About This Architecture
This dual-VPC payment processing architecture applies strict network segmentation, separating internal payment logic from external bank integrations with firewalls, VPN gateways, and DMZ zones. Data flows from the ERP through SFTP ingestion, encryption via KMS, client signature collection through a WAF-protected API Gateway, and admin signing before transmission to multiple Israeli banks via secure SFTP outbound. The design enforces least-privilege access across four subnets in VPC 1 (DMZ, App Tier, Data Tier, Client Access, Admin) and three in VPC 2 (DMZ, Payment Service, SFTP Outbound, Bank Access), with an encrypted database and key management isolating sensitive payment data. Security architects can fork this diagram to customize firewall rules, add banks, or adapt the signing workflow for compliance frameworks like PCI-DSS or local banking regulations. The architecture demonstrates defense-in-depth through network isolation, encryption at rest and in transit, and role-based access control between payment processing and administrative functions.