GoCardless: Supporting a recurring payments platform that prioritizes user safety

About GoCardless

The GoCardless platform makes it easier to set up and collect Direct Debit recurring payments, perfect for invoices, subscriptions, and fees.

Industries: Technology
Location: United Kingdom

GoCardless migrates its infrastructure to Google Cloud Platform, to support the implementation of enhanced security procedures and eliminate operational work for a more agile development environment.

Google Cloud Results

  • Enables engineers to focus on development and optimizations, reducing the operational burden with services such as Container Registry
  • Speeds up app deployment and environment replication for fault-checking by creating a more agile infrastructure on GKE
  • Makes it easier to implement security procedures with Cloud Identity Aware Proxy, for VPN-free user authentication

Infrastructure costs down by 25%

The way we buy goods and services has been transformed by the move to online retail and the growth of the subscription economy, but traditional payment methods haven’t kept up. Collecting payment for invoices by bank transfer is time consuming and typically results in late payment and poor cash flow for businesses. According to Recurly, recurring payments made by credit cards typically fail 9% to 14% of the time, as cards expire and are lost or stolen. Traditional Direct Debit is difficult to access for smaller businesses and costly to manage.

GoCardless takes the pain out of getting paid for businesses that regularly invoice customers, or that offer subscription, membership, or installment plans to customers. Through a world-class API and integrations with major billing and subscription software, GoCardless allows businesses to collect payments with ease, using authorized bank debit schemes around the world, including Bacs Direct Debit in the United Kingdom, SEPA Direct Debit in Europe, BECS in Australia, and PAD in Canada. Founded in 2011, GoCardless now processes US$10 billion worth of payments a year for around 40,000 businesses from small accounting firms and media agencies to gym chains, global subscription businesses, and media houses.

"As well as solving operational challenges such as peaks in traffic, we are moving to the cloud to maintain our pace of innovation. We were looking for an ecosystem that would enable our engineers to focus on development, so we can keep ahead of the market."

Norberto Lopes, Senior Manager, Infrastructure and Systems Engineering, GoCardless

"When payments don't work, businesses suffer," says Norberto Lopes, Senior Manager, Infrastructure and Systems Engineering at GoCardless. "GoCardless helps customers collect recurring payments quickly, reliably, and cheaply. Businesses can either integrate our API into their billing software, or smaller merchants can use our dashboard to set up payments. For us, that means most of our traffic occurs during the working week, but we still need to be available on weekends, as merchants can use the system at any time."

GoCardless wanted to gain more flexibility to be able to easily expand capacity, while accelerating its security systems according to best practice. It decided to migrate from its previous hosted data center into the cloud, and Google Cloud Platform (GCP) offered the best fit.

"As well as solving operational challenges such as peaks in traffic, we are moving to the cloud to maintain our pace of innovation," says Norberto. "We were looking for an ecosystem that would enable our engineers to focus on development, so we can keep ahead of the market."

Reducing maintenance and operational tasks

The security and stability of IT systems are crucial for financial services providers, as they rely on maintaining a high level of consumer trust in order to retain clients and gain new ones. Achieving the right certifications also means being able to solve problems quickly and easily. "We process hundreds of thousands of transactions every day," says Norberto. "With our previous hosted data center, setting up new servers was time consuming and tedious, as well as being error prone, as we had to check the controls, storage, and encryption. It would take around four hours to set up a new machine after putting in a ticket and specifying all the parameters."

"Following a lot of research and iteration, we started by migrating our internal apps, then we migrated our staging environment, and finally our production environment. We took a one-hour maintenance window to divert traffic to Google Cloud Platform, but effectively, it only lasted eight minutes!"

Norberto Lopes, Senior Manager, Infrastructure and Systems Engineering, GoCardless

To gain greater agility, GoCardless migrated its applications to Google Kubernetes Engine (GKE) on GCP. "We took a phased approach, as we wanted the migration to be completely unnoticeable to our customers, and we didn't want to disrupt the workflow of our development team. Following a lot of research and iteration, we started by migrating our internal apps, then we migrated our staging environment, and finally our production environment. We took a one-hour maintenance window to divert traffic to Google Cloud Platform, but effectively, it only lasted eight minutes!"

"We run our apps on GKE and host our database on Google Compute Engine," says Norberto. "Using GKE with Container Registry has removed a lot of the operational burden and our development cycle from idea to deployment is also faster, as anyone can set up an app with a simple configuration, without the involvement of the Site Reliability Engineering Team."

"We also built an internal data processing pipeline using Cloud Pub/Sub, Cloud Storage, Cloud Dataflow, and BigQuery," he explains. "We put our pipeline together without wasting time on building. With Cloud Dataflow, we don't need to worry about the volume of data we're processing, and there isn't a capacity limit so our engineers can focus on their work, not on provisioning machines."

Focusing on security with Google BeyondCorp

Security was a key factor in GoCardless's choice of GCP as a cloud provider. "GoCardless adheres to multiple security standards including the information security management system ISO 27001 and the EU-US Privacy Shield framework that protects transatlantic data transfers, as well as GDPR and the Revised Payments Services Directive," says Norberto. "The GCP certifications align with our standards, and for us, it was crucial that security is a core part of Google Cloud."

"Moving to Google Cloud Platform removed a huge operations workload, which means we can focus on the next step for GoCardless. We would not be able to innovate in terms of security at the same pace, without the tools GCP offers."

Norberto Lopes, Senior Manager, Infrastructure and Systems Engineering, GoCardless

"Using the BeyondCorp principles as a model, we use Cloud Identity Aware Proxy to enable our team members to easily access team pages without needing to use a VPN," he explains. "They are onboarded automatically via G Suite, and are protected by two-step authentication. We also use Cloud Key Management Service for our cryptographic keys, which enables us to rotate keys automatically if we need to."

The reactivity of the Google Cloud team has also been an advantage, according to Alex Lucas, Director of Security at GoCardless: "Google Cloud has been an incredible security partner," he says. "Every time we have asked to better understand something, they have gone above and beyond to connect us with the right teams to assess the risks we are operating with. Whenever I asked them a hard security question, they listened and made sure to answer. I have been hugely impressed!"

Increasing agility, reducing costs

Moving to GCP has also helped GoCardless to reduce its infrastructure spend. "Our costs are down by around 25 percent, even though we are doing much more with our system than previously," says Norberto. "Most importantly, our system is more robust. Before, when we had a failure in the system, it would take two weeks to replicate the production cluster with the same data so we could locate the fault. On GCP, when we had a similar failure, it took us just 17 minutes to replicate the cluster, saving two weeks of data recovery work for an entire team. Whereas provisioning a server used to take four hours, it now takes a couple of minutes."

Now, GoCardless is planning to make use of the newest tools on GCP to further reduce the maintenance burden and optimize its processes. "Having finished the migration, we can now make the infrastructure more elastic, using autoscaling to automatically add instances, for example," says Norberto. "Everything's already in place for us. We're also really excited about the newest Google Cloud data services and products. Cloud Composer is in our roadmap, which will manage Apache Airflow for us. As Google Cloud is expanding its global network, it will support our plans for expansion in the upcoming months."

"Moving to Google Cloud Platform removed a huge operations workload, which means we can focus on the next step for GoCardless," says Norberto. "We would not be able to innovate in terms of security at the same pace, without the tools GCP offers."

About GoCardless

The GoCardless platform makes it easier to set up and collect Direct Debit recurring payments, perfect for invoices, subscriptions, and fees.

Industries: Technology
Location: United Kingdom