Vendor & Integration Register
Document Owner: Daniel O'Reilly, Chief Digital Officer
Organisation: Simpaisa Holdings
Classification: Internal — Confidential
Created: 2026-04-03
Last Reviewed: 2026-04-03
Review Cadence: Quarterly (critical vendors), Annually (non-critical)
Version: 1.0
1. Purpose & Scope
This register provides a comprehensive inventory of all external vendors, payment channel integrations, technology providers, and infrastructure services upon which Simpaisa's platform depends. It serves as the authoritative source of truth for:
- Vendor management — contract ownership, renewal tracking, and commercial terms
- Integration health — monitoring the operational status of every external dependency
- Risk assessment — identifying single points of failure, concentration risk, and geo-political exposure
- Compliance — ensuring all vendors meet regulatory and security requirements across our operating markets (Pakistan, Bangladesh, Nepal, Iraq, Egypt)
- Incident response — understanding blast radius when a vendor or channel experiences an outage
Simpaisa processes 270M+ transactions worth $1B+ annually across five markets. The reliability and governance of our vendor ecosystem are therefore a critical business concern.
Each vendor entry uses a standardised card format with the following fields:
| Field | Description |
| --- | --- |
| Vendor | Legal entity or brand name |
| Parent Company | Parent or holding company, if applicable |
| Integration Type | Category: mobile wallet, carrier billing, bank transfer, card network, technology, infrastructure |
| Markets | Countries where this integration is active |
| Simpaisa Products | Which Simpaisa products use this integration (Pay-Ins, Pay-Outs, Remittances, Cards) |
| API Version / Protocol | REST, SOAP, ISO 8583, proprietary; versioned or unversioned |
| Authentication | How Simpaisa authenticates with the vendor (API key, OAuth, mTLS, RSA, etc.) |
| Connection Method | Public internet (TLS), VPN, AWS Direct Connect, leased line |
| SLA | Contractual uptime and response time commitments |
| Settlement Terms | Settlement cycle (T+0, T+1, T+2, T+3) |
| Fee Structure | Commission rates, fixed fees, or hybrid |
| Failover Behaviour | What happens when this channel is unavailable |
| Capabilities | Supported operations (charge, refund, inquiry, recurring, etc.) |
| Contract Owner | Internal owner of the commercial relationship |
| Contract Renewal | Next renewal or expiry date |
| Integration Health | Current status and quality rating |
| Regulator | Regulatory body overseeing this channel |
| Risk Rating | Business impact if this vendor becomes unavailable (Critical / High / Medium / Low) |
| Notes | Additional context |
3. Payment Channel Integrations (Pay-In)
These are the customer-facing payment channels through which Simpaisa collects funds on behalf of merchants in Pakistan.
3.1 JazzCash
| Field | Detail |
| --- | --- |
| Vendor | JazzCash |
| Parent Company | Jazz (VEON Group / Mobilink Microfinance Bank) |
| Integration Type | Mobile Wallet |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | API key + HMAC signature |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC — target 99.5% uptime |
| Settlement Terms | T+1 |
| Fee Structure | 1.2–1.5% per transaction |
| Failover Behaviour | Transactions routed to alternative wallet channels (Easypaisa); customer shown channel-unavailable message with retry option |
| Capabilities | Single charge, inquiry, refund, balance check |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — generally stable; occasional timeout spikes during peak hours |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Critical — largest wallet by user base (40M users); significant transaction volume |
| Notes | Highest-volume wallet channel. JazzCash API has been stable but documentation quality is variable. |
3.2 Easypaisa
| Field | Detail |
| --- | --- |
| Vendor | Easypaisa |
| Parent Company | Telenor Microfinance Bank (TMB) / Telenor Group |
| Integration Type | Mobile Wallet |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | API key + HMAC signature |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC — target 99.5% uptime |
| Settlement Terms | T+1 |
| Fee Structure | 1.8% per transaction |
| Failover Behaviour | Transactions routed to JazzCash or bank transfer channels; customer shown alternative payment options |
| Capabilities | Single charge, inquiry, refund |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — reliable performance |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Critical — second-largest wallet (30M users); key Pay-In channel |
| Notes | Strong brand recognition. Higher fee than JazzCash but reliable settlement. |
3.3 HBL Konnect
| Field | Detail |
| --- | --- |
| Vendor | HBL Konnect |
| Parent Company | Habib Bank Limited (HBL) |
| Integration Type | Mobile Wallet |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | TBC |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Transactions routed to alternative wallet or bank transfer channels |
| Capabilities | Single charge, inquiry |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — requires assessment |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Medium — supplementary wallet channel; lower volume |
| Notes | Backed by Pakistan's largest bank. User base and fee structure to be confirmed. |
3.4 Alfa
| Field | Detail |
| --- | --- |
| Vendor | Alfa |
| Parent Company | Bank Alfalah |
| Integration Type | Mobile Wallet |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | TBC |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Transactions routed to alternative wallet or bank transfer channels |
| Capabilities | Single charge, inquiry |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — requires assessment |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Medium — supplementary wallet channel |
| Notes | Bank Alfalah is a major commercial bank. Integration details to be confirmed. |
3.5 JSBL Zindagi
| Field | Detail |
| --- | --- |
| Vendor | JSBL Zindagi |
| Parent Company | JS Bank Limited |
| Integration Type | Mobile Wallet |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | TBC |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Transactions routed to alternative wallet or bank transfer channels |
| Capabilities | Single charge, inquiry |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — requires assessment |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Low — niche wallet; limited user base |
| Notes | JS Bank digital wallet. Lower priority channel — integration details to be confirmed. |
3.6 Telenor DCB
| Field | Detail |
| --- | --- |
| Vendor | Telenor Pakistan |
| Parent Company | Telenor Group (Norway) |
| Integration Type | Carrier Billing (DCB — Direct Carrier Billing) |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | API key + shared secret |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC — target 99.0% uptime |
