PT Jalin Pembayaran Nusantara sits at the center of Indonesia's national payment infrastructure. Every ATM Link transaction, across every major Indonesian bank, flows through Jalin's switching network. The company manages 945 verified physical locations nationwide, processes millions of transactions daily, and operates infrastructure that most Indonesians use without ever knowing the name behind it.
Their real-world authority? Unquestionable. The condition of their website when Arfadia first ran the audit? That was a completely different story.
PageSpeed Desktop at 42. SEO Health Score at 54 out of 100, rated "Fair." Content Security Policy headers not set. Vulnerable JavaScript libraries in active use. Domain Authority at 26, Trust Flow at 6. Bounce rate above the contract KPI threshold. And out of 945 ATM Link locations across the country, zero had been claimed or verified in Google Business Profile. Zero.
That's where the engagement started. What followed was a full-scale managed service overhaul across five dimensions simultaneously: website revamp, performance optimization, security hardening, SEO authority building, and local search at a scale most agencies don't attempt. By the time every contract KPI was measured, every single one had been exceeded.
Let's walk through the full story.
The Starting Point: jalin.co.id Before Arfadia
Before any optimization work began, Arfadia ran a complete diagnostic across five service dimensions. The findings weren't isolated issues. They were systematic, compounding problems across every layer of the website's technical foundation.
Performance and Core Web Vitals
The numbers from Google PageSpeed Insights were, well, not good. Desktop score at 42. Mobile at 33. Largest Contentful Paint clocked at 5.4 seconds, nearly nearly seven times the 800ms threshold Google considers excellent. Speed Index at 3.9 seconds. Cumulative Layout Shift at 0.46, well above Google's 0.1 threshold. The Ahrefs site audit surfaced 4,469 errors and 15,011 warnings across nine categories.
| Metric | Before | Google Threshold (Good) |
|---|---|---|
| PageSpeed Desktop | 42 | 90+ |
| PageSpeed Mobile | 33 | 90+ |
| LCP (Largest Contentful Paint) | 5.4s | < 2.5s |
| Speed Index | 3.9s | < 3.4s |
| CLS (Cumulative Layout Shift) | 0.46 | < 0.1 |
| Ahrefs Health Score | 54 (Fair) | 80+ |
The Ahrefs crawl found broken canonical tags, hundreds of images missing alt text, orphan pages with zero internal links, duplicate meta descriptions, hreflang inconsistencies. The kind of accumulated technical debt that builds up over years without systematic oversight.
Authority and Trust Signals
Domain Authority at 26. Trust Flow at 6. For a BUMN operating national financial infrastructure, those numbers weren't just an SEO problem, they were a credibility gap. The backlink profile also carried spam link signals that needed cleanup before any positive authority building could compound properly.
| Metric | Before | Contract KPI |
|---|---|---|
| Domain Authority (Moz) | 26 | 35 |
| Trust Flow (Majestic) | 6 | 20 |
| Bounce Rate (GA) | > 40% | < 40% |
| SSL Certificate | Basic | Grade A |
Security Exposure
The OWASP ZAP vulnerability assessment returned specific, documented findings. Content Security Policy headers: not set. Flagged as Medium Risk. Several JavaScript libraries in active use were outdated versions carrying known XSS vulnerabilities. For most websites these are inconveniences. For a BUMN with institutional data obligations and financial infrastructure responsibilities, they were real exposure points.
The security work wasn't optional. It was the first thing that needed to get done.
The GMB Gap
Here's the part that stands out most on the baseline audit. The ATM Link network serves 945 physical locations across Indonesia. Every single one of them, potentially visible on Google Maps to anyone searching for an ATM near them. And at project start, zero of those locations had been claimed or verified in Google Business Profile. Not one.
That's thousands of potential local search touchpoints, sitting idle.
The Approach: Five Workstreams, Fully Integrated
Arfadia structured the engagement around five parallel service dimensions, all running simultaneously, all tracked in a single integrated monthly report. The whole point was that these workstreams reinforce each other. Performance work and security don't exist in isolation from SEO. Content can't compound if the technical foundation is broken. Everything had to move at once.
