Overview
Building a payment system means creating the infrastructure that processes financial transactions—from simple checkout flows to complex multi-currency platforms. This encompasses payment processing, fraud detection, reconciliation, refunds, subscriptions, and compliance with financial regulations.
Unlike general backend development, payments engineering requires domain expertise that takes years to develop. Engineers must understand card network protocols, payment processor APIs, PCI-DSS requirements, fraud patterns, and the financial edge cases that can cost millions when handled incorrectly.
The critical first decision is build vs. integrate. Most companies should use payment platforms like Stripe, Adyen, or Braintree rather than building from scratch. Building custom payment infrastructure only makes sense when processing billions in volume, requiring unique functionality, or when payment processing is your core product. This guide covers both approaches and how to hire for each.
What Success Looks Like
Before diving into hiring, understand what successful payment systems achieve. Your payment infrastructure is the revenue engine of your business—failures here directly impact the bottom line.
Characteristics of High-Performing Payment Systems
1. High Authorization Rates
Great payment systems achieve 95%+ authorization rates. Every 1% improvement in auth rate directly increases revenue. This requires smart retry logic, proper error handling, and understanding of card network rules.
2. Low Fraud Rates
Balance fraud prevention with customer friction. Target <0.1% fraud rate while maintaining <1% false positive rate. Too strict = lost legitimate customers. Too loose = chargebacks and losses.
3. Fast Settlement
Money should move predictably. Clear visibility into when funds will be available, accurate reconciliation, and minimal float time. For marketplaces, efficient payouts to sellers.
4. Compliance Confidence
Pass audits without scrambling. PCI-DSS compliance is maintained continuously, not achieved annually. SOC 2 controls are embedded in processes, not bolted on.
5. Operational Excellence
Issues are detected before customers report them. Monitoring catches payment failures in real-time. On-call engineers can diagnose and resolve issues quickly.
Warning Signs of Struggling Payment Systems
| Warning Sign | Impact | Root Cause |
|---|---|---|
| Auth rates below 90% | Lost revenue, customer frustration | Poor error handling, no retry logic |
| Rising chargebacks | Direct losses, processor warnings | Weak fraud detection |
| Reconciliation errors | Accounting nightmares, audit failures | Data integrity issues |
| PCI compliance gaps | Regulatory risk, breach liability | Security deprioritized |
| Manual intervention required | Engineering time, error-prone | Poor automation |
| Slow international expansion | Missed markets, competitive disadvantage | Inflexible architecture |
The Build vs. Integrate Decision
This decision shapes your entire hiring strategy. Get it right before you start building your team.
When to Integrate (Most Companies)
Use payment platforms (Stripe, Adyen, Braintree, PayPal) when:
- Processing under $100M annually
- Standard use cases (e-commerce, SaaS, marketplaces)
- Need to launch quickly (weeks, not months)
- Don't have payments domain expertise
- Payment processing isn't your competitive advantage
Integration team requirements:
| Role | Count | Focus |
|---|---|---|
| Senior Backend Engineer | 1-2 | Payment platform integration |
| Frontend Engineer | 1 | Checkout experience |
| DevOps/Security | 0.5 | PCI compliance, infrastructure |
Total: 2-4 engineers, $400K-800K annually
Benefits of integration:
- Faster time to market (weeks vs. months)
- Built-in fraud detection and compliance
- Platform handles PCI-DSS burden
- Automatic updates for regulations and card rules
- Lower engineering investment
When to Build Custom (Rare)
Build custom payment infrastructure when:
- Processing $100M+ annually AND margins matter
- Unique requirements platforms can't support
- Payment processing IS your product (fintech)
- Need direct acquiring relationships
- Global scale with specific regional needs
Custom build team requirements:
| Role | Count | Focus |
|---|---|---|
| Payments Tech Lead | 1 | Architecture, compliance |
| Senior Backend Engineers | 2-3 | Core processing, integrations |
| Security Engineer | 1 | PCI-DSS, fraud, encryption |
| Data Engineer | 1 | Reconciliation, reporting |
| QA Engineer | 1 | Payment flow testing |
Total: 6-8 engineers, $1.5M-2.5M annually
Hybrid Approach (Common Path)
Most successful companies evolve through stages:
Stage 1: Pure Integration
- Use Stripe/Adyen for everything
- Focus engineering on core product
- Accept platform fees as cost of speed
Stage 2: Optimize Integration
- Build abstraction layer over payment platform
- Add custom fraud rules
- Optimize checkout conversion
Stage 3: Selective Building
- Direct acquiring for high-volume regions
- Custom fraud models
- Multi-processor routing
Stage 4: Full Control (Rare)
- Payment facilitator (PayFac) model
- Direct card network connections
- Full compliance ownership
Roles You'll Need
For Integration-Focused Teams
Senior Backend Engineer (Payments Focus)
This is your first payments hire. They own the integration with payment platforms and ensure reliable transaction processing.
