Professional Documents
Culture Documents
CardHub Technical Architecture PDF
CardHub Technical Architecture PDF
CardHub
Technical Architecture
2. CardHub Kiosk 5
2.1 CardHub Kiosk components 5
3. CardHub Server 7
3.1 Overview 7
3.2 CardHub Server Key Components 8
4. CardWizard Suite 9
4.1 CardWizard and CardHub 9
4.2 CardWizard API 9
4.3 CardWizard KGS 10
4.4 CardWizard technical documentation reference 10
7. AWS Architecture 19
7.1 Overview 19
7.2 Authentication and Authorisation 20
7.3 VPC Network Addressing 20
7.3 Scalability 21
7.4 High Availability & Failover 21
7.5 IAS Architecture - Terraform / CloudFormation 21
7.6 Logging & Monitoring - CloudWatch vs DataDog. 21
8.1 OpenVPN Cloud Server 22
8.2 Kiosk VPN management 22
8.3 VPN hardware proposal 23
8.4 VPN Key/Certificate management 23
8.4 Assigned Kiosk Addresses (to be moved to spreadsheet / db) 24
8.4.1 EDC Development Kiosk - 10.21.0.0/24 24
8.4.2 RUT950 Router - 10.21.1.0/24 25
9. Glossary 26
1. Overview
SA Systems CardHub is a hardware and software platform that allows payment cards to be
created and issued to end users automatically at a variety of locations. The platform is secure,
robust and scalable and is easily integrated into existing banking systems.
The end-user journey is straightforward and secure and can easily be integrated at an
application level:
This document describes the CardHub platform and its associated systems.
2. CardHub Kiosk
The CardHub Kiosk is a secure, remote unit that contains all the equipment necessary
for interaction with a user and issuance of a payment card. It requires only a power
source and a reliable internet connection - wired, WiFi or mobile.
QR Scanner ● TBD
Touch Screen ● Will interact with the user and allow them to choose
options.
3.1 Overview
The CardHub server is a software suite and set of APIs that manages the CardHub system.
3.2 CardHub Server Key Components
CardHub Public API ● Secure REST API for querying CardHub functions
○ Hub Locations
○ Card Stock Levels
○ Card production queries
● Microsoft TypeScript
● NodeJS server
● https://cardhub-api-docs.s3.eu-west-2.amazonaws.c
om/index.html
The current edition of CardWizard is tightly integrated with both card issuers and EDC physical
card printers. It will not directly support the features needed by CardHub. Silver Arrow Systems
will work with EDC to develop the features required.
The CardWizard Web API is a RESTful (Representational State Transfer) HTTP- based service.
It supports set up, reporting, and common card requests using CardWizard software features.
Clients can use the CardWizard Web API to:
● Build a new graphical user interface component that is used with your financial
institution’s existing application.
● Integrate CardWizard software functionality into an existing application.
● Set up the CardWizard system, generate reports, and otherwise administer CardWizard
software in a production environment.
All communication between the application and the CardWizard Web API uses HTTPS
Requests and Responses. The HTTPS protocol is used to leverage the security features built
into the protocol.
4.3 CardWizard KGS
The Entrust Datacard Kiosk Gateway Service (KGS) is a solution designed to provide all
necessary tools to kiosk vendors wanting to drive card personalization on Entrust
Datacard Solution.It is composed of several components
● The KGS,an IIS hosted,REST based, web service, centralizing all communications
between the Kiosk Application and the EDC environment
● EDC CardWizard solution (including possibly EDC Adaptive Issuance Suite), from
where the card personalization is driven but also configured.
● EDC CardWizard “CMS extensions”, ensuring communication with the bank CMS
to retrieve, if necessary, additional information about the card to personalize
While KGS is a useful and instructive layer atop the CardWizard API it is not considered
sufficiently flexible for long term use in the CardHub project. Early versions of CardHub will use
KGS but later versions will be built directly on top of the main CardWizard API.
The existing version of KGS requires a number of feature changes and bug fixes to allow its
successful use with CardHub even at an early stage. Those changes are listed in this
document.
5.1 Overview
All payment cards issued by CardHub will be created on behalf of a bank or card issuer. That
card issuer is the ultimate provider of the payment card and its associated bank account. In
order to print a card, this action must be authorised by the card issuer.
All interactions with a card issuer take place through its Card Management System (CMS). This
is a suite of software that owns and manages the lifecycle of a payment card. Interaction with a
CMS is carried out using a secure API and only by trusted systems. In the case of CardHub,
almost all interaction will be done through the EDC CardWizard software.
