Wading Into Serverless
Payments professionals who have tested the cloud-computing waters explain the benefits and challenges of serverless computing
By Michael Coleman
These days, pretty much anyone with a smartphone or an internet connection is familiar with using remote servers to store and manage computer data, a practice called cloud computing. But the cloud isn’t just for saving family photos or sharing work documents anymore. Increasingly, businesses, including payment processors, are turning to a cutting-edge cloud function—serverless computing—to handle a litany of tasks traditionally handled by in-house computer architecture.
In a nutshell, serverless computing is a cloud-computing model in which a cloud provider, such as Amazon, Google, or Microsoft, runs the server and relies on code written by client developers to perform specific tasks. Prices are typically based on the amount of resources consumed by an application, rather than on capacity purchased in advance.
When a predetermined event, such as a payment transaction, activates the code, the serverless platform executes the task. The client doesn’t need to tell the serverless provider how many times these events or functions will occur. Typically, serverless clients spend a fraction of a penny each time a function is executed.
Embracing Serverless Technology
Serverless is relatively new to the payments industry, but payment processors are increasingly turning to this new technology for help in managing their data. Some payments industry professionals who have jumped into the serverless end of the information technology pool say that the decision has helped them manage traditional computer workloads and made it easier to comply with the rigorous PCI Data Security Standard.
Kevin Shamoun, chief technology officer for Zeamster, a payments gateway that allows merchants to swipe credit cards and run transactions from any location, says his company has gone almost completely serverless. The company started the transition slowly with Amazon Web Services, a serverless computing provider, six years ago. “Zeamster is an API-first platform that is using serverless to handle all our requests, including transactions and reporting,” Shamoun explains. “During peak transaction times, our application scales automatically. Being serverless allows us to focus on being nimble and developing faster—rather than worry about server capacity and availability.”
But Zeamster didn’t reach this point overnight. “We started slow by design,” says Shamoun, who also is vice chair of the ETA Technology Committee. “It’s a difficult process to convert your mindset to serverless—it’s easier said than done.”
While serverless certainly offers an array of attractive IT services, the transition can be difficult for legacy companies that already have extensive in-house computer architecture in place, Shamoun says. Because his company is only eight years old, “we kind of grew up with Amazon,” he says, explaining that Zeamster added serverless functions as Amazon’s offerings became more sophisticated. “We had the luxury of growing up with [Amazon Web Services], and most don’t have that luxury.” Older payments companies, says Shamoun, “have all kinds of legacy data centers and agreements in place,” which make it more complicated for those companies to make the transition.
For startups entering the payment processing realm, on the other hand, Shamoun believes the decision to adopt remote serverless computing instead of buying traditional in-house architecture is easy. “For anybody starting up, I would definitely say it is by far the way to go,” he says. “Otherwise, you’re going to be stuck in a situation where you have to do some rewriting. You’re eventually [going to] want to get to serverless, so why deal with rewriting and migrating software when you can just start that way?”
The Nuts and Bolts of Serverless
The term “serverless computing” is a bit misleading. Serverless still requires servers to process requests and deliver data over a network connection, but the servers are owned by an outside company and operated away from the client’s brick-and-mortar business. Server management and capacity planning decisions are completely hidden out of sight, if not always out of mind.
Fayaz Makhani is director of operations for SecureTrust Compliance Services, a division of global cybersecurity giant Trustwave. He says dynamic, nimble, and growing companies are increasingly looking to serverless options to avoid high capital costs.
“This is an emerging area that is rapidly growing,” explains Makhani. “The serverless cloud offering is at every major cloud provider now, and many of the smaller providers have put together a service for serverless computing, too. It is something that many of our clients are looking to move toward because it relieves them of a lot of overhead from the day-to-day operations.”
The main advantages to going serverless for businesses, including for merchants and payment processors, are cost and scalability. Businesses can often avoid the whopping price tag for computer architecture, instead contracting out for the exact amount of computing they need.
Serverless computing also permits businesses to ramp up rapidly if they need more computing firepower. This could be a helpful solution for a merchant that anticipates doubling or tripling sales around the holidays but doesn’t need all that tech firepower on a daily basis.