Key responsibilities:
- Integrate with payment platforms (Stripe, Adyen, etc.)
- Build checkout flows and payment orchestration
- Handle webhooks, retries, and error states
- Implement subscription and recurring billing logic
Must-have experience:
- 5+ years backend development
- Payment platform integration experience
- Understanding of asynchronous processing
- Idempotency and data consistency patterns
Checkout/Frontend Engineer
Owns the payment user experience—the last step before conversion.
Key responsibilities:
- Build checkout flows with conversion optimization
- Implement payment forms with proper security
- Handle payment method storage (tokenization)
- Mobile payment experiences (Apple Pay, Google Pay)
Must-have experience:
- Strong frontend skills (React, Vue, etc.)
- PCI-compliant form handling
- A/B testing and conversion optimization
- Accessibility for payment flows
For Custom Build Teams
Payments Technical Lead
The architect who understands both technology and financial domain.
Key responsibilities:
- Payment system architecture and roadmap
- PCI-DSS compliance ownership
- Vendor relationships (processors, acquirers)
- Technical due diligence on payments decisions
Must-have experience:
- 8+ years with 3+ in payments specifically
- Built payment systems at scale
- Deep compliance knowledge (PCI-DSS, SOC 2)
- Experience with multiple payment processors
Security Engineer (Payments)
Payments require specialized security beyond general AppSec.
Key responsibilities:
- PCI-DSS compliance and audit preparation
- Encryption key management
- Fraud detection integration
- Secure payment data handling
Must-have experience:
- PCI-DSS implementation experience
- Hardware security modules (HSMs)
- Tokenization and encryption patterns
- Fraud prevention systems
Data Engineer (Payments)
Financial data requires exceptional accuracy and auditability.
Key responsibilities:
- Payment reconciliation pipelines
- Financial reporting and analytics
- Audit trails and compliance reporting
- Settlement and payout calculations
Must-have experience:
- Financial data modeling
- Reconciliation systems
- High-accuracy data pipelines
- Regulatory reporting
Compliance Considerations
PCI-DSS: The Non-Negotiable
Payment Card Industry Data Security Standard (PCI-DSS) compliance is mandatory if you handle card data. The level of compliance depends on transaction volume and how you handle data.
Compliance levels:
| Level | Volume | Requirements |
|---|---|---|
| Level 4 | <20K transactions/year | Self-Assessment Questionnaire (SAQ) |
| Level 3 | 20K-1M transactions | SAQ + quarterly scans |
| Level 2 | 1M-6M transactions | SAQ + quarterly scans |
| Level 1 | >6M transactions | Annual on-site audit (QSA) |
Hiring implications:
Using payment platforms (Stripe, etc.):
- Platform handles most PCI burden
- You're responsible for SAQ-A or SAQ-A-EP
- Need engineer who understands secure integration
- Security review of your integration points
Building custom:
- Need dedicated security engineer (or team)
- Annual QSA audits ($50K-200K)
- Ongoing compliance maintenance
- Security training for all engineers touching payments
Beyond PCI-DSS
Other compliance requirements to consider:
| Regulation | Scope | Hiring Impact |
|---|---|---|
| SOC 2 | Security controls | Security engineer + processes |
| GDPR/CCPA | Data privacy | Data handling procedures |
| PSD2/SCA | European payments | Strong authentication implementation |
| State money transmitter | US money movement | Legal + compliance expertise |
| AML/KYC | Fraud/compliance | Identity verification systems |
Team Structure
Small Team (Integration Focus)
Engineering Lead
├── Senior Backend Engineer (Payments)
│ └── Owns: Integration, webhooks, billing
├── Frontend Engineer
│ └── Owns: Checkout, payment UX
└── DevOps/Security (shared)
└── Owns: PCI compliance, infrastructure
Total: 3-4 engineers
Budget: $500K-900K annually
Medium Team (Growing Payments)
Payments Engineering Manager
├── Senior Backend Engineer × 2
│ └── Owns: Core processing, integrations
├── Frontend Engineer
│ └── Owns: Checkout experience
├── Security Engineer (0.5-1 FTE)
│ └── Owns: PCI, fraud rules
└── Data Engineer (0.5 FTE)
└── Owns: Reconciliation, reporting
Total: 5-6 engineers
Budget: $1M-1.5M annually
Large Team (Custom Build)
VP/Director of Payments
├── Payments Engineering Manager
│ ├── Tech Lead (Architecture)
│ ├── Senior Backend × 3
│ │ └── Owns: Core processing, routing, settlement
│ └── Mid-Level Backend × 2
│ └── Owns: Integrations, operational tools
├── Security Team
│ ├── Security Engineer (Payments)
│ │ └── Owns: PCI, HSM, encryption
│ └── Fraud Engineer
│ └── Owns: Detection, rules, ML models
├── Data Team
│ ├── Data Engineer
│ │ └── Owns: Reconciliation, pipelines
│ └── Analytics Engineer
│ └── Owns: Reporting, metrics
└── Frontend Engineer
└── Owns: Checkout, payment UX
Total: 10-12 engineers
Budget: $2.5M-4M annually
Common Pitfalls
1. Building Before You Should
The trap: "We'll save money by building our own payment system."
