Steady Rabbit
Get in touch

Form3 Secure Payments SDK

Delivering a PSD2-Compliant Golang + Python SDK That Cuts Partner Integration Time 50 % and Handles 2×
Transaction Throughput—All in 18 Weeks with Steady Rabbit’s Core-Flex Micro-GCC Model

form 3 logo
Client
Form3
Core Platform

Fully managed, real-time payment processing for FPS, SEPA, BACS, SWIFT

Strategic Goal

Speed partner integrations, cut onboarding cost, and expand indirect revenue channels

Form3

Form3
Case Study

form3 mobile app

Executive Summary

Form3—Europe’s leading cloud-native payments processor—powers instant clearing for Tier-1 banks and high-growth fintechs. As demand from enterprise partners exploded, the company needed a battle-tested Software Development Kit (SDK) that would let customers connect to Form3’s REST APIs in days, not months, without exposing them to PCI risk or PSD2 penalty.

Steady Rabbit spun up a six-person Micro-GCC squad, added flexible security and payments SMEs, and in just 18 weeks delivered:

  • Production-hardened Golang & Python SDKs generated from OpenAPI 3.0 specs
  • Built-in OAuth 2.0 + mTLS flows that pass PSD2 RTS checks out-of-the-box
  • An automated conformance-test harness that slashed time-to-first-payment from 12 weeks → 6 weeks (50 % faster)
  • Async streaming callbacks (webhooks + WebSockets) handling 2× peak TPS with p95 latency < 140 ms
  • A zero-downtime CI/CD pipeline that ships signed SDK artifacts to PyPI & GoProxy every sprint
  • PCI DSS SAQ-A and ISO 27001 control alignment, enabling Form3 to onboard two global system integrators immediately

The result: Form3’s partner funnel accelerated, support tickets fell 37 %, and the company closed £5.4 million ARR in new partner deals within a quarter of launch—all without a single missed sprint milestone.

form 3 logo form 3 mobile app

Client Profile & Business Context

  • Client
    Form3

    London-based cloud payment-technology provider

  • Founded

    2016

  • Core Platform

    Fully managed, real-time payment processing for FPS, SEPA, BACS, SWIFT

  • Pre-Engagement Stack

    REST APIs (OpenAPI specs), Java/Kotlin micro-services, AWS-based multi-region mesh

  • Strategic Goal

    Speed partner integrations, cut onboarding cost, and expand indirect revenue channels

Market Pressures

  • PSD2 & UK Open Banking mandate secure, standardised interfaces—partners expect SDKs that “just work.”
  • Competitors launched first-party libraries; Form3 relied on docs alone → integration time > three months.
  • Two global SIs offered revenue-share deals—conditional on a hardened, audit-ready SDK before Q3 industry events.

Form3’s engineering leadership needed an elite team that could own the SDK roadmap end-to-end while internal squads focused on core clearing rails.

Problem Statement / Key Challenges

Long Partner Ramp-Up

Average time-to-first-payment ≈ 12 weeks; heavy solution-architect hand-holding.

Compliance & Security Debt

Partners built their own clients—mixed mTLS, token handling errors, PSD2 RTS non-conformities.

Throughput & Reliability

Existing community Go client crashed beyond 350 TPS; target partners need > 700 TPS peak.

Multi-Language Expectations

Top partners demanded Golang (micro-services) and Python (data/ML) libraries at launch.

Aggressive Timeline

Six-month commercial OKRs: SDK GA by Week 18 or lose SI contracts worth £5 m ARR.

Internal Capacity Crunch

Form3 dev teams tied up with SEPA instant rollout; no bandwidth for SDK rewrite.

Our Approach

Core-Flex Micro-GCC Squad

Layer
Roles
Mandate
Core (6 FTE)
Squad Lead/PM, 2 SDK Engineers (Go/Python), Documentation Engineer, DevOps/SRE, QA Automation
End-to-end SDK delivery & predictable cadence
Flex (2)
PSD2 Security Architect (CISSP), Payments SME (ISO 8583, webhook idempotency)
High-risk spikes: OAuth 2.0 flows, message integrity
Buffer (1)
Shadow SDK Engineer (Go)
PTO / attrition coverage—funded by Steady Rabbit

Shift-Left Governance

  • Seven Plan-Left gates enforced in Jira: Persona → Acceptance → Risk label → Architecture Sketch → Estimation → Capacity (SteadCAST) → Test Note
  • SteadCAST dashboards surfaced lead indicators (Risk-High WIP %, Test-Note coverage) every morning.
  • 30-minute steering with Form3’s Head of Developer Experience each Friday—demo + KPI review.

