City Permits

A UK Parking Enforcement Operator

The Situation

City Permits operates a live, transactional platform handling ticket payments and permit applications for parking enforcement across the UK. When they came to us, the application had been built on PHP 5.6, a version end-of-life since 2016 and actively failing PCI compliance scans. More critically, the Barclays ePDQ payment integration contained three separate bugs that meant the system could not complete any live transaction. Every payment attempt either hit the gateway and was rejected silently, or the confirmation callback was dropped entirely.

The business was effectively unable to take payments online. There was no redundancy, no audit trail for failed transactions, and no clear path forward from within the existing codebase. The .git directory was also publicly accessible, exposing the entire version history to anyone who looked.

What We Did

We began by upgrading the entire application stack, moving from PHP 5.6 to PHP 8.2, from Slim Framework 3 to Slim 4 with modern PSR-7 architecture, and from Twig 1 to Twig 3. Alongside the framework modernisation, we introduced environment-based configuration to remove hardcoded credentials from the codebase, added all required HTTP security headers, and blocked the exposed .git directory via server configuration.

We then worked methodically through the three Barclays payment failures. The first was duplicate order ID rejection on retried payments, resolved by appending a unique identifier to each order reference. The second was an incomplete SHA signature that excluded required callback URLs from the signed parameter set, causing every transaction to fail at gateway validation. The third was a POST callback handler that silently discarded payment confirmations, meaning no successful payment was ever recorded even when one occurred. All three were diagnosed, documented, and resolved.

Once payments were working reliably, we planned and executed a full migration to Stripe Checkout. This replaced Barclays entirely with a modern, hosted payment page supporting 3D Secure, Apple Pay, and Google Pay. Payment confirmation moved from fragile redirect callbacks to webhook-based verification, with each transaction linked directly to the Stripe dashboard via stored payment intent IDs.

The Outcome

The application went from unable to complete a single payment to fully operational on Stripe, with PCI compliance achieved and all known security vulnerabilities resolved. The client now has a payment system that passes compliance scanning, supports modern payment methods including Apple Pay and Google Pay, and gives their team direct visibility into every transaction through the Stripe dashboard.

The modernised codebase runs on supported PHP with a stable framework, reducing the risk of future compliance failures and making ongoing development straightforward. What had been a liability, a platform that was visibly broken and actively exposing the business to regulatory risk, became a reliable operational asset.

We had been unable to take payments through the website for longer than I care to admit. Karl diagnosed exactly what was wrong with the payment integration, fixed it, and then moved us onto Stripe, which has been far more reliable. The whole process was clear and efficient and the result was immediate. The site now works as it should and we have no compliance concerns hanging over us.