "requires_action") {
14
    // 3DS challenge required
15
    return {
16
      requires_action: true,
17
      redirect_url: pi.next_action?.redirect_to_url?.url,
18
    }
19
  }
20

21
  return { requires_action: false }
22
}

3D Secure 2.0 flows:

Flow	Description	User Experience
Frictionless	Risk-based auth, no user input	Instant (invisible)
Challenge	Biometrics, OTP, push notification	10-30 seconds

3DS benefits: Visa research shows 85% reduction in checkout times and 75% reduction in cart abandonment compared to 3DS 1.0. Required for PSD2 SCA compliance in EU.

Reconciliation Service

Reconciliation ensures internal ledger matches external settlements. Discrepancies indicate bugs, fraud, or processor errors.

Reconciliation process:

Implementation:


14 collapsed lines
1
interface SettlementRecord {
2
  external_id: string
3
  amount_cents: number
4
  currency: string
5
  type: "charge" | "refund" | "chargeback"
6
  settled_at: Date
7
  fees_cents: number
8
}
9

10
interface ReconciliationResult {
11
  matched: number
12
  unmatched_internal: SettlementRecord[]
13
  unmatched_external: SettlementRecord[]
14
  amount_discrepancy_cents: number
15
}
16

17
export async function reconcileSettlement(date: Date, processor: string): Promise<ReconciliationResult> {
18
  // 1. Fetch processor settlement report
19
  const externalRecords = await fetchSettlementReport(processor, date)
20

21
  // 2. Fetch internal ledger entries
22
  const internalRecords = await fetchLedgerEntries(date, processor)
23

24
  // 3. Match by external ID
25
  const matched: string[] = []
26
  const unmatchedExternal: SettlementRecord[] = []
27
  const unmatchedInternal: SettlementRecord[] = []
28

29
  const internalMap = new Map(internalRecords.map((r) => [r.external_id, r]))
30

31
  for (const ext of externalRecords) {
32
    const internal = internalMap.get(ext.external_id)
33

34
    if (!internal) {
35
      // Transaction in processor report but not in our ledger
36
      unmatchedExternal.push(ext)
37
      continue
38
    }
39

40
    // Verify amounts match
41
    if (internal.amount_cents !== ext.amount_cents) {
42
      unmatchedExternal.push(ext)
43
      unmatchedInternal.push(internal)
44
      continue
45
    }
46

47
    matched.push(ext.external_id)
48
    internalMap.delete(ext.external_id)
49
  }
50

51
  // Remaining internal records not in processor report
52
  for (const [, record] of internalMap) {
53
    unmatchedInternal.push(record)
54
  }
55

56
  // Calculate total discrepancy
57
  const externalTotal = externalRecords.reduce((sum, r) => sum + r.amount_cents, 0)
58
  const internalTotal = internalRecords.reduce((sum, r) => sum + r.amount_cents, 0)
59

60
  return {
61
    matched: matched.length,
62
    unmatched_internal: unmatchedInternal,
63
    unmatched_external: unmatchedExternal,
64
    amount_discrepancy_cents: externalTotal - internalTotal,
65
  }
66
}
67

68
// Alert on discrepancies
16 collapsed lines
69
export async function handleReconciliationBreaks(result: ReconciliationResult): Promise<void> {
70
  if (result.unmatched_external.length > 0) {
71
    await alertFinanceTeam({
72
      type: "unmatched_external",
73
      count: result.unmatched_external.length,
74
      transactions: result.unmatched_external,
75
    })
76
  }
77

78
  if (Math.abs(result.amount_discrepancy_cents) > 100) {
79
    // $1 threshold
80
    await alertFinanceTeam({
81
      type: "amount_discrepancy",
82
      amount_cents: result.amount_discrepancy_cents,
83
    })
84
  }
85
}

Common reconciliation breaks:

Break Type	Cause	Resolution
Missing in ledger	Webhook missed, race condition	Replay webhook, manual entry
Missing in processor	Auth expired, voided	Close internal record
Amount mismatch	Partial capture, FX	Verify capture amount
Duplicate	Idempotency failure	Refund duplicate
Timing	Settlement date rollover	Verify dates

Smart Routing Implementation

Smart routing optimizes for authorization rate, cost, or both by selecting the best processor per transaction.


