Design a Payment System

PCI DSS (Payment Card Industry Data Security Standard) prohibits storing raw PAN, CVV, or PIN data. Violation results in fines up to $100,000/month, loss of card processing privileges, and mandatory forensic audits after a breach. Practically: storing raw card data makes your entire database a high-value target — a single SQL injection exposes every customer's card. The solution is tokenisation: the PSP converts the raw PAN into an opaque token (e.g., tok_1Abc23XYZ) that is useless to an attacker because it can only be charged through your PSP account. The token is safe to store, log, and transmit.

An idempotency key is a UUID generated once per payment intent, included as a header (Idempotency-Key: uuid) on every mutating API call. The server stores a mapping of idempotencyKey → result in a fast store (Redis). If the same key arrives again — from a client retry after a network timeout — the server returns the stored result immediately without reprocessing the payment. Without idempotency keys, a network timeout during a successful charge causes the client to retry and the customer is charged twice. With them, the retry returns "already charged" with the original transaction ID, and the customer is never double-billed.

The intent extras returned by the UPI app (Status=SUCCESS, txnRef=...) are populated by third-party applications running on the user's device. A modified or malicious UPI app could return Status=SUCCESS for a payment that never happened — or was intentionally failed. On a rooted device, an attacker could intercept and modify the intent. The correct pattern is: parse the intent only to extract the txnRefId (a reference ID provided by NPCI), then immediately call your server with that ID. Your server queries NPCI's payment status API to get the actual bank debit confirmation. Only after the server verifies the debit do you update the transaction to SUCCESS. The client's intent result is a hint, not a fact.

Every transaction state is persisted in Room as it changes. On Application.onCreate(), PaymentSdk.init() calls recoverPendingTransactions(), which queries Room for any transactions in PROCESSING or PENDING_VERIFY state older than 5 minutes. For each, it calls PaymentTransport.pollStatus(txnId) to fetch the current status from the payment gateway. The result updates Room. When the user next sees the payment screen, they see the correct final state — success, failure, or an actionable "resume payment" prompt — rather than a stuck spinner. The 5-minute threshold avoids incorrectly recovering a transaction that is still actively processing in a background thread.

Two-layer guard: (1) UI layer — disable the Pay button immediately on first tap and restore it only on completion or failure. This prevents most duplicate taps. (2) SDK layer — CheckoutOrchestrator holds a Mutex. Every startCheckout() call attempts mutex.tryLock(). If the lock is already held (checkout in progress), the call returns CheckoutState.AlreadyInProgress and nothing is executed. Even if the UI layer fails (configuration change, programmatic duplicate call), the Mutex ensures at most one checkout executes at a time. On the server side, the idempotency key provides a third layer: even if two charge requests reach the server, the second is deduplicated.

Certificate pinning means your app only trusts a specific TLS certificate (or its public key hash), rather than any certificate signed by a trusted CA. A standard HTTPS implementation trusts hundreds of CAs — if any of them is compromised or issues a rogue certificate for your domain, an attacker can perform a MITM attack and intercept your payment requests. With certificate pinning, the app rejects any certificate not matching its pinned hash, even if it's CA-signed. For payment apps this is critical because a MITM attack against a payment endpoint exposes transaction amounts, card tokens, and payment method details. OkHttp implements pinning via CertificatePinner. The pin is the SHA-256 hash of the certificate's public key — changing the certificate but keeping the same key pair allows you to rotate the certificate without updating the pin.

Floating-point numbers (Float, Double) cannot represent most decimal fractions exactly in binary. For example, 0.1 + 0.2 in IEEE 754 floating point equals 0.30000000000000004. Across thousands of transactions, these rounding errors accumulate into real financial discrepancies — a ₹0.01 error per transaction across 10 million transactions is ₹100,000. The solution is to store all monetary values in the smallest currency unit as a Long: ₹199.50 is stored as 19950 paise. All arithmetic is exact integer arithmetic. The decimal representation is only computed at the display layer, formatted once as a string. Never pass monetary values through Float/Double — use BigDecimal for display formatting if needed, but persist and compute on the integer representation.

A split payment is a distributed transaction — two separate deductions that must either both succeed or both roll back (atomicity). The classic solution is the Saga pattern: execute each step sequentially with compensating transactions for rollback. Step 1: deduct ₹200 from wallet (immediate, server-side). Step 2: initiate ₹800 UPI payment. If Step 2 fails, execute compensation: refund ₹200 to wallet. The saga coordinator lives server-side, not on the client. The client submits a single "split payment" request with the amounts per method. The server orchestrates the two deductions. The idempotency key covers the entire saga — a retry of the split payment request replays only the steps that haven't yet succeeded. Never attempt to coordinate a split payment entirely client-side — network failures between steps leave you in an inconsistent state with no way to guarantee compensation.