Security Management: Hardening from the Ground Up
Daily monitoring and automated security scanning, with manual verification every business day. The OWASP findings got resolved one by one: Content Security Policy headers implemented, Sub-Resource Integrity attributes added, vulnerable JS libraries identified and updated. Encrypted daily backups. Every change went through staging before touching production. No exceptions.
SSL upgraded and verified to Grade A via Qualys SSL Labs. Security Headers tested to Grade A. Load testing at 1,000 concurrent users per minute: 100% success rate at 742ms average response time. Penetration test result: NOT VULNERABLE.
Application Management: The Full Redesign Story
Here's where it gets interesting. The scope wasn't routine maintenance. The entire visual system of jalin.co.id was redesigned from scratch in Figma before a single line of code was written. Not a theme refresh. Not a template. Every component, every layout pattern, every interaction designed as an original system.
The Figma file for this project is publicly accessible, with a full component library, desktop and mobile frames side by side, clickable interactive prototype. What Jalin approved in Figma is exactly what was built. That principle eliminates the most expensive type of rework: changes after delivery.
Implementation in PHP CodeIgniter with Bootstrap CSS framework. Staging-first deployment for every change, including the smallest ones. MACD requests (Move, Add, Change, Delete) handled without additional charges. In the engagement period: zero production incidents from deployment errors.
Performance Optimization: Targeting Every Core Web Vital
Technical performance work ran in parallel with the visual rebuild. Image optimization, render-blocking resource elimination, cache configuration, server response tuning, monthly database cleanup. All measurements conducted from Asia-region servers (Singapore and Jakarta) per contract specs. Not US-based nodes that inflate results.
The two-month sprint in early 2026 drove the sharpest jump: Health Score went from roughly 70 to 91 in eight weeks. Nine error categories resolved. 4,469 documented issues closed.
Authority Maintenance (SEO): Building Credibility Systematically
Monthly backlink audits with systematic spam disavow. Meta titles, descriptions, and slugs optimized across all pages, both new ones and the existing ones that had never been touched. Complete alt text coverage. Internal link architecture rebuilt strategically to distribute link equity and improve crawl efficiency. DA and Trust Flow tracked against contract KPIs every month, not just at the end.
Content Management and GMB at Scale
Daily content operations: articles, press releases, corporate reports, layout improvements targeting the bounce rate KPI. Wikipedia page maintenance. And then there's the GMB piece.
Getting 945 ATM Link locations claimed and verified in Google Business Profile required a multi-account approach. Google's platform caps processing at 1,000 locations per account, manageable in theory until you factor in verification workflows, documentation requirements, and the cases that needed direct Google Support escalation. Arfadia structured the entire operation specifically around these platform constraints. 928 locations verified. 98% of the full network, now visible in local search.
The Results: Complete Transformation
Now let's get into the numbers. These come from Ahrefs, Google PageSpeed Insights, Google Search Console, Google Analytics 4, Moz, Majestic, and Qualys. All independently verifiable.
Performance: From Failing to Green Across Every Parameter
LCP went from 5.4 seconds to 0.8 seconds. Let that sink in. A 93% improvement on a single metric that Google uses as a primary ranking signal. CLS went from 0.46 to 0.002, essentially from "this page jumps around as it loads" to "completely stable." And the Ahrefs Health Score moving from 54 to 91 required resolving issues across nine distinct error categories, not just a handful of easy wins.
SEO Health: From Fair to Excellent
Domain Authority: Both Targets Exceeded
DA moving from 26 to 36 sounds like a modest number until you understand the scale. The Moz DA metric is logarithmic. Getting from 26 to 36 is substantially harder than going from 10 to 20. The referring domain profile now includes 3,400+ domains, and the Trust Flow jump from 6 to 22 represents a complete transformation of backlink quality signals, not just volume.
