My phone, electricity, and insurance companies all have web portals for payments, bills, and service status.
These obviously have access to the payment database, but with very limited privileges. They need that access to work.
However, an electricity meter (power meter) installed at a client site will not have direct access to the customer/payment database.
It will access a separate database containing only information relevant for electricity meter operation, typically with customers identified by an arbitrary ID included in the meter. That database is synchronized periodically with the customer/payment database.
If the electricity company provides an interface for customers to monitor their power use, that will use yet another separate database, containing only electricity usage histories (typically at reduced resolution) and no payment history.
Many legal auditability requirements can only be fulfilled by separating different parts of the services into separate databases, periodically checking for differences, and having an exact transaction record. Many of them are used to monitor for both technical problems and human operator misbehaviour.
While it is technically easiest to use a single database for everything, it also means any problem anywhere in your system is potentially catastrophic. Yes, there are companies that operate this way, but I condemn them to hell. There is very little difference from setting up a company that really is just a front for its executives to sell the customer information on the black market. Ineptitude should not be a legal defense at all.
And there ain't no such thing as 'one way pushing' between systems.
Bullshit. You typically do that via an intermediary that has very limited access to the customer/payment database (typically read-only plus delete access to a single table containing pending changes), read-write access to the IoT client database, is strictly limited in its automated actions, and leaves an auditable trail of every single transaction it makes between the two databases. Exactly how this is set up depends on the database engine used.
It is the intermediary, via its access permissions, that provides the privilege separation between the two databases.
I would expect this to include a full state update every N hours using the same mechanism but as if all customer states had changed, with the intermediary checking for differences between the IoT database and the information from the customer/payment database, as any differences would indicate some updates were lost, which should never happen.