A migration story: How NCR & Opus delivered Card Management to Google Cloud
Corporate Vice President, Banking Product Management, NCR Corporation
Solutions Architect, Opus Consulting
Migrating legacy systems to the cloud can be challenging for large enterprises. However, migration to the cloud also ensures higher performance, scalability, and availability in the long run. This blog highlights the collaboration between NCR Corporation and Opus Consulting Solutions and their success story of effectively migrating their Card Management Solution (NCR Authentic Cards) to Google Cloud.
NCR Authentic Cards, part of NCR’s transaction processing platform, offers financial institutions (FIs) the ability to flexibly deploy and customize new card programs and services using APIs - and is now available on Google Cloud. This blog is the first of a series that covers the migration project in detail. Here, we will look at how the teams worked together to define the scope, the high-level architecture employed, and the additional functionality that is available to customers. Future blogs will provide rich insights into the infrastructure and the monitoring components associated with this Google Cloud-based solution.
What is NCR Authentic Cards?
NCR Authentic Cards offers its customers advanced capabilities in card management services like debit card issuing. APIs are provided to easily manage “bank issued” cards and support the operation of multiple channels within the FI; all the APIs are hosted in Google Cloud.
NCR Authentic Cards provides high-end functionality for clients to thrive in the ever-evolving payments ecosystem:
Card Product Experience APIs: Giving card-issuing financial institutions the ability to customize a Card Product and deliver enhanced and personalized self-service options to their customers.
Card Issuance Experience APIs: Providing endpoints for the issuance of cards once a consumer account is opened.
Card Management Experience APIs: Enriching customer experience through a “Digital First” model by exposing services for the management of cards including activation, PIN creation/change and card renewal.
Personalized Experience APIs: Empowering FIs’ customers with advanced personalized services including buy now pay later, travel notifications for seamless transaction approvals while on vacation, merchant categorization to control spending, secure and paperless Green pin, virtual cards and cryptocurrency capabilities.
Who are the key stakeholders in a cloud migration project?
Given the multi-faceted requirements within a financial institution, it is vital to identify and understand the needs of each of the key stakeholders who play a central role in cloud migration projects:
Building cloud-based architecture
Migrating a card issuing system is a task that requires careful planning with a myriad of elements to be considered:
Management of external APIs that are accessible by users including NCR's systems, customers, and partners and the need to control how workloads connect regionally and globally.
Routing branch and front office operations
A robust, reliable backend to handle a high volume of transactions
Secure communication between services that perform linked operations.
Security and compliance standards common in financial services solutions
Besides all this, business requirements also call for faster time to market with innovative use cases and upcoming features.
Opus assisted NCR and Google Cloud's ISV Centre of Excellence on these challenges by designing and testing an architecture that could support organizational requirements and the application complexity around accessibility, security, scalability, and reliability.
The first step was hosting the NCR Authentic Cards application on a Google Cloud VPC network, which spans multiple regions without communicating across the public internet, allows shared connections between the VPC and on-premises resources, and maintains a shared private IP space for more restricted services. For enhanced security, a set of tightly controlled firewall rules further protects the components from affecting each other if something goes wrong.
Cloud NAT is also a key part of the architecture. The components behind the gateway are assigned only private IPs, which makes them inaccessible and invisible from outside the VPC while still letting them open outbound connections, meeting security requirements. Additionally, Cloud NAT provides highly available network address translation for all subnets in the VPC region through a single gateway.
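The network layout described above could be written in Terraform roughly as follows. This is an added example, not NCR's or Opus's configuration; every name, region, CIDR range, network tag and port in it is a placeholder.

```hcl
# Added example: all names, regions, CIDRs, tags and ports are placeholders.
resource "google_compute_network" "cards" {
  name                    = "cards-vpc"
  auto_create_subnetworks = false # only explicitly defined subnets exist
}

resource "google_compute_subnetwork" "services" {
  name                     = "cards-services"
  region                   = "us-east1"
  network                  = google_compute_network.cards.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # reach Google APIs without external IPs
}

resource "google_compute_router" "egress" {
  name    = "cards-egress-router"
  region  = google_compute_subnetwork.services.region
  network = google_compute_network.cards.id
}

# One gateway translating outbound traffic for every subnet in the region.
# Cloud NAT does not accept unsolicited inbound connections.
resource "google_compute_router_nat" "egress" {
  name                               = "cards-egress-nat"
  router                             = google_compute_router.egress.name
  region                             = google_compute_router.egress.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# Only the API tier may reach the backend tier, and only on its service port.
# The VPC's implied deny-ingress rule blocks every other inbound connection.
resource "google_compute_firewall" "api_to_backend" {
  name        = "cards-allow-api-to-backend"
  network     = google_compute_network.cards.id
  direction   = "INGRESS"
  priority    = 1000
  source_tags = ["cards-api"]
  target_tags = ["cards-backend"]

  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}
```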
To address requirements around scalability and DevOps, services are containerized and hosted in Google Kubernetes Engine, which provides benefits like reduced management overhead, tenant isolation, efficient resource usage, infrastructure monitoring and automated development rollouts. This design allows the application to run as an autonomous microservice with its own Horizontal Pod Autoscaler. It also implements the internal service routing and inter-Pod communication via HTTP/REST required by the application and offers high availability across zones via a regional cluster. The use of namespaces and service grouping enables multi-tenant cost optimization. CI/CD pipelines for Google Kubernetes Engine allow the development team to easily build, test and deploy updates.
The services are exposed via a globally accessible Cloud Load Balancer that handles SSL termination and DDoS protection. This component scales as users and traffic grow and handles unexpected spikes, which is crucial for card services availability. Additionally, the services are protected by a Cloud Armor layer that allows only “Allow-Listed” IPs and customers from specific regions to access them. External APIs are routed via the Load Balancer to Apigee, which provides full API lifecycle management capabilities that support the always evolving and expanding card services integration ecosystem while offering the option to monetize API products. This allows the solution to constantly offer new endpoints and a wider set of connectors for internal and external systems.
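One way to express the Cloud Armor layer described above in Terraform, as an added example rather than NCR's or Opus's configuration: allow-listed ranges and permitted regions are admitted, and everything else is denied. The policy name, IP ranges and region code are placeholders, and treating the two conditions as alternatives is an assumption.

```hcl
# Added example: policy name, ranges and region codes are placeholders.
variable "allow_listed_ranges" {
  type    = list(string)
  default = ["203.0.113.0/24", "198.51.100.0/24"] # documentation ranges (constructed)
}

variable "allowed_region_codes" {
  type    = list(string)
  default = ["US"] # constructed sample value
}

resource "google_compute_security_policy" "cards_api" {
  name = "cards-api-edge-policy"

  # Explicitly allow-listed source ranges (at most 10 ranges per rule).
  rule {
    action      = "allow"
    priority    = 1000
    description = "Allow-listed source ranges"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = var.allow_listed_ranges }
    }
  }

  # Clients whose source address maps to a permitted region.
  rule {
    action      = "allow"
    priority    = 2000
    description = "Permitted regions"
    match {
      expr {
        expression = join(" || ", [for c in var.allowed_region_codes : "origin.region_code == '${c}'"])
      }
    }
  }

  # Default rule: anything not matched above is rejected at the edge.
  rule {
    action      = "deny(403)"
    priority    = 2147483647
    description = "Default deny"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

The policy takes effect only once it is referenced from the load balancer's backend service, through the `security_policy` argument of `google_compute_backend_service`.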
The fully managed database service, Google Cloud SQL, is used to provide data storage capabilities in High Availability mode. The architecture also includes a Memorystore instance that provides caching for the product, giving the services faster response times. Finally, the entire infrastructure and services report constantly to logging and monitoring tools.
The project was executed in the following phases within a short span of two months:
Google Cloud Architecture Framework Review
Infrastructure as Code production to automate infrastructure provisioning and application deployment
Verifying and running Terraform scripts to create the infrastructure
Running the helm charts to deploy the application
Benchmarking and Testing
Setting up Logging & Monitoring
Setting up CI/CD
With NCR’s guidance on the product strategy, Opus assisted NCR in execution by facilitating a cohesive collaboration between the infrastructure and the development teams. This further helped address issues reported during the benchmarking phase in an expedited manner. With Opus’ participation, NCR carried out an iterative review process with Google Cloud Solution Architects from the ISV Center of Excellence to maintain compliance during production stages and to ensure that the work was done following the best practices detailed in the Google Cloud Architecture Framework. During the execution phase, NCR and Opus shared in-depth insights into the payments domain, ensuring that industry benchmarks were always adhered to amidst the migration activity. Day-to-day needs of the payment industry, such as encryption of data, allow and deny lists of IPs, and use of private IPs, were always kept at the forefront while designing and deploying the product in the cloud.
The impact of this migration can be seen in the following benefits:
The entire infrastructure is automated and built using Terraform scripts, and the services are deployed using Helm charts ensuring that new environments can be produced on demand, in no time.
With strong participation from the solution developers and with previous experience in the cloud, we achieved an accelerated migration process.
Alignment to NCR’s CI/CD pipeline, using the Harness tool for automated deployments of the product.
Modernizing a complex Cards Management System and migrating it to the cloud can be challenging. The mix of NCR’s product and domain experience combined with Opus’ specialized cloud development resources delivered a world-class solution in the Google Cloud. Today, NCR Authentic Cards is a validated product in Google Cloud and its services are readily accessible to financial institutions upon onboarding.
About Opus Consulting: Backed by years of experience in building highly innovative payment solutions and products for the digital age, Opus Consulting Solutions is at the forefront of shaping the future of the FinTech and Payments Technology landscape. Opus combines its deep technology proficiency with unmatched domain expertise in Payments and FinTech to deliver unparalleled quality and value in their work. For more information, visit: https://opusconsulting.com/contact/
About NCR: NCR Corporation (NYSE: NCR) is a leading enterprise technology provider that runs stores, restaurants and self-directed banking. NCR helps financial institutions bridge digital and physical operations so that they can connect with consumers anytime, anywhere. Through innovative solutions, NCR simplifies and optimizes banking experiences for customers and staff alike. NCR provides a modern and efficient end-to-end infrastructure for customers to connect to the broader enterprise and fintech ecosystem to run self-directed banking. NCR is headquartered in Atlanta, Ga., with 38,000 employees globally. NCR is a trademark of NCR Corporation in the United States and other countries.