11 collapsed lines
1
interface RoutingDecision {
2
  processor: "stripe" | "adyen" | "paypal"
3
  reason: string
4
  expected_auth_rate: number
5
  expected_cost_bps: number // basis points
6
}
7

8
interface TransactionContext {
9
  card_brand: string
10
  card_country: string
11
  card_funding: "credit" | "debit" | "prepaid"
12
  amount_cents: number
13
  currency: string
14
  merchant_country: string
15
}
16

17
export function routeTransaction(ctx: TransactionContext): RoutingDecision {
18
  // Rule 1: US debit cards - route to lowest-cost network
19
  if (ctx.card_country === "US" && ctx.card_funding === "debit") {
20
    return {
21
      processor: "adyen", // Intelligent routing for US debit
22
      reason: "us_debit_cost_optimization",
23
      expected_auth_rate: 0.96,
24
      expected_cost_bps: 50, // vs 150+ for credit
25
    }
26
  }
27

28
  // Rule 2: European cards - route to Adyen for local acquiring
29
  if (["DE", "FR", "GB", "NL", "ES", "IT"].includes(ctx.card_country)) {
30
    return {
31
      processor: "adyen",
32
      reason: "eu_local_acquiring",
33
      expected_auth_rate: 0.94,
34
      expected_cost_bps: 180, // Lower cross-border fees
35
    }
36
  }
37

38
  // Rule 3: High-value transactions - route to processor with best auth rate
39
  if (ctx.amount_cents > 100000) {
40
    // > $1000
41
    return {
42
      processor: "stripe",
43
      reason: "high_value_auth_optimization",
44
      expected_auth_rate: 0.92,
45
      expected_cost_bps: 290,
46
    }
47
  }
48

49
  // Default: Stripe
50
  return {
51
    processor: "stripe",
52
    reason: "default",
53
    expected_auth_rate: 0.9,
16 collapsed lines
54
    expected_cost_bps: 290,
55
  }
56
}
57

58
// Failover on processor error
59
export async function processWithFailover(ctx: TransactionContext, paymentData: PaymentData): Promise<PaymentResult> {
60
  const primary = routeTransaction(ctx)
61
  const processors = [primary.processor, ...getFailoverProcessors(primary.processor)]
62

63
  for (const processor of processors) {
64
    try {
65
      return await processPayment(processor, paymentData)
66
    } catch (error) {
67
      if (isRetryableError(error)) {
68
        continue // Try next processor
69
      }
70
      throw error // Non-retryable (e.g., card declined)
71
    }
72
  }
73

74
  throw new Error("All processors failed")
75
}

Routing optimization results (Adyen reference):

US debit routing: 26% average cost savings
Authorization rate uplift: 0.22%
Some merchants: 55% cost savings

Frontend Considerations

PCI Scope Reduction

The primary frontend concern is keeping card data out of your servers entirely.

Tokenization at edge:


8 collapsed lines
1
// payment-form.tsx (React example)
2
import { loadStripe } from "@stripe/stripe-js";
3
import { Elements, CardElement, useStripe, useElements } from "@stripe/react-stripe-js";
4

5
const stripePromise = loadStripe(process.env.NEXT_PUBLIC_STRIPE_KEY);
6

7
function CheckoutForm() {
8
  const stripe = useStripe();
9
  const elements = useElements();
10

11
  const handleSubmit = async (e: FormEvent) => {
12
    e.preventDefault();
13

14
    // Card data goes directly to Stripe, never touches your server
15
    const { error, paymentMethod } = await stripe.createPaymentMethod({
16
      type: "card",
17
      card: elements.getElement(CardElement),
18
      billing_details: {
19
        name: "Customer Name",
20
      },
21
    });
22

23
    if (error) {
24
      setError(error.message);
25
      return;
26
    }
27

