
Security issues prolong PayHound .Net migration

IT Priorities: Online payment provider PayHound was keen to adopt .Net from the word go but its security auditor advised letting the platform mature
Written by Andrew Donoghue, Contributor

Anyone who uses eBay regularly is probably aware of PayPal. The US payment processing intermediary provides a secure conduit between consumers and retailers -- so effectively that it was recently acquired by the astronomically successful online marketplace.

UK-based PayHound competes in the same area but has kept a lower profile as it mainly provides an anonymous or 'white label' service to banks, adopting the branding of the particular financial institution licensing its technology.

The company has also offered a live person-to-person payment service for the last two years in the UK -- with around 100,000 users -- that allows account holders to transfer money to merchants, banks or individuals through their online PayHound account.

The company's current product, Enterprise Payment Platform 3 (EEP3), was built using Microsoft's .Net architecture to take advantage of Web services and to ease integration with other banks' and merchants' systems.

Nikhil Rajwade, PayHound's principal architect, said that one of PayHound's main customers, ING bank in Amsterdam, is a major .Net user, which played a part in the company's decision to move to the platform.

"Our product is a payment engine that allows you to process money from one account to another very seamlessly. But it's a stand-alone product and requires integration into other services, which can be done fairly easily with .Net," he said.

PayHound did look at building their platform using J2EE technology from Sun and IBM but found that their development costs would have been too high.

"One of the major influencing factors behind our decision to choose Microsoft was that the cost of the infrastructure required to develop and maintain a secure enterprise solution in J2EE, including the costs of WebSphere and supported services, were too prohibitive," said Rajwade. "We were able to get a working .Net prototype within three months. The initial projections for J2EE were more like eight months. That was quite remarkable."

PayHound would have begun developing in .Net from the day the company first launched in 2000 but the immaturity of the platform meant it wasn't robust enough for the security levels required by the financial services industry.


"Security reasons, the fact that it hadn't been tested enough in the market and audits from our main auditor security consultants, NTA Monitor, prevented the company from moving to .Net immediately," said Rajwade.

PayHound's initial product, Enterprise Payment Platform 2 (EEP2), launched two years ago, had to be built around Com+ -- Microsoft's object-oriented programming architecture and precursor to .Net. But the company used Microsoft-certified consultants to help design the initial platform close to the .Net vision to ease future migration.

But despite being part of Microsoft's early adopter programme, and actually writing its original code with the express intent of migrating to .Net, Rajwade claimed that the migration process wasn't quite as smooth as Microsoft had promised.

"While Microsoft does say it's supposed to be very easy -- it's not as easy as it sounds. Our application was completely done in VB6 with Soap toolkit so there were third party dependencies. Moving to .Net wasn't easy as all of it needed to be code that .Net was able to understand," he said.

Although tools in Visual Studio.Net helped to get PayHound started, Rajwade said there was still a lot of work to be done including training staff to use the new platform.

"We had two choices: either send developers off to a training session and then use them to re-train internally, but this would have taken too long and cost too much money, or hire consultants," he explained.

The company opted for the latter. Through the Microsoft early adopter programme PayHound was able to get two high-level Microsoft developers in-house for six weeks to help with the migration.

PayHound then went back to NTA Monitor for around a month of testing to establish the security of the .Net-enabled platform.

"After we felt a sufficient amount of confidence from the market, we went to our auditors with our prototype again to see if it was going to run. It turned out very well and within three months we were able to move our existing code base to .Net," said Rajwade.

Compared to the previous Com+ based system, .Net passed with flying colours, he said. "There are a fair amount of security considerations to take into account when deploying a Microsoft-based solution but that is true with any other platform. We did not find a huge cost difference in our security analysis where a Microsoft-based platform was less secure than a J2EE or Linux-based solution," he added.

Microsoft security has improved dramatically recently, according to PayHound. Rajwade explained that the .Net platform runs on Windows Server 2003, which he claimed is a good example of Microsoft's new approach.

"Windows Server 2003 comes in default lock-down model, so you have to enable it to do what you want it to," he explained.

.Net has improved the company's productivity by at least 40 to 45 percent and a lot of code that needed to be written in earlier applications could be bypassed using .Net, Rajwade claimed. The company also implemented Microsoft Biztalk 2002, which allows enterprise-level application integration.

"Going on .Net and being completely XML-based, the push to enable EAI for the organisation became much easier as we had standard protocols throughout the organisation and we could seamlessly change protocols as we integrated third-party services into our organisation."