Double-entry bookkeeping means every transaction creates exactly two ledger rows: a debit and a credit. For a ₹999 purchase: DEBIT ₹999 from customer_account_balance, CREDIT ₹999 to merchant_escrow_balance. Both rows share a transaction_id and are written in a single database transaction (atomic). If either write fails, neither commits. The sum of all credits must equal the sum of all debits at all times — this is an invariant enforced by the database. Double-spend is prevented because the debit reduces the customer balance before the credit reaches the merchant; any concurrent transaction reading the customer balance sees the reduced amount. For wallet payments, the debit uses optimistic locking (WHERE balance >= amount AND version = ?) to prevent two concurrent debits from both seeing sufficient balance.

Reconciliation is the process of verifying that your internal transaction records match the PSP's settlement records. Mismatches occur because: (1) your webhook receiver was down when the PSP sent the callback, (2) the PSP processed a payment but your server crashed before recording the result, (3) a refund was processed at the PSP but not in your DB. The solution is three-layer: (1) Real-time webhook with retry: make the webhook endpoint highly available and idempotent; PSPs retry for 72 hours. (2) Proactive polling: any transaction in PENDING_VERIFY for >2 minutes is polled server-side. (3) Daily batch reconciliation: download the PSP's T+1 settlement file (CSV/SFTP), compare every PSP transaction ID against your ledger, and flag discrepancies as "ghost charges" (PSP charged, you didn't record) or "phantom credits" (you recorded success, PSP didn't charge) — both require manual resolution by a payments ops team.

Retriable failures are transient — the payment might succeed on a second attempt: network timeout (IOException), 500 Internal Server Error, 503 Service Unavailable, 504 Gateway Timeout. These warrant exponential backoff with jitter (e.g. 1s, 2s, 4s + random 0–500ms) up to 3–5 retries. Non-retriable failures are permanent — retrying will produce the same result: 402 Payment Required (insufficient funds), 422 Unprocessable Entity (invalid card number, expired card), 400 Bad Request (malformed VPA), a specific PSP decline code (card blocked, suspected fraud). Retrying these wastes time, frustrates users, and in the case of fraud-blocked cards, may trigger additional fraud flags. The SDK must parse the HTTP status code and the PSP's decline code from the response body to categorise correctly, then surface a human-readable reason to the user immediately for non-retriable failures.

Card tokens (and any payment credentials) stored on-device must be encrypted using the Android Keystore System. The Keystore stores cryptographic key material in secure hardware (TEE — Trusted Execution Environment, or StrongBox on Pixel devices) that is isolated from the application processor. An attacker with root access or an ADB backup of the device cannot export the key material — they can only use it through the Keystore API, which can enforce authentication requirements (biometric/PIN required before each use). The recommended cipher is AES-256-GCM (authenticated encryption — provides both confidentiality and integrity). SharedPreferences, files, or Room without encryption are not acceptable for payment credentials — they are readable by anyone with ADB access or a rooted device. Use the EncryptedSharedPreferences or EncryptedFile Jetpack Security library as a convenience wrapper over Keystore.

PSP failover means routing a payment to a secondary PSP (e.g., Stripe) when the primary (e.g., Razorpay) returns 5xx or times out. The gateway maintains a health score per PSP: after N consecutive failures within a 60-second window, mark the PSP as degraded and shift traffic to the secondary. The risks: (1) Partial charges: if the primary processed the payment but returned a timeout, retrying on the secondary double-charges. Solution: check the idempotency store before failover — if the primary has a result stored, return it without calling the secondary. (2) Different PSP capabilities: Razorpay supports UPI; Stripe does not. Failover logic must be payment-method-aware. (3) Token incompatibility: a card token issued by Razorpay cannot be charged by Stripe — tokenisation is PSP-specific. For saved cards, maintain dual tokens if multi-PSP failover is needed. PSP failover is complex and should only be attempted for high-criticality flows where PSP downtime is unacceptable.

NPCI mandates a maximum 30-second window for a UPI transaction. If the user hasn't entered their PIN within 30 seconds, the transaction is auto-expired at the NPCI layer. The client-side handling: set a 30-second timer when the UPI intent is launched. If onActivityResult hasn't returned by 30 seconds and there's no valid txnRefId, update the local transaction to TIMED_OUT. Show the user: "Your UPI payment expired. Please try again." The user can initiate a new transaction with a fresh idempotencyKey. On the server, poll the timed-out transaction once more — occasionally the UPI app returns late and the transaction did succeed within the window. If the server confirms success, update to SUCCESS immediately even though the client had already marked it timed out. The Room state update propagates to the UI via Flow.