Organic Search Visibility
Six months of Google Search Console data: 12.1 million impressions, 41,856 organic clicks. More than 60 articles published across Year 1 covering payment infrastructure, digital banking, ATM network operations, and Jalin's institutional programs. Content production ran daily throughout, covering press releases, corporate reports, and ongoing data cleanup.
| Metric | Result |
|---|---|
| Organic Impressions (6-month GSC) | 12.1 million |
| Organic Clicks (6-month GSC) | 41,856 |
| Bounce Rate (GA4) | 33% (target <40%) |
| Articles Published (Year 1) | 60+ |
Security: Grade A Across the Board
| Security Metric | Before | After |
|---|---|---|
| SSL Certificate (Qualys) | Basic | Grade A |
| Security Headers | Not Set (Medium Risk) | Grade A |
| OWASP ZAP Pentest | Flagged Issues | NOT VULNERABLE |
| Vulnerable JS Libraries | Active (XSS risk) | Fully Remediated |
| Load Test (1,000 users/min) | N/A | 100% success, 742ms avg |
The "NOT VULNERABLE" pentest result doesn't happen from a one-time patch cycle. It requires resolving every OWASP-flagged item, updating the full JS library stack, and implementing proper CSP headers with Sub-Resource Integrity. Then retesting to verify each fix. For a BUMN website, this is the security baseline, not a bonus deliverable.
GMB: 945 Locations, One National Network
At project start, 945 ATM Link locations existed across Indonesia. Verified in Google Business Profile: zero. Not a single one. That's an enormous number of local search touchpoints invisible to Google Maps, invisible to anyone searching "ATM near me" in any of those locations.
The challenge with claiming a network this size isn't just volume. Google Business Profile's 1,000-location processing cap per account means you can't do this naively from a single account. Arfadia structured a multi-account approach with direct Google Support escalation for cases that got flagged. Result: 928 locations verified. 98% of the full ATM Link network, now live in local search.
Every Single KPI. Exceeded.
This isn't a case study where some metrics hit and others missed. Every. Single. Target. Was. Exceeded.
| KPI | Before | Target | Actual | Status |
|---|---|---|---|---|
| PageSpeed Desktop | 42 | All Green | 87 | Achieved |
| LCP (Desktop) | 5.4s | < 2.5s | 0.8s | Exceeded |
| Speed Index | 3.9s | N/A | 1.1s | Improved |
| CLS | 0.46 | < 0.1 | 0.002 | Exceeded |
| Ahrefs Health Score | 54 (Fair) | N/A | 91 (Excellent) | Excellent |
| Domain Authority (Moz) | 26 | 35 | 36 | Exceeded |
| Trust Flow (Majestic) | 6 | 20 | 22 | Exceeded |
| Bounce Rate | >40% | <40% | 33% | Exceeded |
| SSL Certificate | Basic | Grade A | Grade A | Achieved |
| Security Headers | Not Set | N/A | Grade A | Hardened |
| Penetration Test | Flagged | N/A | NOT VULNERABLE | Secured |
| GMB Locations Verified | 0 / 945 | N/A | 928 / 945 (98%) | 98% Complete |
| Website Uptime | N/A | 99.9% | 99.9% | Maintained |
Why This Engagement Worked
A few things made this different from a standard vendor contract. Worth calling them out because they're the factors that consistently separate results like this from engagements that deliver less.
Design approval before development, every time. Requiring Figma sign-off before any code gets written sounds like it slows things down. It doesn't. It eliminates the most expensive type of rework, which is changing things after they're built. The Figma file for jalin.co.id is publicly accessible, with every screen, every component, every interaction. What was approved is exactly what was built.
Staging server as an absolute policy. For a BUMN handling financial data, there's no acceptable version of "push it to production and see what happens." Every change, including routine maintenance patches and minor layout adjustments, went through staging and was validated before touching the live environment. Zero deployment-related incidents in the engagement period. That's process discipline, not luck.
Security findings drove the security fixes. The CSP implementation and JS library remediation came directly from documented OWASP ZAP scan results. Not generic best-practice checklists. Confirmed vulnerabilities, fixed specifically, retested to verify resolution. The pentest result reflects that approach.
