Card91
Case Study

Executive Summary

Card91 set out to give banks, fintechs, and large corporates a friction-free way to launch and manage payment instruments—physical, virtual, and tokenised—without the 12-to-18-month ordeal typical of legacy processors. An early pilot proved demand but revealed hard limits: batch file integrations, manual KYC workflows, and no real-time ledger. To close a pending Series A round and onboard four anchor banks, Card91 needed a bank-grade, API-first issuance platform—PCI-certified, ISO 8583–compatible, and live in 20 weeks.

Steady Rabbit deployed a Core-Flex Micro-GCC squad that delivered, in ten sprints:

  • A multi-tenant issuer-processor on AWS EKS that handles 850 TPS (burst) with p95 latency < 120 ms
  • Real-time ledger & settlement micro-services that cut reconciliation effort 75 %
  • Automated KYC & programme-approval workflows that shrank client go-live from 5 months to 8 weeks (–60 %)
  • Tokenisation, 3-D Secure 2, and ISO 8583 bridges ready out of the box, enabling Apple Pay and Google Pay in the first release
  • A zero-downtime blue/green deployment pipeline that achieved 99.995 % availability in the first 90 days
  • PCI DSS SAQ-D certification on the first audit pass—three weeks ahead of schedule

The predictable execution helped Card91 sign ₹68 crore (~US $8.2 M) in contracted ARR within two months of launch and secure a US $12 M Series A at a premium valuation.

Client Profile & Business Context

  • Client: Card91, a Bengaluru-based FinTech disruptor
  • Founded: 2020
  • Vision: One API to issue, manage, and settle any payment instrument.
  • Pre-Engagement Stack: Java monolith, MySQL, nightly ACH files, manual KYC portal
  • Markets: India, SEA, MENA (banking partners and large corporates)

Card91’s founders—ex-Visa and ex-Mastercard executives—proved market appetite by issuing 50 k prepaid cards for a marquee neo-bank. Yet scaling to enterprise volumes required a wholesale rewrite:

  • Real-time APIs for BIN sponsorship, tokenisation, and webhooks
  • Reg-tech plumbing (PCI, RBI guidelines, GDPR variants) baked into the SDLC
  • Elastic throughput for seasonal spikes (salary days, festival cashbacks)

Delay meant losing anchor banks to rival processors and jeopardising Series A valuation.

Problem Statement / Key Challenges

| Critical Gap | Impact if Unresolved |
| --- | --- |
| Batch-file integrations limited throughput to 250 TPS | Would crumble under bank loads (~750 TPS peak) |
| Manual programme onboarding—120+ email approvals | Time-to-revenue stuck at 5 – 6 months |
| No tokenisation & 3-D Secure 2 | Apple Pay / Google Pay deals impossible |
| Failed PCI ROC two years running | Banks refuse to process until compliant |
| Monolithic codebase blocking zero-downtime deploys | Release once a quarter; bug hot-fixes took hours |
| Investor deadline—20 weeks to TechX Summit launch | Slip → down-round & lost anchor contracts |

Our Approach

Micro-GCC Squad Structure

| Layer | Roles | Mission |
| --- | --- | --- |
| Core (7) | Squad Lead / PO, 2 Go micro-services engineers, Java/Kotlin ledger dev, DevOps / SRE, React-Native portal engineer, QA Automation | Re-architect platform, hit compliance, deliver APIs & client portal |
| Flex (2) | PCI DSS QSA / Security Architect, ISO 8583 & HSM SME | High-risk spikes: PCI readiness, scheme certification |
| Buffer (1) | Shadow Full-Stack (React + Go) | Absorb PTO/attrition—funded by Steady Rabbit |

Shift-Left Governance & SteadCAST

  • 7 Plan-Left gates for every Jira story (Persona → Acceptance → Risk → Architecture sketch → Estimation → Capacity via SteadCAST → Test note).
  • SteadCAST dashboards tracked Risk-High WIP %, velocity forecast, capacity drift daily.
  • 30-minute weekly steering with founders & bank partner leads—no surprises.

Discovery Sprint 0 (Weeks 1 – 2)

  • Value-stream workshop—mapped 64 steps from BIN request to first live transaction.
  • Architecture blueprint—Go/gRPC micro-services, Kafka events, zero-trust VPC, AWS Nitro HSM, CloudHSM.
  • Compliance gap matrix—PCI DSS v4.0 controls, RBI Storage of Payment System Data, GDPR, PA-DSS for SDKs.

Velocity forecast: 115 SP per sprint; launch date locked for Week 20 (two weeks pre-TechX Summit).

Solution Delivered

Event-Driven Issuer-Processor Core

  • Go + gRPC services for Programme, Card, Wallet, Auth, Settlement.
  • Kafka event bus; Kafka Streams for real-time fraud signals.
  • p95 latency 1.8 s → 120 ms under 850 TPS burst.