| Settlement Terms | T+2 |
| Fee Structure | 2.0% per transaction |
| Failover Behaviour | Charge fails silently; customer prompted to select alternative payment method. No cross-carrier fallback for DCB. |
| Capabilities | Single charge, subscription billing, inquiry, cancellation |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — stable; DCB channels subject to PTA regulatory changes |
| Regulator | Pakistan Telecommunication Authority (PTA) / State Bank of Pakistan (SBP) |
| Risk Rating | High — 50M subscriber base; significant DCB volume; regulatory risk from PTA directives |
| Notes | Largest DCB channel by subscriber count. DCB regulations in Pakistan are subject to frequent PTA interventions. Telenor also owns Easypaisa — shared parent company risk. |
3.7 Zong DCB
| Field | Detail |
| --- | --- |
| Vendor | Zong (CMPak) |
| Parent Company | China Mobile Communications Corporation |
| Integration Type | Carrier Billing (DCB) |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | API key + shared secret |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC — target 99.0% uptime |
| Settlement Terms | T+2 |
| Fee Structure | 2.0% per transaction |
| Failover Behaviour | Charge fails; customer prompted for alternative payment method |
| Capabilities | Single charge, subscription billing, inquiry, cancellation |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — stable |
| Regulator | Pakistan Telecommunication Authority (PTA) / State Bank of Pakistan (SBP) |
| Risk Rating | High — 45M subscribers; second-largest DCB channel |
| Notes | Chinese-owned operator — potential geo-political considerations. Subject to same PTA regulatory risk as all DCB channels. |
3.8 Ufone DCB
| Field | Detail |
| --- | --- |
| Vendor | Ufone |
| Parent Company | Pakistan Telecommunication Company Limited (PTCL) / Etisalat Group |
| Integration Type | Carrier Billing (DCB) |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (proprietary) |
| Authentication | API key + shared secret |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC — target 99.0% uptime |
| Settlement Terms | T+2 |
| Fee Structure | 2.0% per transaction |
| Failover Behaviour | Charge fails; customer prompted for alternative payment method |
| Capabilities | Single charge, subscription billing, inquiry, cancellation |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — generally stable; lowest volume of the three DCB channels |
| Regulator | Pakistan Telecommunication Authority (PTA) / State Bank of Pakistan (SBP) |
| Risk Rating | Medium — 30M subscribers; smaller DCB volume relative to Telenor and Zong |
| Notes | State-owned parent (PTCL). Merger with Ufone 4G brand may affect API endpoints. |
3.9 IBFT (1Link / RAAST)
| Field | Detail |
| --- | --- |
| Vendor | 1Link (Pvt) Limited |
| Parent Company | Consortium of Pakistani banks |
| Integration Type | Bank Transfer (IBFT — Inter-Bank Fund Transfer) / Instant Payment (RAAST) |
| Markets | Pakistan |
| Simpaisa Products | Pay-Ins |
| API Version / Protocol | REST API (versioned); ISO 8583 (legacy) |
| Authentication | mTLS + API credentials |
| Connection Method | VPN / dedicated connectivity to 1Link switch |
| SLA | TBC — 1Link targets 99.9% uptime for RAAST |
| Settlement Terms | T+1 (IBFT); near-real-time (RAAST) |
| Fee Structure | 0.5% + PKR 10 per transaction |
| Failover Behaviour | If 1Link is down, bank transfer channel is unavailable; customers directed to wallet or card channels. RAAST and IBFT provide partial redundancy for each other. |
| Capabilities | Single transfer, inquiry, title fetch (account validation), RAAST instant payment |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — RAAST availability improving; occasional settlement reconciliation delays |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Critical — sole bank transfer rail for Pakistan (60M banked users); no alternative provider |
| Notes | 1Link is the national payment switch. RAAST (Pakistan's instant payment system) is increasingly mandated by SBP. Single point of failure for all bank-based pay-ins. API is versioned — maintain version compatibility. |
3.10 Visa (Pay-In — Acquiring)
| Field | Detail |
| --- | --- |
| Vendor | Visa Inc. |
| Parent Company | Visa Inc. (USA) |
| Integration Type | Card Network — Acquiring |
| Markets | Pakistan (expandable to all markets) |
| Simpaisa Products | Pay-Ins, Cards |
| API Version / Protocol | ISO 8583 / Visa APIs; 3-D Secure 2.x for authentication |
| Authentication | RSA + mTLS + AES encryption |
| Connection Method | Dedicated connectivity via acquiring bank; VPN to VisaNet |
| SLA | 99.99% (VisaNet) |
| Settlement Terms | T+3 |
| Fee Structure | 2.5% per transaction (blended acquirer rate) |
| Failover Behaviour | If Visa network is down (extremely rare), card transactions fail; customers directed to wallet or bank transfer. Mastercard provides partial redundancy for dual-network cards. |
| Capabilities | Authorisation, capture, void, refund, chargeback, 3-D Secure, tokenisation |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — high reliability; PCI DSS compliance maintained |
| Regulator | State Bank of Pakistan (SBP); PCI Security Standards Council |
| Risk Rating | Critical — primary card network; ~25M cardholders in Pakistan |
| Notes | PCI DSS Level 1 compliance required. Annual audit and quarterly ASV scans mandatory. RSA + mTLS + AES authentication chain is complex but well-established. |
3.11 Mastercard (Pay-In — Acquiring)
| Field | Detail |
| --- | --- |
| Vendor | Mastercard International |
| Parent Company | Mastercard Incorporated (USA) |
| Integration Type | Card Network — Acquiring |
| Markets | Pakistan (expandable to all markets) |
| Simpaisa Products | Pay-Ins, Cards |
| API Version / Protocol | ISO 8583 / Mastercard APIs; 3-D Secure 2.x for authentication |
| Authentication | RSA + mTLS + AES encryption |
| Connection Method | Dedicated connectivity via acquiring bank; VPN to Mastercard network |
| SLA | 99.99% (Mastercard network) |
| Settlement Terms | T+3 |
| Fee Structure | 2.5% per transaction (blended acquirer rate) |
| Failover Behaviour | If Mastercard network is down (extremely rare), card transactions fail; Visa provides partial redundancy for dual-network cards. |
| Capabilities | Authorisation, capture, void, refund, chargeback, 3-D Secure, tokenisation |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — high reliability; PCI DSS compliance maintained |
| Regulator | State Bank of Pakistan (SBP); PCI Security Standards Council |
| Risk Rating | Critical — primary card network alongside Visa; ~25M cardholders |
| Notes | PCI DSS Level 1 compliance required. Mastercard and Visa together cover virtually all card-based payments in Pakistan. |
4. Payout Provider Integrations
These are the banking and wallet partners through which Simpaisa disburses funds for Pay-Out and Remittance products.
