As a pioneer of card payments services in Finland, Solinor is driven by a mission to make online payments efficient and secure for customers. In a market where its competitors mainly offer out-of-the-box products, Solinor tailors its solutions to clients’ requirements in order to provide the best fit for their needs. Its Solinor Payment Highway software-as-a-service (SaaS) product enables customers to accept card payments online. As such, it has to comply with the Payment Card Industry Data Security Standard (PCI DSS), which governs any system that handles credit card payments from major brands including Visa, MasterCard, and American Express. Based in Helsinki and established in 2002, Solinor had a turnover of €3.5 million (USD$3.7M) in 2014, and in the same year was named as the fastest-growing company making custom digital solutions in Finland, in the Deloitte Technology Fast 50.
The firm started building its PCI-DSS-compliant solutions on physical hardware in 2005, but it proved to be a long and expensive process. “In short, it was a real pain,” says Solinor CEO Aki Koikkalainen. “Running a solution in a traditional environment required huge upfront investment and significant, time-consuming ‘heavy lifting’ just to set up the physical hardware. This took up a lot of our resources.”
In addition to the lengthy setup time and related costs, the solutions that ran on the physical infrastructure were subject to long service breaks, which occasionally affected the customer experience. “We couldn’t scale up services easily,” says Koikkalainen, “which was a big issue at times of high traffic, such as during the Christmas period, when there’s an increase in the number of payments being conducted online.” The company needed a highly scalable infrastructure that could deliver a consistent service. This would ensure that its clients’ customers could make their online payments quickly. Given the sensitive nature of the financial data that Solinor handles, both general system security and ease of PCI DSS compliance were major factors to consider in any move to the cloud.
Why Amazon Web Services
The company evaluated a number of cloud providers, but choosing Amazon Web Services (AWS) proved to be a straightforward decision for the team. “All the other major cloud providers we looked at lacked PCI DSS certification for their services. This meant they were automatically out of bounds for us,” says Terho Siikanen, Payment Highway team development lead and AWS architect at Solinor. “In addition to satisfying our security and compliance needs, we could also see that AWS had a proven record in providing cost-effective, scalable cloud services with high availability.”
Solinor uses Amazon Elastic Compute Cloud (Amazon EC2), with Elastic Load Balancing distributing loads between multiple EC2 instances, and Auto Scaling to handle capacity provisioning automatically. It uses the event-driven compute service AWS Lambda to monitor system operations for a fraction of the cost of a traditional, server-based solution. System health is also tracked with Amazon CloudWatch tools. Software components in RPM Package Manager files were previously stored on a dedicated server, but these have now been moved to Amazon Simple Storage Service (Amazon S3). The managed Amazon Relational Database Service (Amazon RDS) saves the team database management time, while Amazon Route 53 provides domain name system (DNS) services.
AWS Identity and Access Management (IAM) lets Solinor control access to AWS resources for a high level of security, and with AWS CloudFormation the firm defines security groups and firewall rules. Its AWS resources sit within the Amazon Virtual Private Cloud (Amazon VPC). AWS CloudTrail also records all of the company’s actions in the cloud to further establish compliance.
Siikanen says, “The services we offer have to be running 24/7, so knowing we could deploy servers to multiple Availability Zones and ensure consistent uptime to our customers was another major reason we chose AWS.”
Highlighting the central role that PCI DSS certification plays at Solinor, Koikkalainen says, “If we couldn’t satisfy compliance requirements, we wouldn’t have a business.” The company knows from experience the long process involved in achieving PCI DSS certification for its solutions running on physical hardware. The contrast with AWS is significant. “We were the first software company in Finland to get PCI DSS certification for online payment services. It was hugely time consuming to achieve this compliance on physical hardware,” says Koikkalainen. “Today, AWS takes care of at least 50 percent of that work. All we have to do is show the auditors the AWS documentation. That’s just awesome for us. Truly awesome.”
Working in the cloud has also allowed Solinor to move to a leaner operational model. “Today the people we hire take full responsibility for everything: writing the code, deploying the services, managing the environment. We no longer need specialist project managers or test engineers, for example. AWS enables this model. It helps each member of the team be more productive,” says Koikkalainen. “As a result, infrastructure design and setup is 90 percent faster on AWS compared to physical hardware. AWS tools have helped us streamline development processes and decrease our time to market so we can serve our customers better.”
Especially beneficial to Solinor is the reusability of the server infrastructure when it’s stored as code. “We now have a blueprint that allows us to set up environments quickly for new projects,” says Siikanen. “We launch a lot of new projects, so when we can repeat those first phases very quickly, it saves us time and money.”
While security, compliance, and operational efficiency have provided significant business advantages to the firm, it has also saved money by running Solinor Payment Highway in the cloud. “The cost structure of AWS has enabled us to innovate and get our service to market quickly,” says Koikkalainen. “With the last system that we built on physical hardware, we had to make sure we had all our resources in place from day one. The cost for the hardware was about €20,000 a month, with a three-year lease period. So we’re looking at hundreds of thousands of euros on physical hardware. With AWS we don’t need to reserve the hardware and we don’t need to pay upfront, so we save a staggering amount of money.”
Siikanen continues: “Compared to working in the cloud, the physical hardware is a nightmare to manage. For instance, if a hard drive breaks, it takes around six hours to replace it and build the databases again. With AWS, we can just get rid of the existing server and build a new one instantly. AWS has removed our fear of hardware failures because now we can build self-healing systems. Services like Amazon RDS make it so much easier to keep our databases running smoothly, and the fact that it’s managed saves us a lot of trouble.”
With its Payment Highway up and running, Solinor is now expanding its use of AWS. “We’re running all our new projects on AWS. It’s our technology of choice nowadays,” says Siikanen. The company is also spreading the word about the cloud, educating its customers and helping them migrate their services to AWS. Koikkalainen concludes, “Working in AWS enables better security practices not only for us, but our customers as well.”