Fintech Platform Build
Payment Processing Infrastructure for a Regional Banking Partner
Overview
A regional banking institution with over $4 billion in assets and 200,000+ merchant relationships was hemorrhaging market share. Their payment processing infrastructure — built piecemeal over 15 years — couldn't keep pace with fintech disruptors offering real-time settlement, modern APIs, and seamless developer experiences.
The bank's leadership knew they needed to modernize. They'd already burned through two consulting engagements that produced strategy decks but no working code. They came to Aspen Grove because we don't just advise — we quarterback the build.
Industry: Financial Services / Payments
Engagement: 14 months
Team Lead: Ron Christensen (Strategy), Danny Parker (Compliance & Legal), Tracy Wineland (Technical Execution)
The Challenge
The client faced a compounding set of problems that were eroding their competitive position month over month:
- Legacy batch processing. Transactions were settled in 24-48 hour batches. Merchants expected real-time. The bank's largest competitor had already shipped same-day settlement, and their sales team was losing deals on this issue alone.
- Fragmented systems. The payment stack consisted of five separate vendor systems stitched together with custom middleware written by developers who had long since left the organization. Nobody fully understood the dependency chain.
- Compliance gaps. A recent PCI DSS audit had flagged 23 remediation items. The bank was operating on a conditional compliance certificate with a 90-day deadline. Failure to remediate meant losing their processing license.
- No API strategy. Third-party integrators — ISVs, POS vendors, e-commerce platforms — had to go through a manual onboarding process that took 6-8 weeks. Competitors offered self-service API keys in minutes.
- Merchant attrition. The bank had lost 12% of its merchant base in the previous fiscal year. Exit interviews consistently cited slow onboarding, unreliable uptime, and lack of modern integrations.
The executive team had budget approval for a modernization initiative, but they lacked the internal expertise to execute it. Their IT department was stretched thin maintaining the existing systems, and they'd been burned by prior consultants who couldn't bridge the gap between strategy and implementation.
Our Approach
Aspen Grove assembled a cross-functional team that combined deep payments industry knowledge with hands-on technical execution. Ron Christensen led the engagement — his experience building Swipe USA from a regional processor into a national brand with partnerships across U.S. Bank, Elavon, and Shop Pay meant he understood the specific technical and business challenges at play.
Phase 1: Infrastructure Assessment (Weeks 1-4)
Before writing a single line of code, we conducted a comprehensive audit of the existing payment stack. This wasn't a surface-level review. Our team embedded with the client's operations, engineering, and compliance teams to map every transaction flow, every vendor dependency, and every failure mode.
- Mapped all 47 integration points across the five legacy vendor systems
- Identified 14 single points of failure in the middleware layer
- Documented the full PCI DSS remediation backlog and prioritized by risk severity
- Benchmarked transaction processing times against industry standards and direct competitors
- Interviewed 15 merchant partners to understand their integration pain points firsthand
Phase 2: Architecture Design (Weeks 5-8)
We designed a modernization roadmap that could be executed incrementally — no big-bang migration that would put the bank's processing at risk. The architecture centered on three principles:
- API-first. Every capability would be exposed through a well-documented REST API. Internal systems and external partners would use the same APIs, ensuring consistency and reducing maintenance burden.
- Event-driven processing. Replace batch settlement with event-driven transaction processing. Every transaction would be processed in real time, with settlement happening continuously rather than in overnight batches.
- Compliance by design. PCI DSS controls would be baked into the architecture from day one — tokenization, encryption at rest and in transit, automated audit logging, and role-based access controls.
Phase 3: Build and Migration (Weeks 9-48)
Tracy Wineland led the technical execution. The build happened in two-week sprints with the client's team embedded alongside ours. This wasn't a handoff — it was a co-build that ensured knowledge transfer happened in real time.
Danny Parker ran compliance in parallel, working directly with the bank's legal counsel and their PCI QSA (Qualified Security Assessor) to ensure every architectural decision and code deployment met regulatory requirements. By the time we reached the compliance audit, there were no surprises.
Phase 4: Rollout and Optimization (Weeks 49-60)
We migrated merchants in cohorts, starting with the bank's 50 highest-volume accounts. Each cohort went through a parallel-run period where transactions were processed on both the legacy and new systems simultaneously, with automated reconciliation to catch any discrepancies before cutover.
The Solution
The final platform included:
- Custom payment gateway. A unified gateway that consolidated the five legacy vendor connections into a single, redundant processing path. The gateway supported card-present, card-not-present, ACH, and real-time payments through a single API.
- Real-time transaction engine. Event-driven architecture replaced batch processing entirely. Transactions were authorized, cleared, and settled in real time, with merchants receiving funds within hours instead of days.
- Developer portal. Self-service API documentation, sandbox environments, and automated key provisioning. Third-party integrators could go from signup to first test transaction in under 15 minutes.
- PCI DSS compliance framework. End-to-end tokenization, HSM-backed encryption, automated vulnerability scanning, continuous compliance monitoring, and audit-ready reporting. The framework didn't just pass the audit — it set a new baseline for the bank's security posture.
- Merchant dashboard. Real-time transaction monitoring, settlement tracking, dispute management, and analytics — replacing the legacy system's static daily reports with a live operational view.
- Automated onboarding. New merchant provisioning was reduced from 6-8 weeks to 48 hours for standard accounts, with risk-based underwriting automation handling 80% of applications without manual review.
Results
The numbers speak for themselves:
- 60% faster transaction processing. Average authorization time dropped from 3.2 seconds to 1.2 seconds. Settlement moved from T+2 to same-day for 94% of transactions.
- 99.97% uptime. In the 12 months following full deployment, the platform exceeded the 99.9% SLA target. The legacy system had averaged 99.4% — the difference translating to roughly 26 fewer hours of downtime per year.
- Full PCI DSS Level 1 compliance. Zero remediation items on the first audit cycle post-deployment. The QSA specifically cited the automated compliance monitoring as a best practice.
- 340 new merchant integrations. In the first year on the new platform, the bank onboarded 340 new merchant accounts through the self-service API — more than triple the prior year's acquisition rate.
- Merchant attrition cut by 68%. Annual merchant churn dropped from 12% to 3.8%, with the bank's NPS among merchant partners increasing from 22 to 61.
- $2.1M annual infrastructure savings. Consolidating five vendor systems into one platform, combined with reduced manual processing overhead, saved the bank $2.1M annually in vendor fees and operational costs.
Key Takeaways
- Strategy without execution is expensive theater. The client had already paid for two strategy engagements that produced recommendations but no working systems. Aspen Grove's value was bridging that gap — our team designed the architecture and built it.
- Compliance is not a phase — it's an architecture decision. Bolting PCI DSS compliance onto a finished system is expensive and fragile. Building it into the architecture from day one is cheaper, more reliable, and produces better audit outcomes.
- Incremental migration beats big-bang every time. The cohort-based rollout approach meant zero downtime for merchants during the transition. Every migration step was reversible, which gave the bank's risk committee the confidence to approve each phase.
- Industry expertise accelerates everything. Ron's relationships across the payments ecosystem meant we could navigate vendor negotiations, regulatory conversations, and partnership structures in weeks instead of months. You can't Google your way through PCI compliance or payment network rules.