4.1 1Link (Payout)
| Field | Detail |
| --- | --- |
| Vendor | 1Link (Pvt) Limited |
| Parent Company | Consortium of Pakistani banks |
| Integration Type | Bank Transfer (IBFT / RAAST) |
| Markets | Pakistan |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — versioned |
| Authentication | mTLS + API credentials |
| Connection Method | VPN / dedicated connectivity |
| SLA | TBC |
| Settlement Terms | Real-time (IBFT/RAAST) |
| Fee Structure | TBC — per-transaction fee |
| Failover Behaviour | If 1Link is unavailable, payouts to Pakistan bank accounts are blocked. No alternative rail exists. Queue transactions and retry on recovery. |
| Capabilities | status, titleFetch (account validation), fundTransfer |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — versioned API indicates mature integration |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Critical — sole IBFT/RAAST payout rail for Pakistan; no substitute |
| Notes | Standard endpoint pattern. Versioned API — ensure compatibility during upgrades. Title fetch enables account validation before transfer, reducing failed payouts. |
4.2 AamarPay
| Field | Detail |
| --- | --- |
| Vendor | AamarPay |
| Parent Company | AamarPay (Bangladesh) |
| Integration Type | Payment Aggregator |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — versioned; includes /token endpoint |
| Authentication | Token-based (OAuth-style via /token endpoint) |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to alternative BD payout providers (bKash, BRAC, Agrani, Prime). Aggregator model may cover multiple banks internally. |
| Capabilities | token, status, fundTransfer |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | Operational — versioned API with token-based auth suggests well-maintained integration |
| Regulator | Bangladesh Bank |
| Risk Rating | High — key Bangladesh payout aggregator |
| Notes | Token endpoint suggests session-based authentication — monitor token expiry handling. Versioned API is a positive signal for stability. No titleFetch — account validation not available pre-transfer. |
4.3 Agrani Bank
| Field | Detail |
| --- | --- |
| Vendor | Agrani Bank Limited |
| Parent Company | Government of Bangladesh (state-owned) |
| Integration Type | Bank Transfer |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — unversioned |
| Authentication | TBC — likely API key or basic auth |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to alternative BD bank channels (BRAC, Prime) or wallet (bKash) |
| Capabilities | status, titleFetch, fundTransfer |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — unversioned API is a risk; requires assessment |
| Regulator | Bangladesh Bank |
| Risk Rating | Medium — one of several BD bank channels; state-owned bank provides stability |
| Notes | Standard endpoint pattern with title fetch. Unversioned API — breaking changes may arrive without warning. State-owned bank — politically stable but potentially slower to modernise. |
4.4 bKash
| Field | Detail |
| --- | --- |
| Vendor | bKash Limited |
| Parent Company | BRAC Bank / Ant Group (minority stake) |
| Integration Type | Mobile Wallet |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — unversioned |
| Authentication | TBC — likely API key + secret |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to bank channels (BRAC, Agrani, Prime) for account-based payouts. bKash wallet payouts have no direct substitute — queue and retry. |
| Capabilities | status, titleFetch, fundTransfer |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — requires assessment |
| Regulator | Bangladesh Bank |
| Risk Rating | Critical — dominant mobile wallet in Bangladesh; largest MFS provider with 60M+ users |
| Notes | bKash is the primary mobile money channel in Bangladesh. Any outage significantly impacts BD remittance disbursements. Unversioned API is a concern for a channel of this criticality. Ant Group investment brings technology but also geo-political considerations. |
4.5 BRAC Bank
| Field | Detail |
| --- | --- |
| Vendor | BRAC Bank Limited |
| Parent Company | BRAC (NGO) |
| Integration Type | Bank Transfer |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — unversioned |
| Authentication | TBC |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to alternative BD bank channels (Agrani, Prime) |
| Capabilities | status, titleFetch, fundTransfer, balance |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — the presence of a /balance endpoint suggests a more mature integration |
| Regulator | Bangladesh Bank |
| Risk Rating | High — major BD commercial bank; parent of bKash |
| Notes | Only payout provider with a balance endpoint — enables proactive liquidity monitoring. BRAC Bank and bKash share a parent organisation — correlated failure risk. |
4.6 Faysal Bank
| Field | Detail |
| --- | --- |
| Vendor | Faysal Bank Limited |
| Parent Company | Ithmaar Holding (Bahrain) |
| Integration Type | Bank Transfer |
| Markets | Pakistan |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — unversioned |
| Authentication | TBC |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to 1Link for IBFT-based payouts; Faysal-specific B2C payouts have no direct substitute |
| Capabilities | status, titleFetch, fundTransfer, fundTransfer-b2c (B2C variant) |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — requires assessment |
| Regulator | State Bank of Pakistan (SBP) |
| Risk Rating | Medium — supplementary PK payout channel; 1Link provides primary coverage |
| Notes | Unique B2C fund transfer variant (fundTransfer-b2c) suggests a specialised disbursement flow separate from standard IBFT. Bahrain-based parent — Islamic banking model. Unversioned API. |
4.7 Prime Bank
| Field | Detail |
| --- | --- |
| Vendor | Prime Bank Limited |
| Parent Company | Prime Bank Limited (Bangladesh) |
| Integration Type | Bank Transfer (NPSB + BEFTN networks) |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs, Remittances |
| API Version / Protocol | REST API — unversioned; includes /token endpoint |
