Fintech on Cloud
← Back to blog
// Production Architecture · Post #5 · European Payment Series · PSP / Bank Perspective

Wero Payments — Production-Grade GCP Architecture
Pan-European Wallet on SCT Inst

Architecture for building the Acceptor PSP / Issuing Bank side of Wero. External parties (EPI Central Services, SCT Inst rail, consumer wallet) shown as dashed-border components. Click any component for a full explanation.

Wero / EPI SCT Inst GCP A2A Payments iDEAL Migration Open Banking v3 iDEAL Successor
Click any component to explore its role, GCP service mapping, failure modes and design notes

⚖ iDEAL vs Wero — What Actually Changes for Engineers

ARCHITECTURE COMPARISON · FROM NATIONAL TO PAN-EUROPEAN

iDEAL vs Wero — What Actually Changes for Engineers

ARCHITECTURE COMPARISON · FROM NATIONAL TO PAN-EUROPEAN

🇳🇱 iDEAL (legacy — sunset end 2027)

  • Dutch-only, Currence-governed scheme
  • iDEAL Hub as central clearing router
  • Redirect flow only: bank-select → auth → redirect back
  • Webhook is truth signal (redirect unreliable)
  • Transaction ID: 16-digit numeric format
  • No P2P, no cross-border, no POS
  • No purchase protection built in
  • Operated by Currence — NL only governance

🇪🇺 Wero (iDEAL successor from Q2 2026)

  • Pan-European, EPI-governed (16 banks, 1-vote-per-bank)
  • EPI Central Services as orchestration layer
  • Redirect + QR code + push notification flows
  • Webhook remains truth signal — same principle
  • Transaction ID: new format with prefix — breaking change!
  • P2P live, e-commerce 2025, POS 2026, subscriptions 2026+
  • Purchase protection + structured dispute resolution
  • Live: DE, FR, BE · NL from Q2 2026 · 50M+ users
🗓 iDEAL → Wero Migration Timeline (Netherlands)
Q1 2026 (NOW)
Co-branded iDEAL|Wero logo replaces iDEAL everywhere. Branding update required by 31 Jan 2026.
Q2–Q3 2026
First Wero transactions live. New Transaction ID format active. PSP technical migration begins.
Q4 2026
Full Wero contract replaces iDEAL contract. Advanced features: subscriptions, BNPL, QR POS.
End 2027
iDEAL brand retired completely. All traffic is Wero. Full European interoperability live.

💳 Wero E-Commerce Payment Flow

MERCHANT → PSP → EPI CENTRAL SERVICES → CONSUMER WALLET → SCT INST RAIL → SETTLEMENT

Wero E-Commerce Payment Flow

MERCHANT → PSP → EPI CENTRAL SERVICES → CONSUMER WALLET → SCT INST RAIL → SETTLEMENT

① Checkout Initiation — Merchant Side
Consumer
selects Wero
at checkout
POST /pay
Merchant Server
paymentMethod:
WERO
REST API
Acceptor PSP
Nuvei / Worldline
Axepta / PPRO
OB v3 API
EPI Central Services
scheme orchestrator
alias resolution
② Consumer Authentication — Wero Wallet Layer
EPI Central Services
routes auth req
to issuer wallet
push / redirect
Wero Wallet
standalone app
or bank-embedded
biometric SCA
Consumer
swipe to approve
Face ID / PIN
confirmed
Phone/IBAN Registry
EPI alias resolution
phone → IBAN
③ SCT Inst Settlement — <10 Seconds, 24/7
Issuing Bank
debit consumer
fund check + SCA
pacs.008
SCT Inst Rail
EBA RT1 / TIPS
<10s settlement
credit
Acquiring Bank
credit merchant
instant settlement
funds
Merchant Account
funds available
no T+1 batch
④ Confirmation — Webhook is the Source of Truth
EPI Central Services
settlement confirmed
fires webhook
COMPLETED
Acceptor PSP
verifies sig
normalises status
webhook
Merchant Backend
webhook handler
fulfill order
confirmed
Consumer
payment confirmed
in wallet + shop