Reality: Payment platforms charge 2.9% + $0.30, but building custom costs $1.5M+ in year one alone. At $10M GMV, platform fees = $290K. You're not saving money until $50M+ volume, and that ignores ongoing maintenance.
Better approach: Integrate first. Build abstraction layer. Migrate to custom only when volume justifies it AND you have payments expertise.
2. Underestimating Compliance
The trap: "PCI compliance is just a checklist."
Reality: PCI-DSS is ongoing, not one-time. Failed compliance means losing ability to process cards. Breaches mean fines, lawsuits, and reputation damage.
Better approach: Hire someone with compliance experience. Budget for audits and tooling. Build compliance into engineering culture from day one.
3. Ignoring Edge Cases
The trap: "We'll handle the happy path first, edge cases later."
Reality: Payments edge cases cause real financial losses: duplicate charges, failed refunds, currency conversion errors, partial captures. Each edge case is a potential customer escalation or revenue leak.
Better approach: Hire engineers who've seen payments at scale. Document and test edge cases thoroughly. Build monitoring for financial anomalies.
4. Underinvesting in Fraud
The trap: "We'll add fraud prevention when we need it."
Reality: Fraudsters find you fast. High chargeback rates trigger processor warnings, fee increases, or termination. Reactive fraud prevention means losses have already occurred.
Better approach: Use platform fraud tools from day one. Monitor fraud metrics continuously. Add custom rules as patterns emerge.
5. Poor Error Handling
The trap: "Card declined? Show an error and move on."
Reality: Vague errors frustrate customers. Missing retry logic loses revenue. Poor error logging makes debugging impossible.
Better approach: Specific, actionable error messages. Smart retry with exponential backoff. Comprehensive logging for every transaction state.
Budget Reality Check
Integration Approach (Most Companies)
| Cost Category | Year 1 | Ongoing |
|---|---|---|
| Engineering team (3-4 FTE) | $500K-800K | $500K-800K |
| Payment platform fees* | 2.9% + $0.30 | 2.9% + $0.30 |
| Infrastructure | $5K-15K | $5K-15K |
| Security/compliance tools | $10K-30K | $10K-30K |
| Total (excluding platform fees) | $515K-845K | $515K-845K |
*Platform fees scale with volume: $10M GMV = ~$290K fees
Custom Build Approach
| Cost Category | Year 1 | Ongoing |
|---|---|---|
| Engineering team (8-10 FTE) | $1.5M-2.5M | $1.5M-2.5M |
| PCI-DSS audit (QSA) | $100K-200K | $50K-100K |
| Security infrastructure | $50K-150K | $30K-80K |
| Processor relationships | $50K-100K | Varies |
| Insurance and reserves | $25K-75K | $25K-75K |
| Total | $1.7M-3M | $1.6M-2.8M |
When Custom Makes Financial Sense
Break-even analysis (simplified):
- Platform fees at $100M GMV: ~$2.9M
- Custom build cost: ~$2.5M ongoing
- Break-even: roughly $85M-100M+ GMV
But financial break-even ignores:
- Engineering opportunity cost
- Compliance risk
- Time to build (12-18 months)
- Ongoing maintenance burden
Recommendation: Don't build custom until volume exceeds $100M AND you have strategic reasons beyond cost savings.
Recruiter's Cheat Sheet
Key Questions to Ask Candidates
| Question | What You're Assessing |
|---|---|
| "Walk me through a payment you processed end-to-end" | Domain understanding |
| "How would you handle a duplicate charge scenario?" | Edge case thinking |
| "What's your experience with PCI-DSS?" | Compliance awareness |
| "How do you approach idempotency in payment systems?" | Technical depth |
| "Tell me about a payments bug you debugged" | Real-world experience |
Red Flags in Payments Candidates
- No understanding of idempotency ("charge only once")
- Treats compliance as someone else's problem
- No experience with async processing/webhooks
- Can't explain payment flow from user click to settlement
- Dismissive of edge cases or error handling
Green Flags in Payments Candidates
- Has seen payment systems fail and knows what breaks
- Understands compliance is engineering responsibility
- Thinks about financial accuracy obsessively
- Experience with multiple payment platforms
- Can explain card networks, processors, and acquirers