The Payment Island

HomeAway's acquisition-based growth brings with it many relationships with payment gateways and processors. Additionally, each individual Brand protects customer financial information (e.g. credit card numbers) differently. These concerns bring "fan-out" difficulties to attaining PCI Compliance; in response, HomeAway created the "HomeAway Payment Island", a PCI Compliant application suite that presents a common (REST-based) payment interface to the Brands, all hosted in a hardened PCI Compliant data center. Individual Brands convert to using the Island, which helps remove those Brands from PCI scope. HAPI (the Payment Island) has been a success.

Payment Island Money Flow

The above figure shows the amount of money (USD, but the Island handles many currencies) moving through the Payment Island on daily (cardinal line) and cumulative (gold line) bases (the dashed cardinal line is the 14 day moving average of the daily numbers). This chart does not differentiate between payments and refunds - it uses the magnitude of the money. The Island moves money between HomeAway and its customers, and also acts as a payment facilitator between two third parties. The sharp knee in the gold line and the jump in the cardinal line represent an onboarding of one particular service; other onboardings become evident when an observer inspects the chart. Natural growth presents itself as well, as the general "up and to the right" tendency.

Payment Island User Activity

This chart shows the number of clients of the Payment Island (individual colors and strata), along with the daily number of requests those clients make. The orange swath from left to right has been with the Island from the beginning, as has the "cast of thousands" shown by the multi-colored smear at the bottom. Onboardings become much more obvious with this chart - the brown and blue bands onboarded concurrently. One can see the green band at the top make some small requests about a third from the left as this brand slowly integrated. The big green spikes occurred when this brand migrated a significant volume of stored data to the Island, which was then used for the right third. Weekly patterns become obvious by the periodic peaks and valleys in the color field.

Each request through the Island is PCI Compliant, which goes a long way toward protecting customer data. Future posts will present the Island's services and architecture, and discuss some of the unique challenges faced by HomeAway when designing and deploying the system.