✕ Failure Modes — PSP Side Resilience

WEBHOOK TIMEOUT · IDEMPOTENCY FAILURE · FRAUD BLOCK · MERCHANT RETRY STORM · CERT EXPIRY · EPI API ERROR

✕ Failure Modes — Wero Payment Resilience

WEBHOOK TIMEOUT · IDEMPOTENCY FAILURE · FRAUD BLOCK · MERCHANT RETRY STORM · CERT EXPIRY · EPI API ERROR

// Failure 1 — Webhook timeout: EPI fires webhook but your handler times out — payment is settled at EPI but you never received confirmation — idempotency key in AlloyDB prevents double processing on retry
EPI Central
Sends webhook
COMPLETED
Webhook Handler
Cloud Run · timeout
timeout / no 200
AlloyDB
Idempotency key exists
EPI retries
Cloud Monitoring
Webhook retry rate alert
// Failure 2 — Merchant retry storm: merchant timeout on payment init → retries — Apigee idempotency pre-check caches response — prevents duplicate EPI API calls
Merchant Server
Payment init timeout
retry with same key
Apigee X
Idempotency check
← cached 200
Merchant Server
Receives cached response
alert: retry rate
Cloud Monitoring
Merchant retry rate
// Failure 3 — Fraud block: Vertex AI fraud score exceeds threshold — payment declined BEFORE EPI call — consumer never sees payment as initiated at EPI
Payment Init
Calls Vertex AI
fraud prediction
Vertex AI
Score > 0.8
HIGH RISK
Payment Init
Decline before EPI
return 403 Forbidden
Merchant Server
Shows decline message
// Failure 4 — EPI API error: Payment Init calls EPI but gets 4xx/5xx — decision point: retry with exponential backoff or surface to merchant — SCT Inst has not fired so reversal is possible
Payment Init
POST to EPI API
EPI 500 error
EPI Central
Service degradation
circuit breaker checks
Circuit Breaker
Open after 3 fails
queue for retry
Cloud Pub/Sub
DLQ · backoff
// Failure 5 — mTLS cert expiry: Apigee cert expires → EPI rejects all mTLS connections → payment outage — 30-day pre-expiry alert is critical
EPI Central
mTLS handshake
CERT_EXPIRED
Apigee X
Cert expired
30-day pre-alert
Secret Manager
Expiry monitoring
auto-rotate
Cloud Functions
Cert + Apigee reload

☁ GCP Production Architecture — Acceptor PSP Side

HOW TO BUILD YOUR WERO INTEGRATION ON GOOGLE CLOUD PLATFORM

GCP Production Architecture — Acceptor PSP Side

HOW TO BUILD YOUR WERO INTEGRATION ON GOOGLE CLOUD PLATFORM

GCP Layer 1 — Ingress & API Gateway
Consumer
mobile / web
checkout
HTTPS
Cloud Armor
WAF · DDoS
EPI IP allowlist
filtered
Apigee X
mTLS · JWT
quota mgmt
authed
Payment Init Service
Cloud Run
stateless · autoscale
GCP Layer 2 — Payment Orchestration & Events
Payment Init Service
Cloud Run
EPI API adapter
publish event
Cloud Pub/Sub
payment events
webhook ingestion
consume
Webhook Handler
Cloud Run
idempotent consumer
write state
AlloyDB
payment state
idempotency keys
GCP Layer 3 — State Machine & Reconciliation
AlloyDB
CREATED · PENDING
COMPLETED · FAILED
scheduled job
Recon Service
Cloud Run Jobs
EPI vs SCT Inst
stream
BigQuery
settlement reports
analytics · audit
archive
Cloud Storage
EPI settlement files
7yr WORM retention
GCP Layer 4 — Security, Secrets & Networking
Secret Manager
EPI API keys
mTLS certs
envelope enc
Cloud KMS
CMEK · HSM-backed
per-system keys
private path
VPC + PSC
Private Service Connect
no public EPI traffic
least priv
IAM + Workload Identity
service-to-service
no static keys

