Stats

Media & Entertainment

· Project Duration 1-2 months · GMV Processed >Rp8.000.000.000 · Orders Processed >10k · Zero Security or Fraud Issues

About

Our client (media & entertainment industry) has a fast-growing business of reselling virtual points/currency of popular online apps/games. A key strategy on user engagement by modern games or platforms is micro-transactions which are small financial transactions where users can purchase virtual items, features, or content for small amounts of money (usually under $10). They come in several common forms: in-game currencies: virtual money that players can buy with real money to spend on various in-game items (like "gems" or "coins") such points or coins are accumulated and spent by users on in-platform purchases or rewards.

Initially, customer orders are processed manually via WhatsApp. A single dedicated personnel takes an estimated 5 minutes per order. Assuming they work 8 hours a day (480 minutes), that would be 96 orders (no human errors or breaks in-between). In addition, orders typically do not happen in a predictably neat sequence very 5 minutes. What happens to orders submitted outside working hours? Customers would be angry or frustrated waiting too long to receive their order purchase.

The factors above pushed our client to look towards a more scalable solution i.e. business process automation.

Challenges & Requirements

Direct integration with a payment gateway provider is required to fully automate online orders & payments. Without this, humans are needed to manually verify order payments manually before proceeding with order fulfillment (virtual currency top-up or transfer)

Once the order payment is verified & completed, payment gateway notifies our app.

Our app

How it works without automation is the client has to deposit coins into a SnackVideo account and then manually transfer the exact amount ordered to their customer. Entire process for a single transaction takes 5 minutes from start to finish. If no human errors occur in between then.

‍

Our target online platform does not provide or allow any direct API for external parties to automatically transfer these online tokens from one user to another. Our client needs the app to be simple & convenient. This meant that any user of the video platform could go to the client’s webpage and purchase tokens without hassle.

Security was another major concern for the client. A previous app was built and managed by another vendor (not Delos) but some fraud happened. Our client had no choice, to stop losses they had to shut it down and revert back to manually processing customer orders.

Solutions & Outcomes

Integration with a payment gateway provider means an order can be processed immediately once we are notified that the order payment is completed.

We designed and built a simple dashboard for our client's operations team to do several things.

We had to write UI automation which talks to

our REST web-based APIs needs to be designed properly i.e. not allowing object updates but one-way status changes and validations on both frontend & backend.

The key lies in the separation in between product vs. orders vs. order payment. Clean database designs.

To solve the problem with frauds, we need to design solution to be safety-first. Our app made it mandatory for users to validate and verify the online platform user id as part of any order creation. Without a valid user id, there was no need for the system to create order. This helped filter out a lot of noise. Only serious buyers, willingly copy & paste their user id, would passed through to next steps.

To solve the problem with abusive users, we allow admins to blacklist users. [details] Having a blacklisted of users who abused the app is important.

To solve the problem with changing prices vs. past orders, we need to separate product catalog management from customer order management

Giving our client's working team a one-stop pause/resume button for the business process automation.

It needs to be a very simple webpage open to public and there was no account-based login authentication. Was login authentication really necessary for our use case?How did we secure this application without enforcing user authentication?

We defined the following infrastructure networking rules such as: only the web app could access the backend api service, and only the api service could access the database. That was it.

Next line of defense was our application design.

access management was also controlled tightly