Vincere.dev Vincere
Fintech Production System

ESA

Digital Bill Payment & Top-Up Platform for Cross-Border Transactions

5 Suppliers · ECPay Gateway · 10 min Reconciliation · State Machine Architecture

Executive Summary

We built ESA, a production digital-payments platform delivered as a LINE Mini App that lets customers in Taiwan pay Indonesian utilities and buy digital goods sourced from Indonesian suppliers. The backend treats payment and fulfillment as a verifiable state machine — orchestrating cross-border, real-money transactions across five fulfillment suppliers and a Taiwan payment gateway with no double-charges, no lost orders, and automatic recovery when a supplier fails.

The Problem

ESA processes real-money, cross-border transactions where every order debits a customer in Taiwan and triggers a fulfillment call to an Indonesian supplier. A single checkout touches a payment gateway (ECPay), one or more fulfillment suppliers (IAK, BillFazz, Redision, Lapak Gaming, Pulsa IF), and an asynchronous webhook return, any of which can time out, return ambiguously, or succeed silently. Key challenges included preventing double-charge and double-fulfillment under retries and duplicate webhooks, treating supplier failure as a normal condition requiring automatic fallback, comparing supplier costs across IDR and NTD through live exchange-rate conversion, integrating five heterogeneous provider contracts with distinct auth schemes and payload formats, and keeping every order fully answerable from stored records.

5 Fulfillment Suppliers · 2 Currencies · 10 min Reconciliation
Services Delivered: Dedicated Team


Architecture Overview

Data Layer: PostgreSQL, Prisma
Backend & Orchestration: NestJS, Cron Jobs
Frontend: LINE Mini App, Admin Dashboard
Infrastructure

Key Technical Decisions

System Design

A NestJS + Prisma/PostgreSQL backend serves as the single transactional core for two frontends: the customer-facing LINE Mini App and an internal admin dashboard. The payment domain is modeled as an explicit state machine — payments move PENDING → PAID → SUCCESS/FAILED while items carry their own lifecycle — and fulfillment is delegated through a provider-abstraction layer that routes each request to the correct supplier behind a uniform contract. ECPay handles gateway payments with signed webhook returns, and reconciliation runs continuously via scheduled jobs: a 10-minute cron detects stuck payments and alerts operators via LINE, while a 12-hour cron syncs supplier catalogs with per-supplier isolation so one provider's failure cannot block the rest.

Key Decisions

Payments were modeled as a state machine rather than a flag, making idempotency and recovery decidable rather than ad hoc. A provider abstraction isolates the transaction core from supplier specifics — suppliers can be added or swapped without touching payment logic. Suppliers are ranked by effective cost with automatic fallback: on failure the engine advances to the next viable supplier instead of failing the order. Order creation wraps payment, items, history, and promo usage in a single Prisma transaction, with non-reversible side effects deferred until after commit so a rolled-back transaction can never leak partial state. Provider requests, responses, and extracted artifacts are stored in structured JSON columns, absorbing per-supplier schema differences without constant migrations.
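
The cost-ranked fallback described above, as an added example (not code from the ESA backend): quotes are converted to NTD, tried cheapest-first, and the loop advances only on a definite failure. The exchange rate, the prices, the synchronous `call` callback and the rule that an ambiguous result halts fallback are assumptions of this example.

```typescript
type Currency = "IDR" | "NTD";
type Outcome = "ok" | "failed" | "unknown"; // unknown = timeout or ambiguous reply
interface Quote { supplier: string; cost: number; currency: Currency }
interface FulfillResult { supplier: string | null; tried: string[]; needsReconciliation: boolean }

// Constructed rate for this example (units of each currency per 1 NTD), not a real quote.
const UNITS_PER_NTD: Record<Currency, number> = { IDR: 500, NTD: 1 };

// Convert every quote to NTD so costs in different currencies are comparable.
function effectiveCostNtd(q: Quote): number {
  return q.cost / UNITS_PER_NTD[q.currency];
}

// Cheapest effective cost first; the input array is left untouched.
function rankByCost(quotes: Quote[]): Quote[] {
  return quotes.slice().sort((a, b) => effectiveCostNtd(a) - effectiveCostNtd(b));
}

// Try suppliers cheapest-first. Advance only on a definite failure: an unknown
// outcome may have succeeded silently, so stop and leave the order for
// reconciliation (assumption of this example) rather than risk a second fulfillment.
function fulfillWithFallback(quotes: Quote[], call: (supplier: string) => Outcome): FulfillResult {
  const tried: string[] = [];
  for (const q of rankByCost(quotes)) {
    tried.push(q.supplier);
    const outcome = call(q.supplier);
    if (outcome === "ok") return { supplier: q.supplier, tried, needsReconciliation: false };
    if (outcome === "unknown") return { supplier: null, tried, needsReconciliation: true };
  }
  return { supplier: null, tried, needsReconciliation: false }; // every supplier definitely failed
}

// Constructed quotes using supplier names from the page; the prices are made up.
const SAMPLE_QUOTES: Quote[] = [
  { supplier: "IAK", cost: 51000, currency: "IDR" },        // 102 NTD
  { supplier: "BillFazz", cost: 49500, currency: "IDR" },   // 99 NTD
  { supplier: "Lapak Gaming", cost: 100, currency: "NTD" }, // 100 NTD
];
```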

Implementation Highlights

Idempotency by state inspection short-circuits reprocessing, so duplicate webhooks and retries cannot cause a second fulfillment. ECPay callbacks are validated via CheckMacValue (AES-128-CBC) before any state transition, rejecting forged or malformed callbacks. Order creation returns immediately while item fulfillment is dispatched asynchronously, keeping checkout responsive while settlement proceeds. Live currency conversion through stored exchange rates feeds cost comparison and margin logic across IDR and NTD. A full audit trail — payment history, item process records, and raw provider exchanges — makes every order reconstructable for support and compliance, and bounded provider concurrency protects third-party APIs during bulk catalog sync.
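
The idempotent webhook handling and the stuck-payment sweep described above, as an added example rather than code from the ESA backend. The in-memory `PaymentLedger`, the `signatureValid` flag (standing in for the CheckMacValue check done by the caller) and the definition of "stuck" as a non-terminal state older than a threshold are assumptions.

```typescript
type PaymentState = "PENDING" | "PAID" | "SUCCESS" | "FAILED";
type WebhookResult = "applied" | "duplicate" | "rejected";
interface Payment { id: string; state: PaymentState; updatedAt: number; history: string[] }

// Legal moves for the lifecycle on the page: PENDING -> PAID -> SUCCESS/FAILED.
const TRANSITIONS: Record<PaymentState, PaymentState[]> = {
  PENDING: ["PAID"], PAID: ["SUCCESS", "FAILED"], SUCCESS: [], FAILED: [],
};

// In-memory stand-in for the payments table (hypothetical; the page uses PostgreSQL/Prisma).
class PaymentLedger {
  private rows = new Map<string, Payment>();
  dispatched: string[] = []; // fulfillment jobs handed off, at most one per payment

  create(id: string, now: number): void {
    this.rows.set(id, { id, state: "PENDING", updatedAt: now, history: [] });
  }

  state(id: string): PaymentState | undefined { return this.rows.get(id)?.state; }

  // Compare-and-set: succeeds only from the expected state. Against a database this
  // must be one conditional UPDATE so two concurrent webhooks cannot both win.
  transition(id: string, from: PaymentState, to: PaymentState, now: number): boolean {
    const row = this.rows.get(id);
    if (!row || row.state !== from || !TRANSITIONS[from].includes(to)) return false;
    row.history.push(`${from}->${to}`);
    row.state = to;
    row.updatedAt = now;
    return true;
  }

  // Validate first, then let the state decide whether this delivery does anything.
  onPaidWebhook(id: string, signatureValid: boolean, now: number): WebhookResult {
    if (!signatureValid || !this.rows.has(id)) return "rejected"; // no state change on bad input
    if (!this.transition(id, "PENDING", "PAID", now)) return "duplicate"; // no longer PENDING
    this.dispatched.push(id); // stand-in for the asynchronous fulfillment dispatch
    return "applied";
  }

  // Reconciliation sweep: payments left in PENDING or PAID for longer than maxAgeMs.
  findStuck(now: number, maxAgeMs: number): string[] {
    return Array.from(this.rows.values())
      .filter((p) => (p.state === "PENDING" || p.state === "PAID") && now - p.updatedAt > maxAgeMs)
      .map((p) => p.id);
  }
}
```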

Results & Validation

Shipped to production as the transactional backbone for a live LINE Mini App serving Taiwan-based customers buying Indonesian digital products.

State-machine-enforced lifecycles and idempotency structurally prevent double-charging and double-fulfillment.

Automatic multi-supplier fallback across five fulfillment providers, so a single supplier outage degrades cost — not customer experience.

Self-healing reconciliation detects and surfaces stuck payments within minutes, eliminating silent transaction loss from missed webhooks.

Provider-agnostic integration layer lets new suppliers be onboarded without modifying core payment logic.

End-to-end auditability — every order is fully reconstructable from persisted state and provider history, meeting the traceability bar required for financial transactions.

Key Insights

Correctness treated as a first-class design goal: idempotency, atomic writes with deferred side effects, and state-machine modeling structurally prevent double-charge and double-fulfillment rather than patching them after the fact.

Resilience baked into the happy path — supplier failure triggers automatic, cost-aware fallback rather than a customer-visible error.

Clean separation of volatile dependencies: five heterogeneous suppliers with distinct auth and payload contracts isolated behind one interface, so the business core stays stable as integrations change.

Self-healing operations through continuous reconciliation — the system recovers from missed webhooks and provider hiccups without manual intervention.

A key insight: in money-moving systems, final state often depends on asynchronous webhooks that may be delayed or dropped — correctness must be enforced through reconciliation, not assumed at request time.

Who This Applies To

This architecture is directly applicable to payment platforms and marketplaces orchestrating transactions across multiple third-party providers, cross-border commerce requiring multi-currency cost optimization, and any money-moving system where idempotency, automatic failover, and auditability are non-negotiable. It is particularly relevant for products built on super-app ecosystems such as LINE Mini Apps.

Tags: Fintech, Payments, Multi-Supplier, Cross-Border, LINE Mini App

Technologies Used

Backend: NestJS, Prisma

Frontend: LINE Mini App

Data & Integrations: PostgreSQL, ECPay, Webhooks

Patterns & Techniques: State Machine, Idempotency, Provider Abstraction, Reconciliation Jobs, Multi-Currency, Audit Trail

Tools: GitHub