| Authentication | Token-based (via /token endpoint) |
| Connection Method | TBC |
| SLA | TBC |
| Settlement Terms | Real-time (NPSB); T+1 (BEFTN) |
| Fee Structure | TBC |
| Failover Behaviour | NPSB and BEFTN provide internal redundancy — if real-time (NPSB) fails, batch (BEFTN) can be used. Route to alternative BD banks (BRAC, Agrani) if Prime is fully down. |
| Capabilities | token, status, titleFetch, fundTransferNPSB (real-time), fundTransferBEFTN (batch) |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — dual-network support is architecturally sound |
| Regulator | Bangladesh Bank |
| Risk Rating | High — provides access to both BD payment networks (NPSB real-time + BEFTN batch) |
| Notes | Only BD provider with split endpoints by network type. NPSB (National Payment Switch Bangladesh) provides real-time transfers; BEFTN (Bangladesh Electronic Funds Transfer Network) provides batch settlement. This dual-rail approach offers built-in resilience. Token-based auth via /token endpoint. |
4.8 PayMob
| Field | Detail |
| --- | --- |
| Vendor | PayMob |
| Parent Company | PayMob (Bangladesh entity) |
| Integration Type | Payment Aggregator |
| Markets | Bangladesh |
| Simpaisa Products | Pay-Outs |
| API Version / Protocol | REST API — unversioned |
| Authentication | TBC |
| Connection Method | Public internet (TLS 1.2+) |
| SLA | TBC |
| Settlement Terms | TBC |
| Fee Structure | TBC |
| Failover Behaviour | Route to alternative BD payout channels (bKash, BRAC, Agrani, Prime) |
| Capabilities | status, fundTransfer |
| Contract Owner | TBC |
| Contract Renewal | TBC |
| Integration Health | TBC — limited endpoint set (no titleFetch) is a concern |
| Regulator | Bangladesh Bank |
| Risk Rating | Medium — aggregator with limited capabilities; supplementary channel |
| Notes | No titleFetch endpoint — cannot validate recipient account before transfer, increasing failed/misdirected payout risk. Most limited API surface of all payout providers. Consider whether this integration adds sufficient value. |
5. Card Network Integrations
5.1 Visa — Acquiring
| Field | Detail |
| --- | --- |
| Vendor | Visa Inc. |
| Parent Company | Visa Inc. (NYSE: V) |
| Integration Type | Card Network — Acquiring |
| Markets | Pakistan (primary); expandable |
| Simpaisa Products | Pay-Ins, Cards |
| API / Protocol | ISO 8583 / Visa APIs; 3-D Secure 2.x |
| Authentication | RSA + mTLS + AES (triple-layer) |
| Connection | Dedicated connectivity via acquiring bank partner |
| Compliance | PCI DSS Level 1 — annual ROC audit; quarterly ASV scans |
| SLA | 99.99% (VisaNet global availability) |
| Settlement | T+3 |
| Fees | 2.5% blended acquirer rate |
| Failover | Mastercard provides partial redundancy for dual-branded cards |
| Capabilities | Auth, capture, void, refund, chargeback, 3DS, tokenisation, recurring |
| Risk Rating | Critical |
| Notes | PCI DSS scope includes all systems that store, process, or transmit cardholder data. Annual compliance audit is a mandatory cost centre. Network tokenisation adoption should be prioritised to reduce PCI scope. |
5.2 Mastercard — Acquiring
| Field | Detail |
| --- | --- |
| Vendor | Mastercard International |
| Parent Company | Mastercard Incorporated (NYSE: MA) |
| Integration Type | Card Network — Acquiring |
| Markets | Pakistan (primary); expandable |
| Simpaisa Products | Pay-Ins, Cards |
| API / Protocol | ISO 8583 / Mastercard APIs; 3-D Secure 2.x |
| Authentication | RSA + mTLS + AES (triple-layer) |
| Connection | Dedicated connectivity via acquiring bank partner |
| Compliance | PCI DSS Level 1 — annual ROC audit; quarterly ASV scans |
| SLA | 99.99% (Mastercard network global availability) |
| Settlement | T+3 |
| Fees | 2.5% blended acquirer rate |
| Failover | Visa provides partial redundancy for dual-branded cards |
| Capabilities | Auth, capture, void, refund, chargeback, 3DS, tokenisation, recurring |
| Risk Rating | Critical |
| Notes | Similar compliance obligations to Visa. Both networks must be maintained in parallel — dropping either would significantly reduce card acceptance coverage. |
6. Technology Vendor Register
6.1 Cloudflare
| Field | Detail |
| --- | --- |
| Vendor | Cloudflare, Inc. |
| Products/Services | CDN, WAF, Workers (edge compute), Pages (static hosting), R2 (object storage), DNS |
| Category | Infrastructure / Security / Edge Compute |
| Licensing Model | SaaS — Enterprise plan |
| Status | Current |
| Contract Type | TBC |
| Criticality | Critical — all inbound traffic routes through Cloudflare; WAF provides DDoS protection; DNS resolution depends on Cloudflare |
| Data Handling | Processes all HTTP traffic (headers, payloads in transit); R2 stores static assets; Workers execute edge logic. Cardholder data should NOT transit Workers without PCI scoping. |
| Compliance Implications | Cloudflare is PCI DSS compliant as a service provider. Ensure WAF rules align with OWASP Top 10. Data residency considerations for traffic routing through non-operating-market PoPs. |
6.2 KrakenD
| Field | Detail |
| --- | --- |
| Vendor | KrakenD (by Lura Project / API Gateways SL) |
| Products/Services | API Gateway |
| Category | Infrastructure / API Management |
| Licensing Model | Open Source (Community) / Enterprise licence |
| Status | Current |
| Contract Type | TBC |
| Criticality | Critical — all API traffic routes through KrakenD; single point of failure if not deployed in HA configuration |
| Data Handling | Processes all API request/response payloads in transit; does not persist data |
| Compliance Implications | Must be configured to mask/redact sensitive fields in logs. Rate limiting and auth validation at gateway level. |
6.3 SurrealDB
| Field | Detail |
| --- | --- |
| Vendor | SurrealDB Ltd (UK) |
| Products/Services | Multi-model Database |
| Category | Data / Storage |
| Licensing Model | Open Source (BSL) / Cloud SaaS |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Critical — primary data store; total platform failure if unavailable |