28
    // Only the token (pm_xxx) goes to your backend
29
    const response = await fetch("/api/payments", {
30
      method: "POST",
31
      body: JSON.stringify({
32
        payment_method_token: paymentMethod.id,
33
        amount: 9999,
34
      }),
35
    });
36
  };
37

38
  return (
39
    <form onSubmit={handleSubmit}>
11 collapsed lines
40
      <CardElement />
41
      <button type="submit">Pay $99.99</button>
42
    </form>
43
  );
44
}
45

46
export function CheckoutPage() {
47
  return (
48
    <Elements stripe={stripePromise}>
49
      <CheckoutForm />
50
    </Elements>
51
  );
52
}

PCI scope impact:

Approach	PCI Level	Effort
Direct card handling	SAQ-D (400+ questions)	Months of compliance work
Stripe.js iframe	SAQ-A (22 questions)	Hours
Redirect to hosted page	SAQ-A	Minimal

3D Secure Challenge Handling


9 collapsed lines
1
import { loadStripe } from "@stripe/stripe-js"
2

3
export async function handle3DSChallenge(clientSecret: string): Promise<{ success: boolean; error?: string }> {
4
  const stripe = await loadStripe(process.env.NEXT_PUBLIC_STRIPE_KEY)
5

6
  // This opens the 3DS challenge in a modal/redirect
7
  const { error, paymentIntent } = await stripe.confirmCardPayment(clientSecret, {
8
    payment_method: paymentMethodId,
9
  })
10

11
  if (error) {
12
    // 3DS failed or user canceled
13
    return { success: false, error: error.message }
14
  }
15

16
  if (paymentIntent.status === "succeeded") {
17
    return { success: true }
18
  }
19

20
  if (paymentIntent.status === "requires_action") {
21
    // Additional action needed (rare edge case)
22
    return await handle3DSChallenge(paymentIntent.client_secret)
23
  }
24

25
  return { success: false, error: "Unexpected payment status" }
26
}

Error Handling UX

1
const ERROR_MESSAGES: Record<string, string> = {
2
  card_declined: "Your card was declined. Please try a different card.",
3
  insufficient_funds: "Insufficient funds. Please try a different card.",
4
  expired_card: "Your card has expired. Please update your payment method.",
5
  incorrect_cvc: "The CVC code is incorrect. Please check and try again.",
6
  processing_error: "A processing error occurred. Please try again.",
7
  rate_limited: "Too many attempts. Please wait a moment and try again.",
8
}
9

10
export function getErrorMessage(declineCode: string): string {
11
  return ERROR_MESSAGES[declineCode] || "Payment failed. Please try again."
12
}

Infrastructure Design

Cloud-Agnostic Components

Component	Purpose	Requirements
API Gateway	Rate limiting, auth	High availability, DDoS protection
Application servers	Payment processing	Horizontal scaling, idempotent
Primary database	Payments, ledger	ACID, strong consistency
Cache	Idempotency, sessions	Sub-ms latency
Message queue	Async processing	Exactly-once, durable
Event stream	Audit, analytics	High throughput, retention
Secrets manager	API keys, encryption keys	HSM-backed, audit logging

AWS Reference Architecture

Service configuration:

Service	Configuration	Rationale
RDS PostgreSQL	db.r6g.xlarge, Multi-AZ, encrypted	ACID, HA, compliance
ElastiCache Redis	r6g.large, cluster mode, 3 nodes	Idempotency, low latency
ECS Fargate	2 vCPU, 4GB, auto-scaling 2-20	Predictable performance
SQS FIFO	3000 msg/sec	Exactly-once webhooks
KMS	Customer-managed keys	Encryption key control
CloudWatch	1-minute metrics, alarms	Observability

Self-Hosted Alternatives

Managed Service	Self-Hosted	Trade-off
RDS PostgreSQL	PostgreSQL on EC2	More control, operational burden
ElastiCache	Redis Cluster on EC2	Cost at scale
SQS FIFO	Kafka	Higher throughput, complexity
Secrets Manager	HashiCorp Vault	Full control, operational overhead

Variations

ACH/Bank Transfer Processing

ACH has fundamentally different timing and failure modes than cards.