Discovery Sprint 0 (Weeks 1–2)

  • Dev-Experience Mapping – White-boarding partner journey from API key to first SEPA credit.
  • Architecture Blueprint – Swagger-codegen with custom templates, pluggable transport (mTLS, With-Proxy), streaming callback helpers.
  • Compliance Gap Analysis– Map PSD2 RTS, PCI DSS SAQ-A, ISO 27001 Annex A to SDK features & build pipeline.

Velocity baseline: 120 SP/sprint; go-live locked for Week 18.

Solution Delivered

SDK Core Generation

  • OpenAPI Generator custom templates for idiomatic Go modules + Python wheels.
  • Abstracted transport layer supports mTLS, OAuth 2.0 client-credentials, and mutual TLS on HTTP/2.
  • Build tags allow -tags mock for offline unit tests.

Secure Auth & Session Handling

  • Built-in token cache (LRU) with automatic refresh when JWT ≤ 30 s expiry.
  • PSD2 RTS AISP/PISP flows baked in; dynamic HTTP signature headers auto-generated.

Streaming & Webhooks Helper

  • WebSocket reconnect logic w/ exponential back-off; p95 latency 140 ms at 700 TPS burst.
  • Idempotency key helper ensures at-least-once semantics on retry.

Conformance-Test Harness

  • Docker-compose environment spins up mock Form3 API + golden-file test suites.
  • Partners run make test-connect → receive pass/fail JSON & coverage badge.

DevEx Portal & Docs

  • Docusaurus site auto-publishes from code comments; versioned with Git tags.
  • Swagger “try-it” embedded; onboarding wizard guides from API key to first SEPA payout in < 15 min.

CI/CD & Artifact Signing

  • GitHub Actions → OIDC-based deploy to PyPI, GoProxy mirror; artifacts signed with Cosign + Rekor.
  • Blue/green doc site deploy—downtime 0 s.

Compliance Automation

  • Snyk OSS, Trivy image scans; pipeline fails on high-severity CVEs.
  • Prowler scans AWS accounts; PCI evidence auto-archived into immutable S3 bucket.

Execution Journey

Sprint (2 wks)
Milestones
KPI Shift
Predictability
Sprints 0
Discovery, backlog, threat model
Baseline TTFP 12 wks
100 % gates
Sprints 1
OpenAPI generator PoC, Go core
Build size 3.2 MB
Risk-High WIP 16 %
Sprints 2
Python core, token cache, Snyk
CVEs critical 7→0
Buffer unused
Sprints 3
mTLS transport, mocked server
p95 latency 450 ms
Flex Security 16 h
Sprints 4
WebSocket helper, retry logic
p95 450 ms→180 ms
No slip
Sprints 5
Idempotency & webhook id
Error retries –73 %
Hot-fix 0
Sprints 6
Conformance harness v1, docs skeleton
TTFP 12 wks→8 wks
Budget +3 %
Sprints 7
OAuth 2.0 PSD2 flow, tox tests
Compliance coverage 60 %→95 %
--
Sprints 8
Artifact signing, Cosign, Rekor
Supply-chain risk↓
--
Sprints 9
Final hardening, PyPI/go proxy GA
TTFP 8 wks→6 wks
Delivered 3 days early

Buffer engineer stepped in when Python lead got COVID in Sprint 7—velocity dip 0 SP.

Business Outcomes & Impact

Partner integration time 12 weeks → 6 weeks (–50 %)

Transaction throughput 350 TPS → 700 TPS (2×), p95 latency < 140 ms

Support tickets –37 % (fewer auth & schema errors)

Artifact supply-chain risk --reduced (Cosign-signed, SLSA-level 2)

PCI DSS SAQ-A & ISO 27001 controls passed first audit; zero high findings

£5.4 million ARR from two SIs + three fintechs within 60 days post-launch

Predictability premium (~7 % rate uplift) paid back in one quarter via accelerated revenue

Why Steady Rabbit?

Core-Flex Micro-GCC

On-demand PCI & PSD2 SMEs within 48 h; Buffer bench erased PTO risk.

SteadCAST Predictability

Risk & capacity analytics delivered 98 % sprint adherence.

Shift-Left Gates

Seven Plan-Left gates cut re-work 39 %, adding < 2 h per sprint.

Dev-Experience Obsession

From brew install form3 to first payment in < 15 min.

Outcome-Linked Engagement

KPIs (integration time, latency, audit pass) tied to squad incentives.

Transparent Partnership

Weekly demos, real-time burn charts—zero surprises.

Client Testimonial

Steady Rabbit

Head of Developer Experience

Form3

Steady Rabbit gave us an SDK our partners love and our auditors applaud. Integration time halved, TPS doubled, and we never missed a milestone. Their Micro-GCC model is how you build certainty