Makhani sees the growing move toward serverless computing as akin to contracting for equipment when you need it, rather than buying it. “Imagine today you are an e-commerce merchant and you’re doing 100,000 transactions on a daily basis, but we have Mother’s Day coming up and you would expect to have 300,000 orders per day,” he explains. “Before serverless, you would have to do capacity planning and ensure that you have ample servers and ample time to spin up the servers prior to your workload being generated.
“Today, with serverless, you don’t have to worry about that,” Makhani continues. “If your transactions go from 100,000 per day to 300,000 per day, the infrastructure is able to scale itself into ensuring your 300,000 orders can be addressed and not have to worry about doing the capacity planning yourself. It allows the merchant to focus on its business … rather than worry about a server stack.”
Makhani says the appeal of serverless is primarily that it frees up time and resources spent managing computer technology. In other words, the real value of serverless is not cost efficiency, but time savings. “It’s less about eliminating the cost and more about being able to focus on the task at hand,” Makhani explains. “Clients are able to focus only on their development and [do] not have to worry about the server stack and the technology stack they would need to support and upkeep to be able to deliver the service.”
A general familiarity with cloud computing is helping to win over skeptics at legacy financial companies and major credit card issuers. “I think because serverless has come in after elastic computing, there is already a bit of familiarity of how cloud providers work, and there is a level of trust that has already been afforded to the cloud providers,” Makhani says, “so the transition isn’t as much of a paradigm shift today as it was, let’s say, five years ago.”
Challenges and Opportunities
While there are many potential benefits to adopting serverless computing, making the switch also has its challenges. As business users become increasingly reliant on a specific cloud provider, such as Amazon’s AWS Lambda, Microsoft Azure Functions, or Google Cloud Functions, they limit their options for changing course.
“As an organization adopts and matures, it can get tied-in with specific cloud services provided by that specific vendor,” explains Adam Salerno, senior director at Colorado-based cybersecurity firm Coalfire. “So, while you can pick up your code and move it easily to a new provider, the equivalent services at a new provider may not be a one-for-one, potentially creating security holes.”
Salerno says Coalfire works with plenty of companies in the payments space. “With [payments], in particular, we do see customers using [serverless computing], and it certainly shortens execution time and you’re able to gain some performance with it,” he says. “But because this is a relatively new technology, there isn’t a lot of experience with this type of workload. Organizations and merchants need to consider the new security vulnerabilities this brings up for them.”
Peter Wagener, chief technology officer at CardFlight, which provides payment acceptance solutions for small businesses, says his company has embraced serverless computing with good results, although only for a small number of specific functions.
“The uses we have for serverless right now are somewhat limited but very functional,” he says. “It very easily handles very spiky loads of requests. We can get 10 requests for a minute versus 1,000 requests in one minute—but the features that are serverless-based work the same way.”
Unlike Zeamster, CardFlight doesn’t rely on serverless computing for its PCI compliance. “The serverless [providers] actually have only recently come through with compliance-based PCI solutions,” Wagener says. “Doing things like handling card data is still relatively new for the serverless environment, so it’s not something we’ve started to use yet.
“But things like handling a device’s heartbeat [a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a computer system] and getting certain data off the device … serverless works extremely well for those types of solutions because it works for any type of load that we may have any given time during the day,” he adds.
Salerno and others say serverless offers “an endless amount of things that you can do just based on your workflow and what you want to have happen.” And it’s not necessarily an all-or-nothing approach to handling a company’s IT needs. “It’s the perfect playground for dipping your toe in because you can spin things up quickly and test them out, and then shut them down—without having to buy new server equipment to make that happen,” he says.
Wagener advises any company considering serverless to do its homework, ask lots of questions, and start small. He also says it’s important to understand what you want serverless to do and to write good code to execute those actions. He says a common misconception in the payments industry is that serverless is not secure or able to meet PCI compliance requirements.
“Both of those are incorrect,” he says. “You can build fully un-secure and fully un-compliant solutions in traditional or serverless-based solutions. You can also build fully compliant and secure solutions, as well. The biggest confusion I hear is about which problems it’s meant to solve.”
Michael Coleman is a contributing writer to Transaction Trends.