In this section we are including some recommendations about how to define the architecture of your connector to make it as efficient as possible. Also, to avoid regulatory delays and overcosts, we are putting together this basic architecture proposal.
If you are integrating with Toqio:
- In Toqio we use Clean Code and DDD as our code standards. In our CD/CI process we have integrated Sonar and we require internally, for any service, a test coverage over 80%. Also, all dependencies are evaluated and any security alert or vulnerability must be addressed before merging the code to any main branch. We strongly recommend to follow a similar approach as we are dealing with very sensitive data. In addition, under DORA, we will get in touch with you on a regular basis to ensure you are compliant with the regulation.
- You must have a mechanism that allows you to deploy your code to production without causing any service interruption. In the case of causing any downtime you must communicate to Toqio and our joint customers, with at least 15 days notice so we can plan and warn the merchants appropriately.
- For ACCOUNTS and PAYMENTS there are not specific requirements, beyond considerations that are explicit for other services. In general terms we recommend to split the services to enable separated deployments and a simpler code lifecycle management.
If you are integrating CARDS:
- If you are integrating a banking provider that offers Cards to their customers and you are adding the feature to the integration catalogue in the connector you must be PCI compliant. As we are PCI compliant any provider we are connected to must be PCI compliant as well. We will provide you with all the support and contacts to make this process clean and easy. During the PCI audit process, depending on the way you handle the PAN of the cards, you will need to accomplish different levels of PCI compliance.
- Regardless of the compliance level aforementioned, if you fully separate the code that handles cards in a different service, the audit process will be simpler and you will need to comply with PCI requirements in that service only.
If you are integrating COMPLIANCE:
- If the Banking provider is also the compliance provider OR if you are integrating also a compliance provider, our suggestion is to split this code also in a different service of the Accounts and Payments one as mentioned above.