| Data Handling | Stores all transactional, customer, and merchant data. Contains PII and financial records. |
| Compliance Implications | Must support encryption at rest and in transit. Backup and disaster recovery strategy required. Relatively new database — maturity risk. Evaluate operational tooling and community support. |
6.4 Temporal
| Field | Detail |
| --- | --- |
| Vendor | Temporal Technologies, Inc. |
| Products/Services | Workflow Orchestration |
| Category | Infrastructure / Orchestration |
| Licensing Model | Open Source (MIT) / Temporal Cloud (SaaS) |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Critical — orchestrates payment workflows, settlement, reconciliation; failure halts transaction processing |
| Data Handling | Stores workflow state, input/output payloads. May contain transaction data and PII in workflow history. |
| Compliance Implications | Workflow payloads should be encrypted. Temporal's data converter supports payload encryption — must be enabled. Retention policies for workflow history must align with data retention requirements. |
6.5 Meilisearch
| Field | Detail |
| --- | --- |
| Vendor | Meilisearch (France) |
| Products/Services | Search Engine |
| Category | Data / Search |
| Licensing Model | Open Source (MIT) / Meilisearch Cloud (SaaS) |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Medium — powers search functionality; degraded UX but not a transaction-blocking failure |
| Data Handling | Indexes searchable data — may include transaction references, merchant names, customer identifiers |
| Compliance Implications | Ensure PII is not indexed unnecessarily. Search indices should be encrypted at rest. |
6.6 NSQ
| Field | Detail |
| --- | --- |
| Vendor | NSQ (open-source community project) |
| Products/Services | Distributed Messaging / Message Queue |
| Category | Infrastructure / Messaging |
| Licensing Model | Open Source (MIT) |
| Status | Proposed (target stack) |
| Contract Type | N/A — no commercial vendor |
| Criticality | Critical — message bus for async processing; failure causes message loss and processing delays |
| Data Handling | Messages in transit and on disk may contain transaction data and PII |
| Compliance Implications | No commercial support — operational risk. Messages should be encrypted. Consider message retention and purging policies. Evaluate whether a commercially-supported alternative (e.g., NATS, RabbitMQ) would reduce operational risk. |
6.7 PostHog
| Field | Detail |
| --- | --- |
| Vendor | PostHog, Inc. |
| Products/Services | Product Analytics, Session Recording, Feature Flags |
| Category | Analytics / Product |
| Licensing Model | Open Source (MIT) / PostHog Cloud (SaaS) |
| Status | Current |
| Contract Type | TBC |
| Criticality | Low — analytics platform; no impact on transaction processing if unavailable |
| Data Handling | Collects user behaviour data, session recordings, event data. May capture PII if not properly configured. |
| Compliance Implications | Ensure session recordings do not capture payment card data or sensitive PII. Configure PII masking. Data residency — check where PostHog Cloud stores data. Self-hosted option available for data sovereignty. |
6.8 ControlPlane.com
| Field | Detail |
| --- | --- |
| Vendor | ControlPlane (controlplane.com) |
| Products/Services | Identity & Access Management |
| Category | Security / Identity |
| Licensing Model | SaaS |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Critical — controls authentication and authorisation for all platform access; failure locks out users and services |
| Data Handling | Stores user identities, roles, permissions, authentication tokens |
| Compliance Implications | Must support MFA, RBAC, and audit logging. SOC 2 compliance expected. Identity provider is a high-value target — security posture must be assessed. |
6.9 Grafana Labs
| Field | Detail |
| --- | --- |
| Vendor | Grafana Labs |
| Products/Services | Observability Dashboards (Grafana), Metrics (Prometheus/Mimir), Logs (Loki) |
| Category | Observability / Monitoring |
| Licensing Model | Open Source (AGPL) / Grafana Cloud (SaaS) |
| Status | Current |
| Contract Type | TBC |
| Criticality | High — loss of observability during an incident severely impacts mean time to recovery (MTTR) |
| Data Handling | Ingests metrics, logs, and traces. Logs may contain transaction data and PII if not properly filtered. |
| Compliance Implications | Log data must be scrubbed of PII/cardholder data before ingestion. Retention policies must comply with data protection requirements. |
6.10 Jaeger
| Field | Detail |
| --- | --- |
| Vendor | Jaeger (CNCF project) |
| Products/Services | Distributed Tracing |
| Category | Observability / Tracing |
| Licensing Model | Open Source (Apache 2.0) |
| Status | Current |
| Contract Type | N/A — no commercial vendor |
| Criticality | Medium — supports debugging and performance analysis; not transaction-critical |
| Data Handling | Trace spans may contain request/response data including transaction identifiers |
| Compliance Implications | Ensure trace data does not include cardholder data. Implement span attribute filtering. No commercial support — operational risk accepted. |
6.11 Anthropic / Claude
| Field | Detail |
| --- | --- |
| Vendor | Anthropic |
| Products/Services | Claude (AI development tools, code assistance) |
| Category | DevEx / AI Tooling |
| Licensing Model | SaaS — API usage-based + Claude Code subscription |
| Status | Current |
| Contract Type | TBC |
| Criticality | Low — developer productivity tool; no impact on production systems |
| Data Handling | Code snippets and prompts sent to Anthropic API. Ensure no production secrets, credentials, or cardholder data are included in prompts. |
| Compliance Implications | Review Anthropic's data retention policies. Code sent for analysis should not contain PCI-scoped data. Developer usage only — not in the transaction path. |
6.12 Stoplight
| Field | Detail |
| --- | --- |
| Vendor | Stoplight (SmartBear) |
| Products/Services | API Design & Governance |