The following touchpoints will exist between CardHub and the card issuer:
● Interaction with the CardHub API to supply a token for a requested card
● Activation of a card from a CardHub Kiosk.
5.2 SAS Test Bank CMS
For development purposes, SAS will create a “dummy” Bank CMS that will provide all of the
expected functionality of a live bank system. This will interact with CardWizard and CardHub to
simulate the card issue process.
6. Cardhub System APIs
The CardHub user journey is supported by six APIs. Three of these are built and hosted by
Silver Arrow Systems and three are external.
Endpoint: kiosk.sas-cardhub.net
The Kiosk API is an API built by Silver Arrow Systems. It is hosted by the CardHub cloud server
and called only by the CardHub Kiosk. It is a REST API that provides customer verification
functions. It also provides pass-thru functions to CardWizard, removing the need for the Kiosk to
communicate directly with CardWizard
Endpoint: api.sas-cardhub.net
The Public API is an API built by Silver Arrow Systems. It is hosted by the CardHub cloud server
and called by various third parties. It is a REST API that provides external facing QR code and
kiosk location functions.
Locate Kiosk GeoLocation List of kiosk Returns a list of CardHub kiosks close to
locations the supplied location
Endpoint: admin.sas-cardhub.net
The Management API is an API built by Silver Arrow Systems. It is hosted by the CardHub cloud
server and called via a web front-end from a secure browser. It is a REST API that allows kiosk
management functions to be performed.
Update kiosk List of locations - Updates the server’s list of Kiosk locations
locations
Retrieve metrics Kiosk Id Metrics Returns the metrics list for a kiosk.
Request new App credentials Card Generates a new payment card and
card Token assigns a card id (card token) to it. This
request is made by the banking app and
initiates the card issue process. The token
is used to create a Card Request via the
public API.
Request card Card Token Card Returns payment card details and
details details personalisation details. This request is
made only by CardWizard.
This diagram describes the flow of information when a customer orders a payment card to be
issued through CardHub.
7.1 Overview
Cardhub Server will be hosted in AWS using a highly commoditized architecture.
● All services will reside in an AWS VPC behind an application load balancer
● A cluster of Docker containers will be managed by AWS Fargate
● Each container will run an individual API service.
Each kiosk will be configured with an API key, as will other third parties. Users of the
management API will log in through a Cognito front-end.
AWS allows applications to allocate IANA private IP address space to VPC (Virtual Private
Cloud) infrastructure. Each defined VPC offers complete segregation from all others by default
although peering between VPCs is available if required. Care should be taken in the planning of
VPC address space to ensure networks that might need access to each other at a future date
do not overlap.
10.0.0.0/16 Reserved
7.3 Scalability
In order to achieve transparent, reliable scalability, well architected rules should be enforced for
application build and deployment.
Once such rules are applied, scaling can take place automatically whether a docker-based
(ECS/Fargate) or server-based architecture is used.
The CardHub AWS infrastructure should be described, built and maintained using an IAS
service - either Terraform or AWS CloudFormation are preferred. Any updates to the
infrastructure should be carried out using these services.
Each kiosk will be assigned a /24 block of addresses within the 10.0.0.0/8 private address
range, and will be routable from the CardHub VPC (Virtual Private Cloud).
The TELTONIKA RUT950 LTE 4G Router is proposed to manage communications within the
CardHub Kiosk. This industrial-level unit combines LTE/WiFi/Ethernet connectivity, hardware
VPN management, router, switch and firewall within one robust package.
Feature summary:
Further details:
● http://www.rut950.com/wp-content/uploads/2015/05/RUT950-manual-v1-06.pdf
● https://www.amazon.co.uk/TELTONIKA-RUT950-LTE-4G-Router/dp/B00TKFKLCI
● VPN security keys will be managed centrally by the CardHub server and stored in AWS
Key Management Service.
● Keys will automatically be updated on a regular basis. Updates should happen without
any manual intervention
● It is proposed that a “lastresort” access is available, accessible only when authorised by
a trusted agent physically at the location of the kiosk.
Item Description
Certificate Authority (CA) Certificate Certificate that is used to sign all other
certificates that are used in the VPN
infrastructure to prove the authority of the CA
Server key Key used to sign the server certificate and fix
its identity to the server
Client Key Key used to sign the client certificate and fix
its identity to the client.
9. Glossary
Glossary of terms used in the CardHub system architecture