1
interface ACHPayment {
2
  routing_number: string
3
  account_number: string // tokenized
4
  account_type: "checking" | "savings"
5
}
6

7
export async function initiateACHPayment(
8
  payment: ACHPayment,
9
  amount: number,
10
): Promise<{ status: string; estimated_settlement: Date }> {
11
  // ACH is batch-processed, not real-time
12
  const transfer = await stripe.paymentIntents.create({
13
    amount,
14
    currency: "usd",
15
    payment_method_types: ["us_bank_account"],
16
    payment_method_data: {
17
      type: "us_bank_account",
18
      us_bank_account: {
19
        routing_number: payment.routing_number,
20
        account_number: payment.account_number,
21
        account_holder_type: "individual",
22
      },
23
    },
24
  })
25

26
  return {
27
    status: "processing",
28
    estimated_settlement: addBusinessDays(new Date(), 3), // Same-day ACH: same day
29
  }
30
}

ACH timing:

Type	Submission Deadline	Settlement
Same-Day ACH	4:45 PM ET	Same day by 5 PM
Next-Day ACH	2:15 PM ET	Next business day
Standard ACH	Varies	2-3 business days

ACH failure modes:

NSF (Non-Sufficient Funds): Returns after 2-3 days
Account closed: Returns after settlement attempt
Invalid account: Returns within 24 hours

Subscription/Recurring Billing


11 collapsed lines
1
interface Subscription {
2
  id: string
3
  customer_id: string
4
  plan_id: string
5
  status: "active" | "past_due" | "canceled"
6
  current_period_end: Date
7
  payment_method_id: string
8
}
9

10
const RETRY_SCHEDULE = [1, 3, 5, 7] // Days after failure
11

12
export async function processSubscriptionRenewal(subscription: Subscription): Promise<void> {
13
  const plan = await getPlan(subscription.plan_id)
14

15
  try {
16
    const payment = await createPayment({
17
      amount: plan.amount_cents,
18
      currency: plan.currency,
19
      customer_id: subscription.customer_id,
20
      payment_method_id: subscription.payment_method_id,
21
      idempotency_key: `sub_${subscription.id}_${subscription.current_period_end.toISOString()}`,
22
    })
23

24
    if (payment.status === "succeeded") {
25
      await extendSubscription(subscription.id)
26
    }
27
  } catch (error) {
28
    if (isDeclinedError(error)) {
29
      await markSubscriptionPastDue(subscription.id)
30
      await scheduleRetry(subscription.id, RETRY_SCHEDULE[0])
31
      await notifyCustomerPaymentFailed(subscription.customer_id)
32
    }
33
  }
34
}
35

36
async function handleRetry(subscriptionId: string, attemptNumber: number): Promise<void> {
37
  const subscription = await getSubscription(subscriptionId)
38

39
  try {
40
    await processSubscriptionRenewal(subscription)
41
  } catch (error) {
42
    if (attemptNumber < RETRY_SCHEDULE.length) {
43
      await scheduleRetry(subscriptionId, RETRY_SCHEDULE[attemptNumber])
44
    } else {
45
      // Final attempt failed
46
      await cancelSubscription(subscriptionId, "payment_failed")
47
      await notifyCustomerCanceled(subscription.customer_id)
48
    }
2 collapsed lines
49
  }
50
}

Multi-Currency and FX

1
interface FXQuote {
2
  from_currency: string
3
  to_currency: string
4
  rate: number
5
  expires_at: Date
6
}
7

8
export async function getQuote(fromCurrency: string, toCurrency: string, amount: number): Promise<FXQuote> {
9
  // FX rates are volatile, quote expires quickly
10
  const rate = await fetchCurrentRate(fromCurrency, toCurrency)
11

12
  return {
13
    from_currency: fromCurrency,
14
    to_currency: toCurrency,
15
    rate,
16
    expires_at: new Date(Date.now() + 60 * 1000), // 60 second quote
17
  }
18
}
19

