TL;DR

We are open sourcing our Payment SDK – Stash!. It helps us cut down the amount of tedious work that usually comes with integrating payments into mobile apps. At the time of writing, the open source version supports 3 payment service providers (Adyen, BS Payone, Braintree), handles 3D Secure 2, and includes a well-thought-out UI for both Android and iOS.

Introduction

Paying with the smartphone was the founding idea of MobiLab back in 2012. Our aim was to get rid of the wallet, stop carrying all our credit and debit cards with us, and store them instead on the device that accompanies us on a daily basis: the smartphone. We developed a payment SDK for Android and iOS (we called it Stash!) to enable developers to integrate payment into their applications with a single line of code.

Since mobile payment was and is a recurring theme in our projects, and we have been tasked with integrating payments into quite a few apps, we further developed our SDKs over the years and integrated different payment service providers (PSPs) behind them.

PSPs are the processors that comply with strict security requirements for storing credit card data (and payment information in general). By doing so, they also reduce the legal risk a merchant would otherwise have to carry (e.g. by storing sensitive information itself, which might be lost or stolen).

The Stash! SDK

To the dismay of developers, the decision as to which PSP to use is usually not driven by the ease of using its API. Instead, it is more likely based on which PSP offers the lowest rates to the business. We do not intend to do payment service providers an injustice here. Some are reluctant to evolve their APIs, because anything that might break compatibility for their existing clients is a significant risk to them. Also, because their APIs are very stable, the pains of implementing payment are only felt once and then forgotten (check out this cool YouTube video of Adyen explaining the complexities PSPs are facing).

However, as contractors, we performed these integration tasks too often for our taste. This is how we came to build our own payment SDK, which does its best to hide the nasty details of the PSP APIs it supports. Thanks to the SDK, we have to deal with each individual PSP API only once. Once that is done, every developer can work against our common API without caring much about which PSP sits behind it.

Even better, we implemented reusable UI components for iOS and Android, which can either be used as they are, or serve as a template, saving a bit of repetitive work.

Architecture

The Stash! SDK consists of Android & iOS client libraries, a backend, and a neat web dashboard.

The backend and dashboard can serve multiple tenants (merchants), if required. They can be hosted on Google Cloud Platform without relying on any vendor-specific features: Kubernetes and PostgreSQL are all that is strictly needed to run them. We provide Terraform scripts and Kubernetes resources that work for Google Cloud Platform; adjusting them to other providers should not be too difficult.

Client Libraries

We highly recommend trying out the UI components provided by our Android and iOS client libraries. We have taken great care to make them user-friendly and to save you the time of reinventing the wheel. Note that the components we provide for Android are currently based on a newer design than those for iOS.

If you want to (or have to) implement a custom UI, you can use our client API to make that task easier for you.

Web Dashboard

Alongside the SDKs we also provide the Stash! dashboard, a web-based platform that allows merchants to configure their account, set up their PSP configuration and generate API keys. Merchants also get a real-time overview of their ongoing transactions. They can filter the list of transactions and issue refunds, capture a transaction or reverse it on the go. There are probably many more features that could go into the web dashboard, but we will leave it to the community to come up with great ideas and bring the web dashboard to the next level.

Security & Compliance

The Stash! SDKs do not store any sensitive data; we leave that to the PSPs. Compared to integrating a PSP directly, the SDKs do not change anything in terms of security and compliance. A merchant who accepts credit cards will still have to ensure they are PCI DSS SAQ A-EP compliant.

As of September 2019, the European Union introduced the PSD2 directive, which enforces higher security measures for online payments and affects how credit card payments are done online. Most importantly, 2-factor authentication – also called strong customer authentication – has become mandatory. Exceptions can be made if the paid amount is small, or if a transaction is considered safe for other reasons (e.g. if the same credit card is used repeatedly at the same merchant and a recent payment was authenticated successfully). 3D Secure 2 is how the credit card industry implements PSD2.

Strong customer authentication (SCA) will be enforced by 31 December 2019, so payment flows that do not yet comply with the new law may still work for some time. However, the actual behavior of banks may differ, and we recommend using a compliant payment flow already. Apps and web pages that use non-compliant flows should be migrated as soon as possible; otherwise, in the worst case, legitimate transactions may be declined, causing revenue loss and dissatisfied customers.

As we wanted to share a future-proof solution, the Stash! SDKs support 3D Secure 2. However, the current open source release includes the implementation for Adyen only, because the other PSPs did not provide full documentation of how they have implemented these measures on their side.
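The exemptions described above (a small amount, or a card used repeatedly at the same merchant with a recent successful authentication) are something a merchant backend has to reason about before it submits a payment to the PSP. The following Python is an added illustration and not part of the Stash! SDK or its backend: it models a merchant-side policy that either routes a payment into the 3D Secure 2 challenge or submits it with an exemption request, and it shows the bookkeeping that the low-value exemption needs (the issuer stops granting it after a run of unauthenticated payments, so counters reset on every successful SCA). The per-transaction and cumulative limits for the low-value exemption are taken from the PSD2 regulatory technical standards; the "trusted card" thresholds, the card-token history structure and the `soft_decline` result label are assumptions made for the example. The issuer always has the final say, which is why an issuer "soft decline" is answered by re-submitting with a challenge.

```python
"""Added example (not Stash! SDK code): merchant-side SCA exemption policy under PSD2."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Low-value exemption limits from the PSD2 RTS (Art. 16), in euro cents.
LOW_VALUE_MAX_CENTS = 30_00
LOW_VALUE_CUMULATIVE_MAX_CENTS = 100_00
LOW_VALUE_MAX_COUNT = 5

# Assumed merchant policy for treating a card as "trusted" at this merchant.
TRUSTED_MIN_PAYMENTS = 3
TRUSTED_AUTH_WINDOW = timedelta(days=90)

SOFT_DECLINE = "soft_decline"  # constructed label: issuer insists on SCA


class ScaDecision(Enum):
    CHALLENGE = "challenge"         # run the 3DS2 challenge before authorising
    EXEMPT_LOW_VALUE = "low_value"  # submit with a low-value exemption request
    EXEMPT_TRUSTED = "trusted"      # submit with an exemption based on card history


@dataclass
class CardHistory:
    """What the merchant backend keeps per card token (assumed structure).
    Only the PSP's token is stored, never the card number."""
    card_token: str
    successful_payments: int = 0
    last_authenticated_at: Optional[datetime] = None  # last successful SCA
    exempt_count_since_sca: int = 0                   # unauthenticated payments since then
    exempt_cents_since_sca: int = 0


def decide_sca(amount_cents: int, currency: str, history: CardHistory,
               now: datetime) -> ScaDecision:
    """Return CHALLENGE unless one of the exemptions clearly applies."""
    if currency != "EUR":
        return ScaDecision.CHALLENGE  # limits above are euro amounts
    recently_authenticated = (
        history.last_authenticated_at is not None
        and now - history.last_authenticated_at <= TRUSTED_AUTH_WINDOW
    )
    if history.successful_payments >= TRUSTED_MIN_PAYMENTS and recently_authenticated:
        return ScaDecision.EXEMPT_TRUSTED
    # Conservative reading of the low-value caps: count this payment as well.
    if (amount_cents <= LOW_VALUE_MAX_CENTS
            and history.exempt_count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
            and history.exempt_cents_since_sca + amount_cents <= LOW_VALUE_CUMULATIVE_MAX_CENTS):
        return ScaDecision.EXEMPT_LOW_VALUE
    return ScaDecision.CHALLENGE


def record_outcome(history: CardHistory, amount_cents: int,
                   authenticated: bool, now: datetime) -> CardHistory:
    """Update history after a successful payment; an SCA resets the low-value counters."""
    history.successful_payments += 1
    if authenticated:
        history.last_authenticated_at = now
        history.exempt_count_since_sca = 0
        history.exempt_cents_since_sca = 0
    else:
        history.exempt_count_since_sca += 1
        history.exempt_cents_since_sca += amount_cents
    return history


def apply_issuer_response(decision: ScaDecision, issuer_result: str) -> ScaDecision:
    """The issuer may refuse an exemption: a soft decline means retry with a challenge."""
    return ScaDecision.CHALLENGE if issuer_result == SOFT_DECLINE else decision


def run_scenarios() -> dict:
    """Constructed scenarios (no real transaction data) exercising the policy."""
    now = datetime(2019, 12, 1, 12, 0)
    out = {}
    fresh = CardHistory("tok_new")
    out["small_amount_new_card"] = decide_sca(25_00, "EUR", fresh, now).value
    out["large_amount_new_card"] = decide_sca(80_00, "EUR", fresh, now).value
    out["non_euro"] = decide_sca(25_00, "USD", fresh, now).value
    trusted = CardHistory("tok_regular", successful_payments=4,
                          last_authenticated_at=now - timedelta(days=10))
    out["regular_card_recent_sca"] = decide_sca(250_00, "EUR", trusted, now).value
    stale = CardHistory("tok_stale", successful_payments=4,
                        last_authenticated_at=now - timedelta(days=200))
    out["regular_card_old_sca"] = decide_sca(250_00, "EUR", stale, now).value
    # Six consecutive 10 EUR payments: the fifth is the last one exempted.
    seq, decisions = CardHistory("tok_seq"), []
    for _ in range(6):
        d = decide_sca(10_00, "EUR", seq, now)
        decisions.append(d.value)
        record_outcome(seq, 10_00, authenticated=(d is ScaDecision.CHALLENGE), now=now)
    out["low_value_sequence"] = decisions
    out["after_reset"] = decide_sca(10_00, "EUR", seq, now).value
    out["soft_decline"] = apply_issuer_response(ScaDecision.EXEMPT_LOW_VALUE, SOFT_DECLINE).value
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point of keeping the counters on the merchant side is not to second-guess the issuer but to avoid requesting an exemption that will be refused anyway: every refused exemption costs a round trip and, in the worst case, a declined authorisation, which is exactly the revenue loss the post warns about.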

Getting Started

Having now shared all this information on Stash! with you, it is time to get started and check out our open-sourced repositories. Visit the Stash! projects on GitHub for instructions.

We have spent a lot of time with our team on Stash! and hope that we can save you time whenever you are dealing with payments on mobile devices. Even though a lot of energy and time went into the design and implementation of Stash!, it is probably not perfect. So please let us know your feedback, either by leaving comments on GitHub or by writing to: stash@mobilabsolutions.com


WRITTEN BY

Nikolaj

Nikolaj is a Software Engineer & People Manager at MobiLab. When he is not writing blog posts, he builds services for customers around mobility and data integration.