| Category | DevEx / API Management |
| Licensing Model | SaaS |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Low — design-time tooling; no production impact |
| Data Handling | Stores API specifications (OpenAPI). No production data. |
| Compliance Implications | API specs may reveal internal architecture — treat as confidential. |
6.13 Scalar
| Field | Detail |
| --- | --- |
| Vendor | Scalar |
| Products/Services | API Documentation Portal |
| Category | DevEx / Documentation |
| Licensing Model | Open Source / SaaS |
| Status | Proposed (target stack) |
| Contract Type | TBC |
| Criticality | Low — documentation portal; no production impact |
| Data Handling | Serves API documentation. No production data processed. |
| Compliance Implications | If externally accessible, ensure documentation does not expose internal-only endpoints or security-sensitive information. |
6.14 Bitbucket
| Field | Detail |
| --- | --- |
| Vendor | Atlassian |
| Products/Services | Source Control (Git), CI/CD Pipelines |
| Category | DevEx / Source Control |
| Licensing Model | SaaS — Bitbucket Cloud |
| Status | Current |
| Contract Type | TBC |
| Criticality | High — loss of source control blocks all development; CI/CD pipeline failure blocks deployments |
| Data Handling | Stores all source code, configuration, CI/CD secrets. High-value target. |
| Compliance Implications | Enable branch protection, mandatory code review, and audit logging. Secrets in Pipelines must use secure variables. SOC 2 compliant (Atlassian). |
7. Infrastructure Provider
7.1 Amazon Web Services (AWS)
| Field | Detail |
| --- | --- |
| Vendor | Amazon Web Services, Inc. |
| Parent Company | Amazon.com, Inc. |
| Contract Type | TBC |
| Status | Current |
| Overall Risk Rating | Critical — entire production platform runs on AWS |
AWS Service Inventory
| Service | Usage | Criticality | Alternative if Unavailable |
| --- | --- | --- | --- |
| EC2 | Application compute (instances) | Critical | None — primary compute; consider containerisation for portability |
| ALB | Application load balancing | Critical | Cloudflare load balancing (partial); HAProxy (self-managed) |
| WAF | Web Application Firewall (AWS-level) | High | Cloudflare WAF (already in place — provides redundancy) |
| RDS | Managed relational database | Critical | SurrealDB (target migration); self-managed PostgreSQL |
| ElastiCache | In-memory caching (Redis) | High | Self-managed Redis; Dragonfly |
| VPC | Network isolation and security groups | Critical | None — foundational AWS networking |
| Parameter Store | Secrets and configuration management | High | HashiCorp Vault; Doppler |
| GuardDuty | Threat detection and monitoring | Medium | CrowdStrike; Wazuh (open source) |
Compliance & Data Handling
- AWS is PCI DSS Level 1 compliant as a service provider
- Data residency: Confirm AWS region selection aligns with each market's data localisation requirements
  - Pakistan: SBP may require data to remain within Pakistan or approved jurisdictions
  - Bangladesh: Bangladesh Bank data localisation requirements — TBC
- Encryption: EBS encryption, RDS encryption at rest, TLS in transit — all must be enabled
- Access: IAM policies, MFA for console access, CloudTrail for audit logging
Lock-in Risk
AWS lock-in is High. Key mitigations:
- Containerise workloads to enable multi-cloud portability
- Avoid proprietary services where open-source alternatives exist
- SurrealDB migration (from RDS) reduces database lock-in
- Cloudflare edge layer provides CDN/WAF independence from AWS
8. Integration Health Dashboard
| # | Vendor | Type | Market | Status | Last Known Incident | SLA Compliance | Risk |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | JazzCash | Wallet | PK | Operational | TBC | TBC | Critical |
| 2 | Easypaisa | Wallet | PK | Operational | TBC | TBC | Critical |
| 3 | HBL Konnect | Wallet | PK | TBC | TBC | TBC | Medium |
| 4 | Alfa | Wallet | PK | TBC | TBC | TBC | Medium |
| 5 | JSBL Zindagi | Wallet | PK | TBC | TBC | TBC | Low |
| 6 | Telenor DCB | Carrier Billing | PK | Operational | TBC | TBC | High |
| 7 | Zong DCB | Carrier Billing | PK | Operational | TBC | TBC | High |
| 8 | Ufone DCB | Carrier Billing | PK | Operational | TBC | TBC | Medium |
| 9 | 1Link / RAAST | Bank Transfer | PK | Operational | TBC | TBC | Critical |
| 10 | Visa | Card Network | PK | Operational | TBC | 99.99% target | Critical |
| 11 | Mastercard | Card Network | PK | Operational | TBC | 99.99% target | Critical |
| 12 | 1Link (Payout) | Bank Transfer | PK | Operational | TBC | TBC | Critical |
| 13 | AamarPay | Aggregator | BD | Operational | TBC | TBC | High |
| 14 | Agrani Bank | Bank Transfer | BD | TBC | TBC | TBC | Medium |
| 15 | bKash | Wallet | BD | TBC | TBC | TBC | Critical |
| 16 | BRAC Bank | Bank Transfer | BD | TBC | TBC | TBC | High |
| 17 | Faysal Bank | Bank Transfer | PK | TBC | TBC | TBC | Medium |
| 18 | Prime Bank | Bank Transfer | BD | TBC | TBC | TBC | High |
| 19 | PayMob | Aggregator | BD | TBC | TBC | TBC | Medium |

Status Key: Operational | Degraded | Outage | TBC (not yet assessed)
9. Dependency Map
9.1 Product-to-Vendor Dependencies
| Product | Vendor | Impact if Unavailable |
| --- | --- | --- |
| Pay-Ins | JazzCash | ~30% of PK wallet pay-ins affected |
| Pay-Ins | Easypaisa | ~20% of PK wallet pay-ins affected |
| Pay-Ins | HBL Konnect, Alfa, JSBL Zindagi | Minor — supplementary wallet channels |
| Pay-Ins | Telenor DCB | ~40% of PK DCB pay-ins affected |
| Pay-Ins | Zong DCB | ~35% of PK DCB pay-ins affected |
| Pay-Ins | Ufone DCB | ~25% of PK DCB pay-ins affected |
| Pay-Ins | 1Link / RAAST | All PK bank transfer pay-ins blocked |
| Pay-Ins | Visa | ~50% of PK card pay-ins affected |
| Pay-Ins | Mastercard | ~50% of PK card pay-ins affected |
| Pay-Outs | 1Link (Payout) | All PK bank payouts blocked |
| Pay-Outs | Faysal Bank | PK B2C payouts via Faysal blocked |
| Pay-Outs | bKash | All BD wallet payouts blocked |
| Pay-Outs | BRAC Bank | BD bank payouts via BRAC blocked |