The RBI's Card-on-File (CoF) Tokenisation mandate (effective October 2022) prohibits merchants from storing raw card data. All saved cards must be tokenised through the card networks (Visa/Mastercard) or their certified TSPs (Token Service Providers). Key implementation changes: (1) You can no longer store even the last-4 digits and expiry date for display — these must come from the network-issued token's metadata. (2) Tokenisation must happen via the card network's API (network tokenisation), not just a PSP token. A PSP token is a network-specific alias — a Razorpay token cannot be charged through another PSP. A network token (Visa Token Service) can be charged through any Visa-certified acquirer. (3) For existing saved cards, you must migrate from PSP tokens to network tokens or delete them. (4) The RBI mandate applies to any entity storing card data for Indian cardholders, including international PSPs serving Indian merchants.

Use Kotlin coroutines' withTimeout() wrapping the entire checkout coroutine. When the timeout fires, a TimeoutCancellationException is thrown, caught in the finally block, and the transaction is marked TIMED_OUT in Room. But — and this is the critical part — cancellation must also notify the server. A locally-timed-out transaction may still be processing at the PSP. Silently abandoning it leaves a ghost transaction. On timeout, immediately call POST /cancel?txnId=&idempotencyKey=. If the PSP has already confirmed success, the cancel will fail — the server returns the existing SUCCESS status and the client corrects its local state. If the cancel succeeds, the transaction is voided at the PSP. The gateway's cancel endpoint must also be idempotent — a retry on cancel must not double-void.

Fraud scoring must happen server-side — never client-side where it can be bypassed. Placement in the flow: the fraud engine runs after order creation but before PSP call. This means a high-risk transaction is blocked before any money moves. The fraud model inputs: device fingerprint (from the Android SDK), IP address, transaction amount, payment method, merchant category, velocity (transactions per hour for this user), card BIN data. Latency target: the fraud check must complete in <200ms to keep total checkout under 3s. To hit this: (1) Pre-compute velocity features in Redis (updated on every transaction, read in O(1)). (2) Run the ML model on a low-latency inference server (e.g., ONNX Runtime) co-located with the gateway. (3) Use async scoring for post-hoc review: for borderline risk scores, allow the transaction and flag it for manual review within 2 hours — zero latency impact. Block only clear high-risk (score > 0.9). This tiered approach maximises fraud catch rate while maintaining acceptable false-positive rate.

Refunds are initiated server-side (by merchant or customer support) and are asynchronous — the actual bank reversal takes 5–7 business days for card refunds (2 hours for UPI). The UI update chain: (1) The server initiates the refund with the PSP and immediately updates the transaction status to REFUND_INITIATED. (2) A push notification (FCM) is sent to the user's device with the refund ID. (3) The SDK receives the FCM, calls transport.pollStatus(txnId), and updates Room. (4) The UI observes the Room Flow and shows "Refund Initiated — ₹999 will be credited in 5–7 days." When the actual bank reversal completes, the PSP sends a webhook (refund.processed), the server updates to REFUNDED, sends another FCM, and the UI updates to "Refund Complete". The local transaction history in Room reflects each status change as it happens — the user sees a live timeline.

Testing strategy has four layers: (1) Unit tests with fakes: FakePaymentTransport implements the same interface as PaymentTransport and returns configurable responses (success, decline, timeout). All tests in the orchestrator and repository use fakes — no network, no PSP sandbox calls, runs in milliseconds. (2) Integration tests with PSP sandbox: Each major PSP (Razorpay, Stripe) provides a sandbox environment with test card numbers that simulate specific outcomes: 4111111111111111 always succeeds, specific test cards simulate decline codes, 3DS triggers. These tests run in CI on every PR, take 30–60 seconds. (3) UPI test harness: Build a test UPI app (debug-only) that responds to the same intent with configurable status — useful for testing the no-response edge case and the "don't trust the intent" flow. (4) Chaos testing: Intercept OkHttp calls in debug builds with an interceptor that randomly drops responses, returns 500s, or delays by 5 seconds. Run the full checkout flow against the chaos interceptor to verify state recovery works correctly. Never run real transactions in automated tests.

Mid-payment network changes have two dangerous moments: (1) During the PSP charge request: if the TCP connection drops, the OkHttp call throws an IOException. PaymentTransport retries with the same idempotency key on the new network interface — the idempotency store at the server prevents double-charging. The retry succeeds transparently. (2) During the UPI intent (user is in PhonePe): if the network drops while the UPI app is processing, the UPI app may show an error and onActivityResult returns with Status=FAILURE. Your parser returns UpiIntentResult.ClientFailure — but you must still poll the server because the bank debit may have succeeded before the network dropped. Register a ConnectivityManager.NetworkCallback: when network is restored, immediately re-run the status check for any transaction in PENDING_VERIFY. The correct heuristic: on any network change, immediately poll all unresolved transactions. Never rely on a client-side timeout to discover that a transaction resolved during a network outage.