
Cloud Microservices Architecture Remediation


UK Technology Vendor



Asset Class

Retail Payments




9 months

The Ask

The client, a pre-revenue FinTech payments and mobile commerce start-up, acquired the technology assets from another firm and wished to bring a new offering to market in the mobile commerce and payments space within a 9-month timeframe. The assets acquired, however, were limited by a number of architectural shortcomings:

  • Insecure and poorly implemented API authentication framework.
  • REST-based microservices architecture that was not scalable.
  • No multi-tenancy capability, requiring a new production environment per client ecosystem.
  • Insufficient encryption and perimeter security provisions, policies and governance to meet security best practices for payment card data requirements (PCI DSS).


GreySpark deployed a partner to fulfil the role of Chief Architect and interim CTO, to accelerate the remediation of these issues in order to make the platform client-ready. The delivery approach was as follows:

  • Investigate and recommend appropriate technology solutions to handle the scalability requirements of a B2C internet business of this type.
  • Deploy industry-standard OAuth2 authentication infrastructure as the API perimeter in order to allow authentication to be managed properly, and in one place.
  • Redesign the data models in the system to support multiple tenants in a single environment whilst ensuring data segregation was maintained.
  • Create a Card Data Environment (CDE) with appropriate encryption, firewall, and associated security policy, controls, and governance frameworks required to obtain a PCI DSS auditor certification.


GreySpark delivered the following during the engagement:

  • A new approach to infrastructure based on DevOps best practices that included the use of Docker and Kubernetes to provide internet scale and availability to the platform.
  • The introduction of an API Gateway solution that enabled the deployment of OAuth2 REST API authentication at the perimeter.
  • A new network and security architecture that successfully passed a PCI DSS 3.2 audit.
  • Changes to micro-service data models to support multi-tenancy.
  • A much improved Continuous Integration and Continuous Delivery approach, which resulted in multiple production deployments occurring per week.

GreySpark Delivered Benefits

  • PCI DSS certification was an essential pre-requisite to enable this pre-revenue start-up to start to sign up clients.
  • The deployment of Docker and Kubernetes effectively ensured that the infrastructure (AWS-based) could be elastically scaled to support the loads predicted by the largest global clients.
  • Hosting and infrastructure costs were significantly minimised through the deployment of a new multi-tenancy capable platform.
