migrate to new processing infrastructure

[chadwhitacre]

Balanced is going out of business. On #67 we've been designing our new processing infrastructure. This ticket is to coordinate implementation of our design. Here are the pieces:

• Braintree for vaulting and processing cards (migrate to Braintree #3287), settling to Citizens
• Gratipay for storing bank accounts and identity information
• Citizens for ACH credits (Citizens for ACH? #3366; possibly/probably via OpenACH, OpenACH for ACH? #3371)
• Gratipay for compliance (with professional help: find a lawyer inside.gratipay.com#193)

Here's a spreadsheet with a timeline of targets we need to hit to pull this off:

Timeline

[chadwhitacre]

To: Balanced

Greetings, friends. :-)

As June 11 approaches, we've been hard at work over here sorting out our migration plan. At this point it looks like we're not going to be moving to Stripe. Instead, we're planning to move credit card processing to Spreedly, and ACH credits and identity verification in-house to Gratipay. We're putting concrete plans together here:

#3377

At this point my question is: Will you be able to support us in this plan? Anything special we should be aware [of] in not following the well-trodden Stripe route?

[chadwhitacre]

I'm seeing two "tracks" here:

• Migrate Processing
  • start double-storing new data in Balanced and in new stores (Spreedly/Gratipay)
  • export data from Balanced to new stores
  • start processing from new stores
  • stop storing new data in Balanced
• Salvage Data: log additional information in exchanges #2443 and backfill the status, route, and ref columns of the exchanges table #2779 (depends on Add exchange routes to record-an-exchange.spt #3295, PR is Add route to record exchange spt #3356)

[chadwhitacre]

It's more important to migrate processing than to salvage data, so we should do that first. We can supposedly query transactions until October 9, but we can't process after June 11.

[chadwhitacre]

One question I have is whether we cut over to Spreedly and Citizens ACH on the same week, or different weeks. It's probably less risky to stage them. Which would we do first, all things considered?

[chadwhitacre]

We just don't have a ton of time, though.

[chadwhitacre]

Braintree is ready to go, we're still pending account setup with Citizens ACH. On the other hand, we're storing the ACH-side information in our own db, so we don't have to wait for that. I propose that we sync up double-storing for both cards and bank accounts/identity, and then take the processing migration in two steps:

• Cards first, settling to ... New Alliance? That's already a live part of our escrow system, may as well have Braintree settle there for now (how hard is it to change where charges settle? good thing to figure out: migrate to Braintree #3287 (comment))
• ACH second, once we are online with Citizens.

We can tackle escrow consolidation as a separate project, once the dust settles.

[chadwhitacre]

Today is Gratipay 152, and the last day for processing is Gratipay 158. Let's aim for this for "Phase 1: Migrate Processing":

152
153
154 process cards on Spreedly/Braintree
155 
156 process ACH on Citizens
157
158

That gives us:

• two weeks to cut over to Spreedly/Braintree
• two weeks to cut over to Citizens
• two weeks buffer

I've updated the spreadsheet with a day-by-day breakdown.

[rohitpaulk]

!m @whit537!

I'll be able to put some solid work in after 10th May, which is just in time for the Braintree/Spreedly integration.

[chadwhitacre]

From: Balanced

We can certainly pass your card tokens along to Spreedly, but cannot pass along bank account data to you guys directly I'm afraid. You'll need to find a processor with an AOC of compliance for that.

...

Scratch the AOC reference in my last email, I got some wires crossed while writing that! The AOC is only for credit card processing, but we do only pass tokens of any sort along to an accredited processor, FYI.

To: Balanced

Okay, I was confused there for a sec. :-)

So if Gratipay were PCI compliant we could receive bank accounts and SSNs from Balanced?

#3379

[chadwhitacre]

I guess I'm asking, if an AOC isn't what you would need from us, then what would you need? What exactly constitutes "an accredited processor" that you could transfer bank accounts to?

[chadwhitacre]

From: Balanced

Ok, I've been discussing this internally, and here's the deal. We do actually require an AOC for this; although it is not the industry standard, we err on the side of caution, so require a higher than normal level of compliance. You'd need an outside agency to run a compliance audit, such as CoalFire. These are expensive and time consuming, just an FYI.

