Hashorn

Case study · Payment gateway · India · Growth-stage fintech

Production-grade payment gateway built for an RBI-regulated Indian PA

UniqPay needed a payment-gateway core they could put their PA licence application on top of. Hashorn built the merchant onboarding flow, payment orchestration, settlement engine, and the ops console, designed from day one for RBI audit, PCI-DSS scope reduction, and the realities of UPI traffic at scale.

UniqPay

PA-licence-ready core · ongoing dedicated pod

Client: UniqPay

Engagement: Dedicated pod · ongoing

Duration: Ongoing · 4 months in

Team: 6 senior engineers + 1 QA + 1 security + 1 DevOps · 1 Hashorn PM · all dedicated

Services: Dedicated Teams · AI Software Development · Quality Assurance · Security Engineering · DevOps

Outcomes at a glance

Dedicated team: 6 engineers · 1 QA · 1 security · 1 DevOps

Engagement: Ongoing · 4 months in

Payment surfaces: UPI · cards · netbanking · wallets

PCI-DSS posture: Tokenisation-only (no PAN stored)

Sprint timeline

How the engagement unfolded

  1. Wk 1-2

    Discovery + PA-licence framing

    Mapped the merchant journey, the payment surfaces (UPI, cards, netbanking, wallets), and what RBI's PA framework expects in terms of audit trail, customer-funds segregation, and incident handling. Locked the architecture before writing code.

    Architecture doc · risk register · PA-framework gap analysis

  2. Wk 3-5

    Merchant onboarding + KYB

    Merchant signup flow with KYB (PAN, GST, bank account), risk scoring hooks, and the document-vault primitives. RBI-aligned audit log written on every state change.

    Merchant onboarding live in staging

  3. Wk 6-9

    Payment orchestration core

    Idempotent payment API behind a unified surface for UPI, cards, netbanking, and wallets. Tokenisation through a PCI-compliant vendor so PAN never touches our infra. Webhook contract for merchants. Failure paths and retries by surface.

    First end-to-end transaction in sandbox

  4. Wk 10-12

    Settlement + reconciliation engine

    T+1 settlement runs, bank-file ingestion, three-way reconciliation (provider, bank, ledger). Mismatch alerts to ops. Hand-off and clawback flows for chargebacks and disputes.

    First production-shaped settlement cycle

  5. Wk 13-15

    Ops console + observability

    Internal console for risk, finance, and support: transaction lookup, refund authorisation, dispute timeline, merchant 360. OpenTelemetry tracing across every payment surface. Runbooks for the top ten ops scenarios.

    Ops console live · runbooks in Notion

  6. Wk 16

    Hardening + audit prep

    Playwright suite across the critical payment flows, security review (OWASP + PCI scope assertion), and an audit-rehearsal walkthrough of the RBI PA evidence trail with UniqPay's compliance team.

    Audit-ready evidence pack

Architecture

The stack we shipped on

Public API

Idempotency keys, signed webhooks, per-merchant rate limits

  • NestJS
  • Fastify adapter
  • TypeScript
  • Zod

Payment orchestration

PAN never touches our infra; tokenisation handled via PCI-compliant vendor

  • Surface adapters (UPI, cards, netbanking, wallets)
  • State machine
  • Retry policy per surface

Settlement + ledger

T+1 settlement; hash-chained audit log on every ledger entry

  • Double-entry ledger in Postgres
  • Bank-file ingestion
  • Three-way reconciliation

Merchant + ops console

  • React
  • TanStack Query
  • TailwindCSS
  • Role-based access

Async + events

  • Kafka
  • Redis (idempotency + rate limit)
  • Worker pool

Cloud

Data residency in India for RBI compliance

  • AWS ap-south-1
  • RDS
  • EKS
  • Secrets Manager
  • KMS
  • CloudWatch + OpenTelemetry

Risks we actively managed

  • PCI-DSS scope reduction: PAN tokenised by a PCI-compliant vendor; our infra never receives or stores raw card data.
  • RBI PA framework audit trail: every state change writes a hash-chained, append-only audit row keyed by merchant + transaction.
  • Customer-funds segregation: settlement engine isolates merchant funds in line with RBI's escrow and nodal-account expectations.
  • UPI traffic spikes: Kafka-backed event pipeline absorbs surge, with per-merchant rate limits and circuit breakers on every external surface.
  • Reconciliation drift: three-way reconciliation (provider + bank file + internal ledger) catches mismatches before they reach finance.

Workflow

Tracked end-to-end in BuildOS.

Every meeting summary, requirement, sprint, task, and metric in this case study was rendered in BuildOS during the engagement. The customer's team had read-only access to the same workspace from week one; they saw Friday demos, weekly velocity, and AI-generated checklists without us sending status emails.

The challenge

UniqPay's roadmap had a hard dependency on getting its Payment Aggregator licence from the Reserve Bank of India. The RBI's PA/PG framework (post-2022 guidelines) sets a specific bar: segregation of customer funds, auditable change control, a real reconciliation story, and security posture aligned with PCI-DSS. The team had a target review window and a payment-gateway core that needed to be production-shaped, not stitched together.

Three constraints shaped the build:

  • The audit trail had to be the spine of the product, not a feature. RBI auditors don't accept "we'll add logging later." Every ledger entry, every state change, every webhook delivery had to be appended to a tamper-evident log from day one.
  • PCI-DSS scope had to stay narrow. Storing PANs would have multiplied the security review surface and pushed the licence timeline by months. Tokenisation through a PCI-compliant vendor was non-negotiable.
  • The ops console had to land at the same time as the payments API. A working gateway without a way for ops, risk, and finance to act on it isn't ready for real merchant traffic.
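
One way to build and verify the tamper-evident log from the first constraint, described elsewhere on this page as a hash-chained, append-only audit row keyed by merchant + transaction. This is an added example, not Hashorn's or UniqPay's code; the row fields, the SHA-256 and length-prefix encoding, and all function names are assumptions.

```typescript
import { createHash } from "node:crypto";

// Hypothetical row shape; the page only says hash-chained, append-only, keyed by merchant + transaction.
interface AuditRow {
  seq: number;
  merchantId: string;
  txnId: string;
  event: string;    // state change, e.g. "PAYMENT_CAPTURED"
  at: string;       // ISO-8601 timestamp
  prevHash: string; // hash of the previous row (GENESIS for the first row)
  hash: string;     // SHA-256 over prevHash and this row's fields
}
type NewEvent = Pick<AuditRow, "merchantId" | "txnId" | "event" | "at">;
const GENESIS = "0".repeat(64);

// Length-prefix every field so that ("ab", "c") and ("a", "bc") hash differently.
function rowHash(r: Omit<AuditRow, "hash">): string {
  const h = createHash("sha256");
  for (const f of [r.prevHash, String(r.seq), r.merchantId, r.txnId, r.event, r.at]) {
    h.update(`${f.length}:${f}`);
  }
  return h.digest("hex");
}

function appendRow(log: AuditRow[], e: NewEvent): AuditRow {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const body = { seq: log.length, ...e, prevHash };
  const row: AuditRow = { ...body, hash: rowHash(body) };
  log.push(row);
  return row;
}

// Returns the index of the first row that fails verification, or -1 if intact.
// expectedHead is the latest hash kept outside the database; without it a truncated tail still verifies.
function verifyChain(log: AuditRow[], expectedHead?: string): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.seq !== i || r.prevHash !== prev || rowHash(r) !== r.hash) return i;
    prev = r.hash;
  }
  return expectedHead !== undefined && prev !== expectedHead ? log.length : -1;
}

// Constructed sample rows, not data from the engagement.
function sampleLog(): AuditRow[] {
  const log: AuditRow[] = [];
  for (const event of ["PAYMENT_CREATED", "PAYMENT_CAPTURED", "SETTLED"]) {
    appendRow(log, { merchantId: "m_001", txnId: "t_9001", event, at: "2024-01-01T10:00:00Z" });
  }
  return log;
}
```

The chain only proves integrity relative to a head hash stored somewhere the database operator cannot rewrite; an in-place edit or a deleted middle row is caught by the chain itself, but tail truncation is caught only by that external anchor.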

How we approached it

A full nine-person dedicated pod: six senior engineers, one QA, one security engineer, one DevOps engineer, plus a Hashorn PM. Every role is dedicated to UniqPay; no shared resources, no context-switching across clients. The PM runs the weekly cadence with UniqPay's engineering lead. The engineers work in tight pairs around the major surfaces (onboarding, payment orchestration, settlement, ops console), while security and DevOps own their respective verticals across every release.

We treated the RBI PA framework as a design input, not a compliance gate to bolt on afterwards. The first week's architecture doc explicitly mapped each PA-framework expectation to a piece of the system (audit log, idempotency, segregation, incident handling, reconciliation), so by the time we shipped the payments API, the licence evidence was a by-product of the build, not extra work.

What we shipped

Merchant onboarding and KYB. PAN, GST, bank-account verification, document vault, risk-scoring hooks, RBI-aligned audit on every state change. A merchant goes from sign-up to live test-payment in a single session.

Payment orchestration. One unified, idempotent API surface in front of UPI, cards, netbanking, and wallets. Each downstream surface has its own adapter, retry policy, and circuit breaker. Webhooks signed and delivered with at-least-once semantics. Tokenisation through a PCI-compliant vendor, so UniqPay's environment never sees raw PANs.

Settlement and reconciliation. T+1 settlement runs aligned with bank cut-offs. Bank-file ingestion, three-way reconciliation between provider, bank, and internal double-entry ledger. Mismatch alerts to ops. Chargeback and dispute flows that update the ledger correctly without breaking the audit chain.

Ops console. Single internal console for risk, finance, and support: transaction lookup, refund authorisation, dispute timeline, merchant 360. Role-based access for the operations org. OpenTelemetry traces linked directly from the console so support can see the path of a failed payment in one click.

Observability and runbooks. OpenTelemetry tracing across every payment surface, structured logs to CloudWatch, and runbooks for the top ten ops scenarios (failed UPI callback, bank-file late, reconciliation drift, etc.).

The outcome (4 months in, still ongoing)

  • A production-shaped payment-gateway core covering UPI, cards, netbanking, and wallets, built in the first quarter of the engagement and now under active iteration.
  • Audit-ready by design. RBI PA-framework expectations mapped to concrete system behaviour: hash-chained audit log, segregation pattern in the ledger, reconciliation evidence, incident runbooks.
  • PCI-DSS scope held to tokenisation-only. UniqPay's own environment never holds raw card data, confirmed by the security engineer who sits inside the pod.
  • A dedicated DevOps lane. Infrastructure-as-code, CI/CD, observability, and on-call runbooks owned by one person whose only client is UniqPay.
  • An ops team that owns the product without needing engineering. Refund authorisation, dispute walk-through, merchant lookup: all in the console, all role-gated, all logged.
  • An engagement that continues to scale. The pod is the same shape four months in (same engineers, same QA, same security, same DevOps), and the relationship is set up to grow the team as UniqPay's roadmap expands.

What we'd repeat

Treating the RBI PA framework as an architecture input rather than a compliance bolt-on changed the shape of the build. The audit log, the ledger segregation, and the reconciliation engine weren't features. They were the foundation. That meant the licence evidence pack at week 16 was a query against the system, not a separate document we had to compile.

The other lesson: ship the ops console next to the API, not after it. The temptation in payment infra is to focus on the public surface and treat internal tooling as a phase-two concern. We did the opposite. By the time the first merchant went live, the ops team already had the console they'd be using daily. That removed the operational risk that usually accompanies a payment-gateway launch.

We came to Hashorn with a target: be ready for the RBI PA review without compromising on the engineering. They delivered a payment gateway core we could stand behind, not just demo. Settlement matches the bank file to the rupee, and the ops console means our team doesn't have to SSH into anything.

Ankit

Head of Engineering, UniqPay