| Pay-Outs | Agrani Bank | BD bank payouts via Agrani blocked |
| Pay-Outs | Prime Bank | BD NPSB/BEFTN payouts blocked |
| Pay-Outs | AamarPay | BD aggregated payouts blocked |
| Pay-Outs | PayMob | BD PayMob payouts blocked |
| Remittances | 1Link (Payout) | PK remittance disbursements halted |
| Remittances | bKash | BD remittance disbursements to wallets halted |
| Remittances | BRAC, Agrani, Prime | BD remittance disbursements to banks degraded |
| Cards | Visa | Card programme partially unavailable |
| Cards | Mastercard | Card programme partially unavailable |
9.2 Critical Path Analysis
Pay-In (Pakistan)
├── Wallet Channel: JazzCash OR Easypaisa OR HBL/Alfa/Zindagi [redundant]
├── DCB Channel: Telenor OR Zong OR Ufone [redundant]
├── Bank Transfer: 1Link/RAAST [SINGLE POINT OF FAILURE]
└── Card: Visa OR Mastercard [redundant]
Pay-Out (Pakistan)
└── Bank Transfer: 1Link [SINGLE POINT OF FAILURE]
└── Faysal Bank (B2C variant) [supplementary]
Pay-Out (Bangladesh)
├── Wallet: bKash [SINGLE POINT OF FAILURE for wallet payouts]
├── Bank: BRAC OR Agrani OR Prime [redundant]
└── Aggregator: AamarPay OR PayMob [redundant]
Technology Stack
├── Traffic: Cloudflare → KrakenD [serial dependency]
├── Compute: AWS EC2 [SINGLE POINT OF FAILURE]
├── Data: SurrealDB (proposed) / RDS (current) [SINGLE POINT OF FAILURE]
├── Orchestration: Temporal [SINGLE POINT OF FAILURE]
└── Identity: ControlPlane [SINGLE POINT OF FAILURE]
10. Risk Assessment
10.1 Single Points of Failure
| Dependency | Impact | Mitigation |
| --- | --- | --- |
| 1Link (PK) | All bank-based pay-ins and payouts in Pakistan halt | No alternative national switch exists. Maintain hot standby queues; implement store-and-forward for payouts. Engage SBP on contingency planning. |
| bKash (BD) | All wallet-based payouts in Bangladesh halt | No alternative MFS provider of comparable scale. Consider Nagad integration as a secondary wallet channel. |
| AWS (compute) | Entire platform unavailable | Containerise workloads for future multi-cloud. Implement multi-AZ and multi-region within AWS as interim measure. |
| Cloudflare (edge) | All inbound traffic blocked | Maintain DNS failover to direct-to-origin. Consider secondary CDN/WAF provider. |
| KrakenD (gateway) | All API traffic blocked | Deploy in HA cluster across multiple AZs. Maintain configuration for rapid failover. |
10.2 Vendor Concentration Risk
| Risk | Detail |
| --- | --- |
| Telenor Group | Owns both Telenor Pakistan (DCB) and Easypaisa (wallet). A group-level event affects two payment channels simultaneously. |
| BRAC ecosystem | BRAC Bank and bKash share a parent organisation. Correlated failure risk for BD payouts. |
| AWS | All compute, networking, and managed services on a single cloud provider. |
| Cloudflare | CDN, WAF, DNS, edge compute, and object storage all with one vendor. |
| Card networks | Visa and Mastercard are the only two card networks — but this is an industry-wide constraint, not a Simpaisa-specific risk. |
10.3 Geo-Political Risk
| Market | Risk Level | Key Concerns |
| --- | --- | --- |
| Pakistan | High | Regulatory volatility (PTA interventions on DCB); SBP policy changes; FATF grey-list implications for correspondent banking; political instability |
| Bangladesh | Medium | Bangladesh Bank regulatory changes; political transition risks; Ant Group (bKash minority shareholder) — China exposure |
| Nepal | Medium | Nepal Rastra Bank restrictions on digital payments; limited infrastructure |
| Iraq | High | Sanctions compliance complexity; CBI regulatory environment; security concerns; limited banking infrastructure |
10.4 Technology Lock-in Risk
| Vendor | Lock-in Level | Mitigation |
| --- | --- | --- |
| AWS | High | Containerisation; avoid proprietary services; abstract cloud-specific APIs |
| SurrealDB | Medium | Relatively new database — evaluate data export tooling; maintain schema portability |
| Cloudflare | Medium | DNS can be migrated; Workers code is somewhat portable; R2 is S3-compatible |
| Temporal | Medium | Open-source core; workflow definitions are code — portable in principle |
| KrakenD | Low | Configuration-based; can be replaced with Kong, Tyk, or similar |
| NSQ | Low | Standard pub/sub patterns; replaceable with NATS, RabbitMQ |
| Bitbucket | Low | Git is portable; CI/CD pipelines require migration effort |
11. Vendor Management Governance
11.1 Review Cadence
| Vendor Category | Review Frequency | Review Scope |
| --- | --- | --- |
| Critical payment channels (JazzCash, Easypaisa, 1Link, Visa, Mastercard, bKash) | Quarterly | SLA compliance, incident history, contract terms, security posture |
| High-risk payment channels (DCB providers, BD banks) | Quarterly | SLA compliance, incident history, regulatory changes |
| Medium/Low payment channels | Annually | Contract terms, continued relevance, integration health |
| Critical technology vendors (AWS, Cloudflare, KrakenD, SurrealDB, Temporal) | Quarterly | Availability, security advisories, version currency, cost optimisation |
| Non-critical technology vendors | Annually | Continued relevance, licensing changes, security advisories |
11.2 SLA Monitoring Process
- Automated monitoring — uptime and response time tracking for all payment channel APIs via Grafana dashboards
- Monthly SLA reports — generated from monitoring data; compared against contractual commitments
- Breach escalation — SLA breaches trigger incident review and commercial discussion with vendor
- Quarterly business reviews — for critical vendors; includes SLA performance, roadmap alignment, and commercial review
| Vendor | Primary Contact | Escalation Contact | Simpaisa Owner |
| --- | --- | --- | --- |
| JazzCash | TBC | TBC | TBC |
| Easypaisa | TBC | TBC | TBC |
| 1Link | TBC | TBC | TBC |
| Visa | TBC | TBC | TBC |
| Mastercard | TBC | TBC | TBC |
| bKash | TBC | TBC | TBC |
| AWS | TBC (TAM) | TBC | TBC |
| Cloudflare | TBC | TBC | TBC |
Action Required: All TBC contacts must be populated by the respective relationship owners within 30 days of this document's creation.