[chadwhitacre]

To: Balanced

Been doing some research over here as well. I'm looking at Visa's compliance program for service providers, and I'm seeing they have two levels based on volume. They require a third-party AOC for Level 1, and a self-assessment questionnaire for Level 2. Both levels also require a quarterly network scan from an approved scanning vendor. Gratipay is in Level 2.

If Gratipay were certified Level 2 by Visa or another card network, would that be satisfactory? Would it be sufficient for us to provide the SAQ-D and network scan directly to Balanced?

[chadwhitacre]

To: Balanced

Looks like the SAQ includes an AOC at the end. In other words, PCI DSS provides for self-certification, and it's the prerogative of the entity requiring the certification to accept a self-certified AOC instead of a third-party AOC in some circumstances. In Visa's case, they accept a self-administered AOC for service providers that process less than 300,000 transactions per year. The bottom line for us here is that it really is up to Balanced to decide what it will accept in terms of compliance validation.

Above you said we'd "need an outside agency to run a compliance audit." We have less than a thousand bank accounts on file, and we're only processing ~500 bank transactions per year. In view of our smaller size (and Visa's precedent), would Balanced be willing to accept a self-assessed AOC from Gratipay? We'd be happy to also conduct a network scan with an approved scanning vendor.

[chadwhitacre]

Balanced convo picks up at #3379 (comment).

[blrhc]

Can Gratipay manage the liability of holding users' bank and identity information?

[techtonik]

What were the options to outsource bank and identity information management? PCI is an awesome idea, but it looks expensive to put a checkmark, and maybe even not feasible to implement some crypto/security layers on top of what we have now if they are required.

I'd avoid the risk of management of bank and identity info if possible.

[chadwhitacre]

What were the options to outsource bank and identity information management?

You can see the options I surfaced starting at #67 (comment). Let's pick up this thread over there ...

[chadwhitacre]

If cards are at Braintree before we land gratipay/inside.gratipay.com#192, which ideally is next Thursday, then we can run payday from Braintree. Right now Braintree is pointing to Citizens Operations, which is no good. We have a sales meeting with Citizens ACH next Thursday so there's no way we'll have that ready before then. We should settle Braintree to New Alliance for next Thursday: #3287 (comment).

If cards are not at Braintree and/or Braintree isn't settling to New Alliance then we'll need to run payday on Balanced. Any new cards that were added after redirecting vaulting to Braintree won't be included next week, which is acceptable.

[chadwhitacre]

Migrating cards reticketed as #3391.

[chadwhitacre]

Seems like the timeframe on card migration is too tight for next Thursday, so let's plan to run on Balanced next Thursday (without whatever cards are added/updated after we switch to vaulting on Braintree ... oooh, updates introduce a race condition as well ...).

[chadwhitacre]

And let's try to run on Braintree the week after that.

152
153
154 
155 process cards on Braintree
156 process ACH on Citizens
157
158

[rohitpaulk]

so let's plan to run on Balanced next Thursday

@whit537 - We couldn't run on Balanced today, what's going to change before next Thursday that'll make it possible?

[chadwhitacre]

We couldn't run on Balanced today

We couldn't run on Balanced today for legal reasons. There was no technical reason we couldn't.

what's going to change before next Thursday that'll make it possible?

Here's what we need to pull off from a legal standpoint to run payday next week: gratipay/inside.gratipay.com#192 (comment). We'll need some technical changes as part of that but they're minor compared to this ticket.

[chadwhitacre]

Basically, we're tackling two huge challenges right now:

1. Replacing our processing infrastructure, under pressure of Balanced going out of business.
2. Shoring up our legal foundation, under pressure of exposure due to our openness.

These two are only circumstantially related, in that we received a disclosure from Stripe as part of (1) that cascaded into (2). They're orthogonal in terms of the work required.