The GMB strategy was built around platform reality. Most teams would attempt a 945-location verification from a single account and hit the processing ceiling partway through. Arfadia structured the multi-account approach specifically because of the 1,000-location cap, with Google Support escalation paths planned in advance for edge cases. 928 locations verified. The remaining cases require Google back-end resolution and continue through the engagement.
One integrated report, five service dimensions. Jalin received a single monthly document covering security, performance, SEO, authority, and content together, not fragmented updates from separate teams. When you can see all five dimensions in one place, you can make decisions with the full picture. It sounds simple. Most agencies don't do it.
The Strongest Signal
You can look at every metric in this case study. PageSpeed scores, Health Scores, Trust Flow numbers, GMB verification rates. They all tell the same story.
But the strongest indicator of what this engagement actually delivered is simpler than any of the metrics. When Arfadia submitted the Year 2 proposal for jalin.co.id managed service, the RFP documents showed Arfadia's own work as the baseline to be maintained and improved. Every audit result, every before/after comparison, every KPI achievement in this article. That's what the procurement team evaluated when deciding whether to continue.
That kind of accountability is rare. The results are there.
About Arfadia
PT Arfadia Digital Indonesia has been operating since 2008 with offices in Jakarta, Bandung, and Bali. The agency is recognized as Indonesia's pioneer in Generative Engine Optimization (GEO), with a measurable framework called RoGEO (Return on Generative Engine Optimization). Arfadia provides full-service digital marketing, SEO, website development, and managed service engagements for enterprise and institutional clients across Indonesia.
Notable results from other engagements include 1,200% organic traffic growth for SERA (Astra Group), 380% conversion improvement for Allianz Indonesia, 1,764% traffic growth for JobStreet Express, and 260% traffic growth plus 334 verified AI citations for Toffin Indonesia.
If you're looking for a managed website and SEO partner for a government institution, BUMN, or enterprise organization, contact the Arfadia team to discuss your requirements.
Frequently Asked Questions
What does a website managed service engagement with Arfadia include?
The structure Arfadia used for this engagement covers five integrated workstreams running simultaneously: Security Management (daily monitoring, patching, encrypted backups, penetration testing, OWASP-based vulnerability assessment), Application Management (troubleshooting, MACD requests, CMS management, staging deployment, SSL), Performance Optimization (Core Web Vitals, monthly database cleanup, server monitoring from Asia-region test nodes), Authority Maintenance (monthly backlink audits, disavow, meta optimization, internal linking, DA and TF tracking), and Content Management (article publishing, GMB management, Wikipedia, layout improvements for engagement metrics). All five workstreams are tracked in a single integrated monthly report delivered to the client.
How long does it take to move a PageSpeed score from 42 to 87?
Honest answer: it depends heavily on what's causing the low score. For this engagement, initial performance gains appeared within the first three to four months as the UI/UX rebuild replaced the old codebase with optimized code. The final push to 87 came from a focused two-month sprint targeting render-blocking resources, image optimization, and cache configuration. Total timeline from 42 to 87: roughly eight to ten months of active work. There's no shortcut here. Quick fixes on a broken technical foundation don't stick. The underlying structure has to be right first.
Why does the Ahrefs Health Score improvement from 54 to 91 matter so much?
Because the Health Score measures technical SEO compliance across the entire website. Moving from 54 to 91 required resolving thousands of individual issues spread across nine categories: broken canonical tags, missing alt attributes, orphan pages, duplicate meta descriptions, crawl errors, hreflang problems, redirect chains, and more. Each resolved issue is a small crawlability and trust signal. The aggregate effect of closing all of them is a website that search engines can reliably crawl, index, and trust, which is the foundation that organic rankings are actually built on.
How does Arfadia handle security for institutional clients like BUMN?
