Design a Secure Payment Gateway

Functional Requirements:

• Allow merchants to accept online payments from customers via credit/debit cards and digital wallets.
• Support payment authorization, capture, refund, and cancellation operations.
• Provide APIs for merchants to integrate payment processing into their websites or apps.
• Securely handle sensitive payment information (e.g., card numbers, CVV) and ensure PCI DSS compliance.
• Notify merchants and customers of payment status (success, failure, pending).
• Support basic fraud detection (e.g., velocity checks, blacklisted cards).
• Allow merchants to view transaction history and payment status.

Non-Functional Requirements:

• High availability (target 99.99% uptime) to avoid lost sales.
• Low latency for payment processing (e.g., < 2 seconds per transaction under normal load).
• Scalability to handle peak loads (e.g., Black Friday sales spikes).
• Strong security: encrypt data in transit and at rest, prevent unauthorized access.
• Compliance with regulatory standards (e.g., PCI DSS, GDPR for user data privacy).
• Auditability: log all payment transactions and access for compliance and troubleshooting.
• Rate limiting and abuse prevention to protect against DDoS and brute-force attacks.
• Disaster recovery: ability to recover from data loss or system failure within a reasonable time frame.