[chadwhitacre]

Didn't quite make Braintree (#3287) today, and Citizens (#3366) is getting pushed dangerously back. Current targets:

152
153
154 
155
156 process cards on Braintree
157
158 process ACH on Citizens

[chadwhitacre]

We are live on Braintree as of 156. Huge thanks to @rohitpaulk for nailing the PR: #3470.

Alright Citizens! Let's do this! 💃

[chadwhitacre]

Current targets:

157
158
159 process ACH on Citizens

:-(

[chadwhitacre]

Alright, climbing back out of a serious 🐰 hole. I am now much more expert on compliance, regarding both BSA/AML and PCI DSS.

Our primary objective is to process ACH payouts on June 18, Gratipay 159. Our current best option is still Citizens, but we have a lot of work to do to get online with them.

Here's what we have to pull off, in two streams:

• strengthen our infosec (beef up the infosec portion of our risk program inside.gratipay.com#223)
  • migrate to AWS (migrate to AWS #3505), and/or
  • build a vault (build a vault #3504)
  • join the U.S.-{EU,Swiss} Safe Harbor (join the U.S.-{EU,Swiss} Safe Harbor inside.gratipay.com#222)
  • ❓❓❓
  • PCI SAQ-D (implement a PCI self-assessment program inside.gratipay.com#214)
• clear Balanced underwriting (get PCI certified by Balanced #3379)
• migrate data from Balanced into our vault

---

• strengthen our AML (establish a proper AML program inside.gratipay.com#119)
  • CIP (implement a customer identification program (CIP) #3289)
  • CCD (establish a customer due diligence (CDD) program inside.gratipay.com#219)
  • ❔
• clear Citizens underwriting (Citizens for ACH? #3366)
• code up the integration with Citizens

---

• run ACH on Citizens 💃

[chadwhitacre]

Honestly? The reality is that we only have a handful of customers to pay out via ACH at this point. Even if we slip a week or two while implementing Citizens, that would not be the total end of the world. Let's recall that when we first launched, we went 12 weeks before we started paying out.

[blrhc]

What's happening in terms of PayPal?

On 1 Jun 2015, at 20:44, Chad Whitacre [email protected] wrote:

Honestly? The reality is that we only have a handful of customers to pay out via ACH at this point. Even if we slip a week or two while implementing Citizens, that would not be the total end of the world. Let's recall that when we first launched, we went 12 weeks before we started paying out.

—
Reply to this email directly or view it on GitHub.

[chadwhitacre]

@benhc123 Good point: PayPal is no problem. Let's keep that in our back pocket as an option for users in case it looks like we'll slip on migrating ACH.

[chadwhitacre]

From: Balanced
Subject: Final days on Balanced

Hi everyone,

This is a notice that time is running out for Balanced customers to migrate.

June 11, 2015 at 11:59pm PST

• Debiting customers
• Reversing credits
• Tokenizing cards
• Initiating data migration

June 18, 2015 at 11:59pm PST

• Crediting sellers
• Tokenizing bank accounts

October 9, 2015 at 11:59pm PST

• Refunding debits
• Fighting disputes
• Debits from and credits to the marketplace's bank account
• Querying API
• Use of dashboard

[chadwhitacre]

Interesting. We have an extra week for ACH. :)

[chadwhitacre]

From: Balanced

This is a notice that we're changing our pricing for refunds on Thursday, June 11, 2015 at 11:59pm PST.

Previously, we returned the variable component of the debit (2.9% in standard pricing); however, we will no longer return the fees of the debit when performing a refund. We've worked hard to manage our finances during the wind-down and need to continue to do so through mid-October. This pricing change will allow us to make our costs more predictable.

[techtonik]

How does that affect us?

[chadwhitacre]

@techtonik Well, we're planning to refund remaining Gratipay 1.0 balances in August, so this means we won't be able to refund the variable component of the fee.

[chadwhitacre]

Here's a ticket for the Big August Refund: #3539.

[chadwhitacre]

Today is the last day for Balanced ACH. I'm not sure we're going to pull off Zipmark by next week (#3491), because we're getting mired in AML program implementation (#2449).

[chadwhitacre]

"Off Balanced"