System Overview
Components
API Gateway
The entry point for all requests. Handles:- TLS termination
- Authentication (API key validation)
- Rate limiting
- Request routing to internal services
Payment Gateway Service
Processes payment transactions:- Translates Orchestra’s unified API to provider-specific formats
- Routes transactions to the specified Payment Gateway Account
- Handles provider responses and normalizes them
- Manages transaction state (authorization, capture, void, refund)
Payment Gateway Accounts Service
Manages provider connections:- Stores encrypted credentials
- Validates account configuration
- Handles credential rotation
Tokenization Service
Secures card data:- Encrypts and stores card details
- Issues tokens for stored cards
- Retrieves card data for transactions (never exposed to your systems)
Data Flow: Charge Transaction
1
Request Received
Your server sends a POST to
/PaymentGateway/charge with amount, currency, payment gateway account name, and card details (or token).2
Authentication
API Gateway validates your API key and checks permissions.
3
Account Resolution
Payment Gateway Service looks up the specified Payment Gateway Account to get provider type and credentials.
4
Token Resolution (if applicable)
If you sent a
cardToken, Tokenization Service retrieves the stored card data.5
Provider Call
Payment Gateway Service translates your request to the provider’s format and sends it to the provider’s API.
6
Response Processing
Provider response is normalized to Orchestra’s format and returned to you.
Security
Data at Rest
- All sensitive data (credentials, card numbers) encrypted with AES-256
- Encryption keys managed via HSM (Hardware Security Module)
- Database access restricted to service accounts
Data in Transit
- All API traffic over TLS 1.2+
- Provider communications over their required secure protocols
- No sensitive data in URLs or logs
PCI Compliance
Orchestra is PCI DSS Level 1 compliant. When you use Orchestra’s tokenization, card data never touches your systems, reducing your PCI scope. See our PCI compliance documentation for details.Reliability
Availability
- Multi-region deployment
- Automatic failover between availability zones
- 99.9% uptime SLA
Failover
Orchestra supports two approaches for payment failure recovery: 1. Built-in Sequential Failover (Payments Library) When using the Payments Library, pass a list of fallback Payment Gateway Accounts in the session request. Orchestra tries each one in order until a payment succeeds or all fail:stripe-primary fails, Orchestra automatically tries adyen-backup, then worldpay-fallback.
2. Custom Retry Logic (REST API)
When using the REST API directly, implement your own failover logic for full control over retry conditions:
Latency
Typical response times:
Provider latency dominates transaction times. Orchestra adds minimal overhead (~20-50ms).
Related Guides
Charge Payments
Implement your first charge
Multi-Gateway Failover
Set up automatic failover
Tokenization
Securely store card data
API Reference
Full endpoint documentation