🛡️ Fraud & Risk Layer

REAL-TIME SCORING · VELOCITY CHECKS · PRE-EPI-CALL — SCT INST IS IRREVOCABLE

Fraud & Risk Layer

REAL-TIME SCORING · VELOCITY CHECKS · PRE-EPI-CALL — SCT INST IS IRREVOCABLE

Risk Services — GCP AI Platform (must run BEFORE EPI API call)
Cloud Pub/Sub
payment event stream
real-time pipeline
stream
Dataflow
streaming fraud
feature pipeline
features
Vertex AI
fraud model
<50ms prediction
velocity
Memorystore Redis
velocity checks
<5ms lookup

📊 Observability Stack

PAYMENT LATENCY SLOs · WEBHOOK HEALTH · SETTLEMENT MONITORING · RECON GAPS

Observability Stack

PAYMENT LATENCY SLOs · WEBHOOK HEALTH · SETTLEMENT MONITORING · RECON GAPS

Monitoring — GCP Operations Suite
Cloud Monitoring
payment latency
SCT Inst SLO <10s
logs
Cloud Logging
structured JSON
EPI tx audit trail
traces
Cloud Trace
end-to-end tracing
EPI + SCT Inst spans
analytics
BigQuery
payment analytics
recon dashboards

⚖ GCP vs AWS vs Azure — Honest Comparison for Wero Integration

WHERE EACH CLOUD WINS, WHERE IT LOSES — NO MARKETING SPIN

GCP vs AWS vs Azure — Honest Comparison for Wero Integration

WHERE EACH CLOUD WINS, WHERE IT LOSES — NO MARKETING SPIN

Capability GCP AWS Azure
API Gateway (mTLS) Apigee X — native mTLS, quota mgmt, analytics built-in API Gateway + WAF — requires more config for mTLS APIM — solid OAuth, good EU coverage, verbose config
Event streaming Pub/Sub — managed, push + pull, ordering keys built-in EventBridge + SQS — more moving parts, powerful integrations Event Hubs — solid, Kafka-compatible API, good for existing Kafka shops
Payment state DB AlloyDB — PostgreSQL-compat, 4x read perf, 99.99% SLA Aurora PG — battle-tested, widest ISV support, more war stories Azure DB for PostgreSQL Flexible — solid but less ecosystem depth
Serverless compute Cloud Run — instant autoscale, generous free tier, simple Lambda — 270+ native integrations, widest ecosystem Container Apps — less mature, improving fast
Fraud ML Vertex AI — online prediction, feature store, <50ms P99 SageMaker — broader model library, more MLOps tooling Azure ML — strong enterprise tooling, tight AAD integration
Secrets management Secret Manager — simple, versioned, Workload Identity integration Secrets Manager — automatic rotation, more HSM options Key Vault — tight AAD integration, good for enterprise banks
EPI / bank connectors ⚠ Fewer native bank-specific ISV integrations AWS FinSpace, more bank-specific ISVs pre-built Good EU bank relationships, but fewer native connectors
EU data residency Sovereign Controls — EU data boundary enforced contractually GovCloud EU-equivalent — complex setup for EU-only EU Data Boundary — strong compliance posture, faster for EU banks
NL / EPI latency europe-west4 (Netherlands) — optimal for EPI infra eu-central-1 / eu-west-1 — solid, well-peered West Europe (Amsterdam) — lowest NL latency for DNB oversight
EPI / Scheme Layer (external)
Bank / Rail Layer (external)
GCP Services (you build)
Analytics / Risk
Observability
External Actor
Synchronous call
Async / event-driven
Fintech on Cloud · fintechoncloud.substack.com · Post #5 — Wero Payments Architecture