11.4 Contract Renewal Process
- 120 days before expiry — Finance and Legal notified; renewal review initiated
- 90 days before expiry — Commercial terms reviewed; benchmarking against alternatives
- 60 days before expiry — Negotiation with vendor; CDO approval for material changes
- 30 days before expiry — Contract signed or exit plan activated
- Post-renewal — Register updated; new terms documented
11.5 Vendor Risk Assessment Criteria
New vendors and renewals are assessed against:
| Criterion | Weight | Assessment |
| --- | --- | --- |
| Financial stability | High | Creditworthiness, funding, profitability |
| Security posture | High | SOC 2, ISO 27001, PCI DSS (where applicable), penetration testing |
| Regulatory compliance | High | Licences, registrations, sanctions screening |
| Operational reliability | High | Historical uptime, incident response capability, SLA terms |
| Data handling | High | Data residency, encryption, processing agreements |
| Strategic alignment | Medium | Roadmap fit, innovation, partnership potential |
| Commercial terms | Medium | Pricing competitiveness, flexibility, exit clauses |
| Lock-in risk | Medium | Portability, open standards, exit costs |
| Geo-political exposure | Medium | Jurisdiction, sanctions risk, political stability |
| Support quality | Low | Documentation, responsiveness, technical competence |
12. Appendix: Integration Inventory Summary Table
| # | Vendor | Type | Direction | Market | Products | API Versioned | Settlement | Fees | Risk Rating | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | JazzCash | Mobile Wallet | Pay-In | PK | Pay-Ins | No | T+1 | 1.2–1.5% | Critical | Operational |
| 2 | Easypaisa | Mobile Wallet | Pay-In | PK | Pay-Ins | No | T+1 | 1.8% | Critical | Operational |
| 3 | HBL Konnect | Mobile Wallet | Pay-In | PK | Pay-Ins | TBC | TBC | TBC | Medium | TBC |
| 4 | Alfa | Mobile Wallet | Pay-In | PK | Pay-Ins | TBC | TBC | TBC | Medium | TBC |
| 5 | JSBL Zindagi | Mobile Wallet | Pay-In | PK | Pay-Ins | TBC | TBC | TBC | Low | TBC |
| 6 | Telenor DCB | Carrier Billing | Pay-In | PK | Pay-Ins | No | T+2 | 2.0% | High | Operational |
| 7 | Zong DCB | Carrier Billing | Pay-In | PK | Pay-Ins | No | T+2 | 2.0% | High | Operational |
| 8 | Ufone DCB | Carrier Billing | Pay-In | PK | Pay-Ins | No | T+2 | 2.0% | Medium | Operational |
| 9 | 1Link / RAAST | Bank Transfer | Pay-In | PK | Pay-Ins | Yes | T+1 | 0.5% + PKR 10 | Critical | Operational |
| 10 | Visa | Card Network | Pay-In | PK | Pay-Ins, Cards | N/A | T+3 | 2.5% | Critical | Operational |
| 11 | Mastercard | Card Network | Pay-In | PK | Pay-Ins, Cards | N/A | T+3 | 2.5% | Critical | Operational |
| 12 | 1Link | Bank Transfer | Pay-Out | PK | Pay-Outs, Remittances | Yes | Real-time | TBC | Critical | Operational |
| 13 | AamarPay | Aggregator | Pay-Out | BD | Pay-Outs, Remittances | Yes | TBC | TBC | High | Operational |
| 14 | Agrani Bank | Bank Transfer | Pay-Out | BD | Pay-Outs, Remittances | No | TBC | TBC | Medium | TBC |
| 15 | bKash | Mobile Wallet | Pay-Out | BD | Pay-Outs, Remittances | No | TBC | TBC | Critical | TBC |
| 16 | BRAC Bank | Bank Transfer | Pay-Out | BD | Pay-Outs, Remittances | No | TBC | TBC | High | TBC |
| 17 | Faysal Bank | Bank Transfer | Pay-Out | PK | Pay-Outs, Remittances | No | TBC | TBC | Medium | TBC |
| 18 | Prime Bank | Bank Transfer | Pay-Out | BD | Pay-Outs, Remittances | No | RT/T+1 | TBC | High | TBC |
| 19 | PayMob | Aggregator | Pay-Out | BD | Pay-Outs | No | TBC | TBC | Medium | TBC |
| 20 | Cloudflare | CDN/WAF/Edge | Infra | Global | All | N/A | N/A | N/A | Critical | Current |
| 21 | KrakenD | API Gateway | Infra | Global | All | N/A | N/A | N/A | Critical | Current |
| 22 | SurrealDB | Database | Infra | Global | All | N/A | N/A | N/A | Critical | Proposed |
| 23 | Temporal | Orchestration | Infra | Global | All | N/A | N/A | N/A | Critical | Proposed |
| 24 | Meilisearch | Search | Infra | Global | All | N/A | N/A | N/A | Medium | Proposed |
| 25 | NSQ | Messaging | Infra | Global | All | N/A | N/A | N/A | Critical | Proposed |
| 26 | PostHog | Analytics | Infra | Global | All | N/A | N/A | N/A | Low | Current |
| 27 | ControlPlane | Identity/Access | Infra | Global | All | N/A | N/A | N/A | Critical | Proposed |
| 28 | Grafana Labs | Observability | Infra | Global | All | N/A | N/A | N/A | High | Current |
| 29 | Jaeger | Tracing | Infra | Global | All | N/A | N/A | N/A | Medium | Current |
| 30 | Anthropic | AI Tooling | DevEx | Global | N/A | N/A | N/A | N/A | Low | Current |
| 31 | Stoplight | API Design | DevEx | Global | N/A | N/A | N/A | N/A | Low | Proposed |
| 32 | Scalar | API Docs | DevEx | Global | N/A | N/A | N/A | N/A | Low | Proposed |
| 33 | Bitbucket | Source Control | DevEx | Global | N/A | N/A | N/A | N/A | High | Current |
| 34 | AWS | Cloud Infra | Infra | Global | All | N/A | N/A | N/A | Critical | Current |
End of Vendor & Integration Register
Next review due: Q3 2026