Security testing follows a structured process: OWASP ZAP for vulnerability assessment (which identified the CSP header and JS library issues in this engagement), Nmap for port scanning, Qualys SSL Labs for SSL/TLS configuration grading, and manual penetration testing. Findings are documented, prioritized by risk level, and resolved in a staging environment before any changes touch production. Post-fix retesting confirms each item is closed before it's reported as resolved. The end result here: NOT VULNERABLE on pentest, Grade A on both SSL and Security Headers, reflects that methodology applied consistently.
Is 98% GMB verification realistic for a 945-location network?
Yes, but it requires a specific approach built around how the platform actually works. Google Business Profile processes up to 1,000 locations per account, which sounds sufficient until you factor in verification workflows, location-level documentation requirements, and cases that get flagged and need manual intervention. Arfadia structured a multi-account strategy with Google Support escalation paths planned in advance for problem cases. 928 of 945 locations were verified during the engagement. The remaining 17 require resolution through Google's back-end processes, which takes longer than standard verification. That work continues.
What's the difference between a website managed service and a standard SEO retainer?
A typical SEO retainer covers the marketing layer: keyword research, content strategy, and link building. A managed service goes deeper into the infrastructure layer: security patching, application updates, performance monitoring, database maintenance, and all the developer-level technical work that keeps the website operationally sound for the marketing to run on. For this engagement, managed service scope included the full UI/UX redesign, staging-verified deployment workflow, OWASP-based security hardening, SSL management, and developer-level MACD handling, none which of which would appear in a standard SEO contract. The broader scope is directly why the results span performance, security, and authority simultaneously.
How long does it take to see measurable results from a BUMN website managed service?
Security hardening and initial technical SEO improvements are measurable within the first three months. Performance gains from the UI/UX rebuild start appearing around months four through six as the new codebase replaces the old one. Authority metrics, DA and Trust Flow, build progressively over the full engagement. In this case, DA moved from 26 to 36 and Trust Flow from 6 to 22 across the engagement period. GMB verification runs in parallel throughout and compounds as more locations get verified and indexed by Google.
How is Arfadia's managed service different from other digital agencies in Indonesia?
Several things. The Figma-first design process creates a documented approval trail before any development begins, which prevents the scope disputes that derail a lot of web projects. The staging-first deployment policy protects institutional clients from production incidents. The integrated reporting format means clients see all five service dimensions in one document instead of piecing together updates from separate teams. And Arfadia's track record with other BUMN and enterprise clients, including Allianz Indonesia, Kementerian Keuangan, and BPJS Ketenagakerjaan, means the team understands the governance requirements and documentation standards that institutional clients need. That context matters when you're dealing with procurement processes and audit trails.
Sources and References
All metrics in this case study were captured using industry-standard tools and are independently verifiable. The sources below support the methodology and benchmarks referenced throughout.
Performance and Core Web Vitals
- Google, Core Web Vitals Documentation, official Google documentation on LCP, CLS, and TBT thresholds used as benchmarks in this case study.
- Google PageSpeed Insights, the primary performance measurement tool used for before and after comparisons. All measurements from Asia-region servers.
- GTmetrix, supplementary performance monitoring used alongside PageSpeed Insights throughout the engagement.
SEO and Authority Metrics
- Ahrefs SEO Metrics Explained, official Ahrefs documentation on Health Score, Domain Rating, and the audit error categories referenced in this case study.
- Moz Domain Authority Guide. Moz's documentation on how DA is calculated and why mid-range improvements on the logarithmic scale are significant.
- Majestic Trust Flow Explained, official documentation on the Trust Flow metric used to track backlink quality profile.
Security and Technical Standards
- OWASP ZAP, the open-source security scanner used to identify and document vulnerabilities in this engagement.
- Qualys SSL Labs, SSL/TLS configuration testing used to validate Grade A SSL certificate result.
- Google Search Central SEO Starter Guide, official documentation on technical SEO fundamentals that formed the baseline for the nine-category error resolution.
Local Search and GMB
- Google, Manage Locations in Bulk, official documentation on bulk location management and the account-level processing constraints that shaped the multi-account GMB strategy.
About the Client
- PT Jalin Pembayaran Nusantara Official Website. The subject of this case study. The current website reflects the results of the managed service engagement described above.