20
export async function captureWithFX(paymentId: string, quote: FXQuote): Promise<void> {
21
  if (new Date() > quote.expires_at) {
22
    throw new Error("FX quote expired")
23
  }
24

25
  // Lock in rate at capture time
26
  await capturePayment(paymentId, {
27
    fx_rate: quote.rate,
28
    settlement_currency: quote.to_currency,
29
  })
30
}

Conclusion

Payment system design requires balancing competing concerns across multiple dimensions:

Idempotency is non-negotiable — Every payment operation must be safely retriable. Idempotency keys with request hashing prevent duplicate charges during network failures or client retries.
PCI scope reduction saves engineering effort — Edge tokenization (Stripe.js, Adyen Web Components) keeps card data off your servers, reducing PCI questionnaire from 400+ questions to 22.
Fraud decisions must be fast — Sub-100ms scoring using ML models (Stripe Radar processes 1000+ features per transaction) balances security with checkout conversion.
Double-entry ledger ensures audit readiness — Every fund movement (auth, capture, refund, settlement) recorded with debits equaling credits enables reconciliation and compliance.
Smart routing optimizes cost and auth rates — Multi-processor setups with intelligent routing can achieve 26%+ cost savings (Adyen US debit routing) while improving authorization rates.

What this design optimizes for:

Zero duplicate charges (idempotency)
PCI scope minimization (edge tokenization)
High authorization rates (smart routing)
Financial accuracy (double-entry ledger)
Operational resilience (failover, reconciliation)

What it sacrifices:

Simplicity (multi-processor complexity)
Latency (fraud scoring adds ~100ms)
Cost (third-party processor fees vs in-house)

Known limitations:

Webhook reliability depends on processor—implement webhook replay mechanisms
FX rates are volatile—quote expiration must be enforced
Chargeback handling requires manual evidence gathering
ACH failures surface days after initiation

Appendix

Prerequisites

RESTful API design principles
Database transactions and ACID guarantees
Distributed systems basics (idempotency, exactly-once delivery)
Basic understanding of card payment networks

Terminology

PAN (Primary Account Number): The 16-digit card number
PCI DSS (Payment Card Industry Data Security Standard): Security standard for card data handling
SAQ (Self-Assessment Questionnaire): PCI compliance verification form
Interchange: Fee paid by acquirer to issuer on each transaction (1.4-2.6% typical)
Authorization: Hold placed on cardholder’s available credit
Capture: Finalization of authorized transaction for settlement
Settlement: Transfer of funds from issuer to acquirer to merchant
3D Secure: Protocol for authenticating card-not-present transactions
SCA (Strong Customer Authentication): EU PSD2 requirement for two-factor auth
ACH (Automated Clearing House): US bank-to-bank transfer network
Chargeback: Disputed transaction reversed by card network

Summary

Payment systems require idempotent operations with 24-hour key retention (Stripe’s standard)
Edge tokenization (Stripe.js/Adyen Web Components) reduces PCI scope from SAQ-D to SAQ-A
Fraud scoring must complete in <100ms, evaluating 1000+ features per transaction
Double-entry ledger tracks every fund movement: authorization holds, captures, refunds, settlements
Smart routing across multiple processors can achieve 26% cost savings on US debit
Reconciliation matches internal ledger against processor settlements daily
3D Secure 2.0 enables frictionless authentication with 85% checkout time reduction

References

Stripe API Documentation - Comprehensive payment API reference
Stripe: Designing robust APIs with idempotency - Idempotency key implementation patterns
Stripe Radar: Machine learning for fraud detection - ML fraud scoring architecture
PCI Security Standards Council - PCI DSS 4.0 requirements
Adyen: Intelligent Payment Routing - Smart routing cost savings data
Stripe: 3D Secure 2 Guide - 3DS implementation patterns
Nacha: How ACH Payments Work - ACH network specifications
Visa: Credit Card Processing - Card network processing details
Martin Fowler: Patterns of Enterprise Application Architecture - Double-entry accounting patterns

Read more