The Problem
The client’s PHP monolith was processing €40M in annual payment volume across three EU markets, but it was accumulating critical technical debt faster than the team could address it. Transaction failures during peak hours were averaging 2.3%, payment reconciliation was manual (4 hours/day), and PCI-DSS Level 1 certification — required to close the Series C — was blocked because the monolith’s architecture could not be scoped for PCI compliance.
The Constraints
No downtime tolerance. The platform was processing live payment volume across three EU markets. A big-bang rewrite was not an option — any migration approach had to keep payment processing available throughout, with no window for a hard cutover.
PCI-DSS Level 1 as a hard external deadline. The Series C timeline was set. PCI-DSS Level 1 certification was the prerequisite. Architecture decisions had to produce a certifiable system within a fixed timeframe, not just a technically improved one.
Limited test coverage in the legacy codebase. The PHP monolith had sparse automated tests and undocumented implicit dependencies between components. Before any service could be safely extracted, the behaviour of the existing system had to be understood well enough to specify what the replacement was supposed to do — and verified against the existing output.
Our Approach
We used a strangler fig pattern to migrate the monolith incrementally, routing new payment flows through the new microservices architecture while keeping the legacy system running in parallel. This eliminated big-bang rewrite risk and meant payment processing was never interrupted.
Key decisions:
- Event sourcing for the payment ledger — every state change is an immutable event, making audits trivial and reconciliation automatable
- Separate services for authorization, settlement, reconciliation, and fraud detection — each independently deployable and independently auditable for PCI-DSS cardholder data environment scoping
- End-to-end encryption with dedicated key management (AWS KMS)
- Automated reconciliation pipeline replacing the 4-hour manual daily process
Stack: Node.js, TypeScript, Apache Kafka, PostgreSQL, Redis, AWS EKS, Terraform.
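
An illustration of the event-sourcing decision above, showing why an append-only ledger makes reconciliation automatable: state is derived by replaying events, then compared with a processor settlement report. This is an added example, not code from the engagement; the event names, fields, report shape and sample data are constructed assumptions.

```typescript
// Added example: event shapes and sample data are constructed for illustration.
type PaymentEvent = {
  type: "Authorized" | "Captured" | "Refunded";
  paymentId: string;
  amountCents: number;
};
interface PaymentState { authorized: number; captured: number; refunded: number }
interface Discrepancy { paymentId: string; reason: string }

// State is never stored directly: it is derived by folding the append-only log.
function project(log: ReadonlyArray<PaymentEvent>): Record<string, PaymentState> {
  const state: Record<string, PaymentState> = {};
  for (const e of log) {
    const s = state[e.paymentId] || (state[e.paymentId] = { authorized: 0, captured: 0, refunded: 0 });
    if (e.type === "Authorized") s.authorized += e.amountCents;
    else if (e.type === "Captured") s.captured += e.amountCents;
    else s.refunded += e.amountCents;
  }
  return state;
}

// Compare net amounts derived from the log with the processor's settlement report.
function reconcile(log: ReadonlyArray<PaymentEvent>, settled: Record<string, number>): Discrepancy[] {
  const state = project(log);
  const out: Discrepancy[] = [];
  for (const id of Object.keys(state)) {
    const s = state[id];
    const net = s.captured - s.refunded;
    if (s.captured > s.authorized) out.push({ paymentId: id, reason: "captured exceeds authorized" });
    if (!(id in settled)) {
      // Authorized-only payments legitimately have nothing to settle.
      if (net !== 0) out.push({ paymentId: id, reason: "missing from settlement" });
    } else if (settled[id] !== net) {
      out.push({ paymentId: id, reason: `ledger ${net} != settled ${settled[id]}` });
    }
  }
  for (const id of Object.keys(settled)) {
    if (!(id in state)) out.push({ paymentId: id, reason: "settled but not in ledger" });
  }
  return out;
}

// Constructed sample: p2 has a refund the report omits, p4 is unsettled, p5 is unknown.
const SAMPLE_LOG: ReadonlyArray<PaymentEvent> = [
  { type: "Authorized", paymentId: "p1", amountCents: 5000 },
  { type: "Captured", paymentId: "p1", amountCents: 5000 },
  { type: "Authorized", paymentId: "p2", amountCents: 3000 },
  { type: "Captured", paymentId: "p2", amountCents: 3000 },
  { type: "Refunded", paymentId: "p2", amountCents: 1000 },
  { type: "Authorized", paymentId: "p3", amountCents: 2000 },
  { type: "Authorized", paymentId: "p4", amountCents: 1500 },
  { type: "Captured", paymentId: "p4", amountCents: 1500 },
];
const SAMPLE_SETTLEMENT: Record<string, number> = { p1: 5000, p2: 3000, p5: 700 };
console.log(reconcile(SAMPLE_LOG, SAMPLE_SETTLEMENT));
```

Because the log is the only source of truth, every discrepancy can be traced back to the specific events that produced the ledger figure.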

The Outcome
- Transaction latency down 68% (P95: 340ms → 108ms)
- Payment failure rate: 2.3% → 0.07%
- PCI-DSS Level 1 certification achieved 6 weeks ahead of schedule
- Series C closed at €12M two months after certification
- Reconciliation fully automated — zero manual hours
Team
Engagement: 7 months, 4 engineers (2 backend, 1 infrastructure, 1 security).