City Permits

A UK Parking Enforcement Operator

In the space of three months, City Permits faced two separate threats to their ability to take payments online. A failing PCI compliance scan and the forced shutdown of their payment gateway arrived back to back. Both were resolved before either caused a disruption to the business.

Custom PHP Parking & Traffic Management Emergency Rescue

The Situation

City Permits operates a live transactional platform handling parking ticket payments and permit applications in Leeds, West Yorkshire. The site had been running reliably for years, processing payments through Barclays ePDQ without issue. Nothing was broken. Nothing felt urgent.

Then two things happened in quick succession.

In November 2025, an independent compliance scan carried out by SecurityMetrics returned a fail. The maximum vulnerability score was 10.0, the highest possible rating. PCI DSS, the Payment Card Industry Data Security Standard, is the security framework set by Visa and Mastercard and enforced in practice by the acquiring bank. It requires any business taking card payments online to maintain a minimum level of infrastructure security. The scan showed the site was running on software that had been unsupported for years, a PHP version with no security patches since 2016, alongside an outdated operating system, web server, and frontend library, each carrying known vulnerabilities. The site had never been compromised, but the exposure was real and formally documented. Continued non-compliance gives the acquiring bank grounds to raise fees, impose penalties, or ultimately suspend the merchant account and stop card processing entirely.

The upgrade work to bring the site into compliance was already underway when a second issue landed. Barclays sent notification that their ePDQ payment gateway service was being permanently terminated, with a hard cutoff of March 2026. City Permits was already mid-project on one critical problem and now had a second one running alongside it.

What We Did

We were already engaged on the compliance upgrade when the Barclays notice arrived. Rather than treat them as separate projects, we sequenced them tightly and ran the two workstreams together.

Phase one was the infrastructure and code upgrade. The application was migrated from a PHP version with no security support since 2016 to PHP 8.2, the current supported release. The application framework was rebuilt to modern standards, the frontend library was updated to remove documented security vulnerabilities, and the site was moved to a modern hosting environment, resolving the server-level issues identified in the scan. Security headers were added, an exposed source directory was locked down, and hardcoded credentials were removed from the codebase and moved to environment configuration. The SecurityMetrics compliance scan ran again on February 4, 2026. Maximum score: 0.00. Zero vulnerabilities. Passing.

With compliance confirmed, phase two began immediately. We migrated the payment integration from Barclays ePDQ to Stripe Checkout, completing the cutover ahead of the March 2026 deadline. The new integration uses webhook-based payment confirmation, which is significantly more reliable than the redirect-based callbacks the old gateway depended on. Stripe handles 3D Secure authentication natively, supports Apple Pay and Google Pay, and gives the City Permits team direct visibility into every transaction through the Stripe dashboard. There are no monthly gateway fees, only a per-transaction charge on successful payments.

Across both phases, the work delivered:

  • PHP upgraded from an unsupported 2016 release to PHP 8.2
  • Application framework rebuilt to modern standards
  • Frontend library updated to remove documented security vulnerabilities
  • Migrated to modern hosting, resolving server-level compliance failures
  • Security headers added, exposed source directory locked down, hardcoded credentials moved to environment configuration
  • SecurityMetrics compliance scan re-run: score 0.00, passing
  • Payment integration migrated from Barclays ePDQ to Stripe Checkout, ahead of the March 2026 cutoff
  • Webhook-based payment confirmation implemented, replacing fragile redirect callbacks
  • 3D Secure, Apple Pay and Google Pay enabled

The Outcome

City Permits went from a failing compliance scan and a gateway facing forced shutdown to a fully compliant, modernised payment platform, with both problems resolved before either caused a disruption to the business. The SecurityMetrics pass report, dated February 4, 2026, shows zero vulnerabilities detected. The Stripe migration completed before the Barclays deadline.

The timing of these two issues arriving so close together was coincidence. The fact that neither resulted in downtime, suspended payments, or a missed deadline was not.

If you operate a transactional website and cannot remember the last time your infrastructure was independently assessed, that is worth sitting with. Platforms like this can run quietly for years with exposure accumulating underneath. The question is not whether a scan would find something. It is whether you would rather find it first.

What the business has as a result:

  • PCI DSS compliance achieved and formally confirmed, February 4, 2026
  • Zero vulnerabilities detected on re-scan, maximum score 0.00
  • Gateway migration completed before the Barclays hard deadline
  • No payment downtime at any point during either project
  • Modern payment methods now supported: 3D Secure, Apple Pay, Google Pay
  • Full transaction visibility through the Stripe dashboard
  • Per-transaction pricing only, no monthly gateway fees

We delivered. Here is the evidence.

Visit the live site →
We knew we had to act when the compliance report landed, but the Barclays shutdown notice arriving so soon after made it feel like everything was happening at once. Expression 37 kept both things moving without it becoming a project management burden on our side. The compliance scan passed, we were on Stripe before the Barclays deadline, and we didn't lose a single payment throughout the whole process. That is exactly what you want from a technical partner when the pressure is on.

Russell Hancock, Operations Director ~ City Permits Ltd
A UK Parking Enforcement Operator

Recognise this situation?

A custom PHP application on ageing infrastructure is a liability that tends to get worse quietly. A payment integration that does not work reliably costs the business every time someone cannot complete a transaction. Neither is something you can afford to leave unresolved. These are the two services most relevant to the situation described above.

PHP Application Maintenance Stripe Integration & Support

Can we help?

Most clients come to us when their site has started to feel like a risk rather than an asset. Whether the agency relationship has ended, an upgrade has been delayed, or the site has simply grown beyond what it can handle, a conversation costs nothing.

Get in touch with Karl

Trusted by established businesses and growing brands across the UK

Expression 37 works with a small number of clients at any one time. These are some of them.

Respecting Client Confidentiality

Much of our work involves long-term support and maintenance arrangements for business-critical sites. A significant portion of that work is covered by non-disclosure agreements to protect client confidentiality, so we are unable to show every project publicly.

If you would like to discuss your ExpressionEngine or Craft CMS requirements, get in touch directly, Karl will respond personally.

About Karl

Karl Bowers ~ ExpressionEngine & Craft CMS Specialist

Karl is the founder of Expression 37 Ltd and has been working exclusively with ExpressionEngine and Craft CMS since 2007. In eighteen years he has supported more than 80 clients across the UK, from long-term retainer arrangements to emergency rescues when something has gone wrong at the worst possible moment. Every piece of work is handled personally by Karl, with no account managers or junior developers between you and the person doing it.

Find out how we work
» Get in touch