Real-Time Ledger & Reconciliation

  • Double-entry ledger in CockroachDB (geo-replicated).
  • Settlement jobs in AWS Step Functions; reconciliation reports auto-emailed every 15 minutes.
  • Ops effort –75 %; error rate < 0.01 %.

Tokenisation & Security

  • Fireblocks HSM for key management; Detokenisation API latency 90 ms.
  • 3-D Secure 2 integration with network access control server (NACS); liability-shift success 99.7 %.

Programme-Onboarding Workflow

  • Low-code BPMN engine (Camunda) for KYC, sandbox, BIN assignment.
  • Onboarding time 5 months → 8 weeks (–60 %).

Developer Portal & Sandbox

  • Next.js portal—API keys, docs (OpenAPI), webhook tester.
  • Average dev self-serve time to first auth 18 minutes.

Blue/Green & Observability

  • Terraform Cloud IaC pipelines; EKS node groups (blue & green).
  • OpenTelemetry traces to Grafana; SLO dashboard (latency, error, TPS).
  • Releases every sprint; downtime 0 s across six prod cut-overs.

Compliance Automation

  • AWS Macie, GuardDuty, IAM Access Analyzer feed evidence bucket.
  • PCI ROC pass—zero critical findings; auditor note: “mature DevSecOps.”

Execution Journey

| Sprint | Deliverables | KPI Shift | Predictability |
| --- | --- | --- | --- |
| Sprint 0 | Discovery, backlog, threat model | Baseline latency 1.8 s | 100 % gate pass |
| Sprint 1 | EKS cluster, auth service MVP | p95 1.8 s → 1.1 s | Risk-High WIP 16 % |
| Sprint 2 | Kafka ingest, ledger schema | Reconciliation cycle 48 h → 12 h | Buffer unused |
| Sprint 3 | Camunda onboarding, Dev portal skeleton | Onboard 5 m → 14 wks | Flex PCI 24 h |
| Sprint 4 | Tokenisation PoC, CockroachDB cluster | p95 lat 1.1 s → 320 ms | No slip |
| Sprint 5 | 3-DS2 ACS, webhook emulator | Auth success 92 % → 97 % | Hot-fix 0 |
| Sprint 6 | Settlement auto-email, blue/green dry run | Downtime 30 m → 0 s | Budget +4 % |
| Sprint 7 | Fraud signal stream, SDK PA-DSS prep | Fraud false-positive –19 % | -- |
| Sprint 8 | Multi-language docs, iOS SDK | Dev TTFB 35 m → 18 m | -- |
| Sprint 9 | PCI audit, bank pilot sandbox | PCI pass (0 crit) | -- |
| Sprint 10 | Production launch, TechX demo | TPS 850, p95 120 ms | Delivered 1 day early |
| Sprint 11 | Hardening, Series A data-room support | AUM $10 M → $15 M | All sprints green |

Buffer dev covered a Go engineer (COVID) in Sprint 6—velocity dip 0 SP.

Business Outcomes & Impact

Programme launch time 5 months → 8 weeks (–60 %)

p95 API latency 1.8 s → 120 ms (15× faster) at 850 TPS burst

Transaction throughput 250 TPS → 850 TPS (3.4×)

Reconciliation effort –75 %, error rate < 0.01 %

Adoption: 4 anchor banks & 7 fintechs signed in first 60 days → ₹68 crore ARR

PCI DSS v4.0 ROC pass on first attempt; zero critical findings

99.995 % uptime during first 90 days; 6 blue/green releases 0 s downtime

Predictability premium (~8 % rate uplift) paid back in one quarter via revenue acceleration & avoided delay penalties

Why Steady Rabbit?

Core-Flex Micro-GCC

On-demand access to PCI and ISO 8583 SMEs within 48 h; Buffer bench erased PTO risk.

SteadCAST Predictability

Capacity & risk analytics delivered 98 % sprint adherence over 20 weeks.

Shift-Left Governance

Seven Plan-Left gates cut re-work 41 %, adding < 2 h per sprint.

Deep Reg-Tech DNA

Team combined HSM ops, payment scheme certification, and Go micro-services.

Outcome-Linked Engagement

KPIs (latency, onboarding time, ARR) tied to squad incentives—no vanity metrics.

Transparent Partnership

Weekly demos, Slack war-room, open burn charts—zero surprises.

Client Testimonial

Steady Rabbit

Co-Founder & CEO

Card91

Steady Rabbit took us from monolith to bank-grade processor in five months flat. PCI pass on first attempt, no downtime, and our first customers live before TechX. Their Core-Flex model is how FinTechs win.