TransferGo Gets PCI Compliant 10x More Easily than DIY

Also optimizes payments by breaking free of vendor lock-in

Case Study Summary

Case Study LogoCase Study

Client

Over 2.5 million customers trust TransferGo to send money to over 160 countries worldwide. High speeds, low fees and hassle-free service keep people coming back and recommending the service, with a 4.8 out of 5 rating on Trustpilot.

Client Photo

Oleg Murasko
VP of Engineering

Region

Global

Industries

FinTech, Payments

Goal

Use multiple PSPs for push card payments, through a simple interface, for a new API-based product.

Challenge

Find a way to work with raw card details (PAN), without risk. Reduce dependency on existing single PSP.

Solution

PCI DSS Level 1 Certification and Payment Optimization

Result

With VGS, TransferGo secured PCI DSS Level 1 compliance with 10x less manpower – just 35 days vs. 350 days – than it would have taken them to do it in-house, and are projecting a savings of 90% of the manpower it would take annually for on-going PCI maintenance. They also secured the ability to work directly with card data, without storing it in-house, and optimized payments by breaking lock-in to one PSP.

Background Img

Background

TransferGo offers rapid international remittance solutions that make it easy to send funds abroad, without the exorbitant fees charged by dominant players in the market. With money transfers that can be completed in minutes or even seconds, TransferGo provides a quick and transparent alternative to slow and expensive global remittance companies.

Though historically focused on the B2C market, TransferGo recently launched a new enterprise API-based product for organizations to make mass payments to customers, suppliers and employees. When developing the product, they researched how to do push card payments through the API and ran into a serious constraint with their existing Payment Service Provider (PSP) that led them to search for a way to work with raw card data.

Challenge

Though the team was relatively happy with their PSP, as their product portfolio grew, they ran into the inevitable constraints that come along with vendor lock-in – they had to work the way that one PSP worked. Neither could they easily use other PSPs, which meant they had no bargaining power, no fail over, and no way to balance transaction volume between different partners.

The first issue to solve was that TransferGo’s PSP only supported tokenized cardholder data. Oleg shared, “That additional token operation would be just additional pain for our customers in terms of using API. We wanted a very simple interface.” To keep it simple, they needed to operate on the raw data, and isolate tokenization from the PSP. They began exploring a classic path to own the data – going through the full PCI DSS certification process and keeping the data themselves in-house.

TransferGo is an AWS house, so they reviewed the AWS reference architecture for building an in-house PCI DSS compliant environment, including building their own cardholder data environment (CDE). “We evaluated how much it would cost to set up and run and, in the end, it came down to opportunity cost. We are a small team. All that time it would take to build the infrastructure and go through the PCI DSS audit on our own, we could be spending on building a better product or launching into new markets,” said Oleg.

“All that time it would take to build the infrastructure and go through the PCI DSS audit on our own, we could be spending on building a better product or launching into new markets.”

Oleg Murasko
VP of Engineering

Solution

“It was amazing how as part of helping us go through the PCI DSS audit, VGS helped implement necessary technical controls in our infrastructure with VGS Vault. It’s the first time I’ve seen someone take this really boring part of compliance and make it very close to engineering first – helping me as an engineer understand and integrate compliance into my landscape.” - Oleg Murasko, VP of Engineering

Once the team decided not to build out PCI infrastructure in-house, they began searching for a solution that would allow them to process payments data securely, without giving up control of their data.

After evaluating several vendors, TransferGo selected Very Good Security to accelerate their PCI DSS Level 1 compliance certification and remove their data security burden. In addition, using VGS allowed their API to work with full card details while insulating their enterprise customers – and TransferGo – from seeing or touching that data.

There were several reasons the team selected VGS over the competition.

Support

Other solutions considered were lacking in support of custom certificates, DPM, and quality of technical support. In comparison, Oleg was impressed with the VGS pilot and subsequent implementation, “VGS provided a better engineering experience and it just worked as we expected. The technical support team was amazing, and that was a really important decision point for us. Our team wasn’t sitting around stuck and waiting during integration because of the great turnaround time and the quality of communication. Documentation was also easy to find and understand. Surprisingly other vendors were not shining from a support perspective which was really... I expected a bit better.”

Features & Engineering-focused User Experience

During implementation, Oleg and team found VGS to be extremely flexible. “It is like a set of Lego blocks that are flexible and modular, so you can play around and configure it quickly. Conceptually, it’s a small and simple building block that you can use within your existing architecture. We could easily treat it as part of our core infrastructure,” said Oleg. He went on to explain that it has “c-line, better monitoring, proper role-based access. This is what I would expect as an engineer in a service I am buying for my core infrastructure. It's not a black box; this is what I like.”

Soution Img

Results

“Our estimate to build PCI DSS infrastructure in-house and go through the audit was 350 engineering days. With VGS, we cut that manpower 10x and were certified PCI Level 1 in just a few weeks. We’re also projecting a savings of 90% of the manpower it would take annually for on-going PCI maintenance. These are huge time savings that let me focus the team on activities to help grow the business.” - Oleg Murasko, VP Engineering

For an experienced VP of Engineering like Oleg, building a solution in house just didn’t make sense when he compared it to the lost opportunity. For him, “It was all about reducing the effort required from our engineering guys who had to focus on product instead of compliance.”

With VGS, TransferGo was able to save over 300 days of engineering time and get to market 11 months faster than if they’d built their own PCI solution in house.

Just as importantly, they’ve removed themselves from the liability that comes with storing sensitive data while retaining ownership and the ability to work with that data in its original form.

“VGS is best-in-class security and compliance infrastructure for payments, that’s really built for engineers.” - Oleg Murasko, VP Engineering

Results Img