ezidebit payment solution for Salesforce Sales Cloud
How we got our Salesforce App through 2 Security Reviews. 1st time.
(or How we went from OMG to WTF with skedupay)
Every story always has a few things in common. Some actors. A story arc. A Journey. And a twist that no-one saw coming. Along the way, the actors discover more about the world around them and about themselves. But the thing that makes a story great over an average one is how much the actors persevere and never give up irrespective of the challenges. In the immortal words of Dale Kerrigan [The Castle], "This is our story".
Our story began in 2017 whilst we were working on a Pardot / Sales Cloud project with a client in the manufacturing sector. One of their core requirements was they needed to be able to process ezidebit payments directly inside Salesforce & it had to cover the entire life cycle from 'Opportunity - Closed Won' to 'Paid In Full'.
We figured it would be a simple case of finding an affordable solution on the Salesforce AppExchange, install it in their org, hook up their ezidebit merchant account, do some simple configuration & they would be processing payments in no time at all.
So, we set out on our journey and decided to stop by the most obvious place, Salesforce's AppExchange to find our solution. Sure, there were some solutions that were ok, but most of them were really, really expensive or they just didn't have the functionality that our customer needed.
So, it was back to First Principles. If we couldn't find a suitable pre-built solution, we would just have to build it ourselves.
The scope of the solution was simple and clear (or so we thought):
1) It had to drop straight into Salesforce Sales Cloud
2) It had to integrate seamlessly with ezidebit's payment gateway
3) It had to be intuitive and incorporate a 'mobile first' user design & experience, and;
4) It had to close the loop between 'Opportunity-Closed Won' & 'Paid in Full'
How hard could it be, right? We'd done it before and this tiny app would be a breeze.
Wrong. Very, very wrong. This is our story about how we went from "OMG!!! How are we going to pull this off" to "What the f**k? Seriously?" with skedupay.
The OMG Moment
Like all AppExchange Partners, we set out with some pretty lofty goals for the app that would eventually become skedupay. But firstly, we had to design and build it conceptually before we actually built the real thing. Fortunately at that time, we had enough bandwidth to meticulously design the solution from the ground up.
We came up with some incredible functionality, we POC'ed a pretty slick user interface, and created a seamless user experience. We then gave it a right royal flogging in testing and we felt we were in a good spot to submit it for Security Review with Salesforce.
Then, almost overnight, everything changed. Lightning Ready became mandatory for all new AppExchange Apps and we finally realised that integrating Salesforce with a complex, highly secure, PCI-DSS compliant payment gateway wasn't going to be as easy as we had thought and it would also require a second security review by ezidebit's Australian Security Compliance Team.
This was our "OMG Moment" and to be honest, it was the point where we were considering binning the whole project. But like all #salesforcetragics, we decided against it because taking that route would be like selling stock market shares when they hit rock bottom - it becomes a realised loss.
Instead, we put our heads down/bums up and got on with making it a reality.
The technical stuff was the (only) easy part
The first & easiest step was to make skedupay Lightning-Ready so we rebuilt every single screen and feature to make it compliant and cleaner. Yes, it was a pain, but it was worth the effort as skedupay now looks awesome and the Lightning Design System introduced some great new features that enhanced the overall user experience. In retrospect, it was a small price to pay for such a big win.
We had nailed the functionality, the code was rock solid and had good code coverage, the business logic and automation were comprehensive and the integration capabilities were holding up well under different test scenarios. For months, we were throwing different types of transactions at ezidebit, trying to break their integration APIs. It was a #salesforcetragic's idea of paradise. Later, we even got permission to launch a large-scale flood of requests against their APIs to ensure their safety mechanisms kicked in when we needed them to. They did.
Very, very cool fun, but the (techo) party was over. Game face back on.
Setting the stage
With the app built, the code tougher than Walker - Texas Ranger, & a user interface that was slicker than Ted Bullpitt's Kingswood [Google it], it was time to find out just how well-built skedupay actually was.
It was time to submit it for security assessments by both Salesforce and ezidebit. Dual Security Reviews in other words.
Knowing what we were up against, the first thing we did was very carefully bundle up skedupay into a Managed - Release 'package', which was a scary moment as there is no turning back from here.
Go take a look at the ISV Force Guide to learn about the different types of packages you can create when building apps for the Salesforce Platform. Trailhead's Build Apps as an AppExchange Partner Trail also offers a good high-level overview of the process.
It's Showtime (or Security Review * 2)
Back to the story. We had all our [documentation] ducks in a row now and we had collated the results from the various scans and parceled up the results from our tests against ezidebit's APIs.
When we hit the Submit buttons, we knew this was going to be our 'Opening Night'. It was the point where we got to find out if our apps development 'kung fu' was strong or whether we were just kidding ourselves. Guess we would find out soon enough as skedupay was now officially in the queue for Salesforce's comprehensive and very tough Security Review and ezidebit's equally rigorous PCI-DSS Compliance Review.
Our fate was sealed, so we sat back that 45-degree afternoon and enjoyed some well-earned raspberry lemonades with the spare change we had left over from the application fee and awaited the call up for Security Review * 2. We didn't have to wait long.
Great. Let's do this. Butts clenched. Game faces on. We had a plan and we were ready for it this time. Rework the code, repackage the app, re-test every-bloody-thing to within an inch of its life, and re-submit it. Rinse & Repeat till we got it right.
The Results are In
After an anxious, nail-biting week, the results were in from both security assessments and our only reaction was, "WTF? Seriously?"
skedupay had been passed first time by both Salesforce AND ezidebit.
Now, skedupay isn't our first AppExchange App. ecoSIStem, our OEM Student Administration System for K-12 schools, takes that honor, but that took 2 attempts to get it approved. However, for anyone who is not familiar with the Security Review process, nailing it first time is quite a rare achievement, but passing first time on 2 disparate technology platforms is about as hard as impeaching Donald Trump.
For a Salesforce AppExchange Partner, it is like winning the AFL/NRL Minor Rounds AND the Grand Final (on the same day in our case) and is the best outcome you could ever hope for.
The After Party
No Salesforce AppExchange partner ever expects to achieve such a remarkable result, but by the time we'd finished productising skedupay, we had:
1) A really happy client that didn't have to support a heavily customised payment management solution or complex integration services with ezidebit. Our client just installed skedupay, connected it to their ezidebit Merchant Account & started processing payments that day
2) Built a powerful ezidebit payment management solution for Salesforce Sales Cloud that was generic enough to support invoicing and billing across both B2B and B2C business models & virtually every industry sector, and;
3) Established our little company as one of the most capable Salesforce AppExchange Partners in Australia.
Epilogue - Would we do it again?
Short answer: Hell yes.
Long Answer: As complete #salesforcetragics, we love building innovative and cool apps for the Salesforce Platform. It's addictive and financially rewarding. Sure, not every app will get you into #lambos and #tothemoon, but the more apps you make, the more likely you are to hit upon a winner and the process DOES get easier each time. That's why we won't stop making apps that help customers succeed on the Salesforce Platform.
And that is our story about how we got our Salesforce app through 2 Security Reviews. First Time. Or how we went from OMG to WTF with skedupay.
Thank you for reading.