Building a global PCI DSS Level-1 accredited platform
When a new application was developed to help retailers protect their customers from the multi-billion-dollar problem of payment-card fraud, the team was tasked with transforming it from an expensive, complex on-premise solution into a global cloud application that could be adopted by large and small businesses alike.
The result was an award-winning AWS-hosted service that was the first of its kind to achieve PCI DSS Level-1 accreditation — one that would debunk the myth that security and application flexibility and scalability don’t mix.
Keeping customers’ payment information secure is a fundamental business requirement. Unsurprisingly, the payment-card industry’s data security standard, PCI DSS, requires sellers taking payments over the telephone to implement significant measures to protect their consumers.
When a new secure method of taking telephone payments emerged that enabled customers to use their keypad to communicate card numbers during a call without exposing them to the seller’s agent, it was a game changer. Contact centres would no longer need to place payment-taking agents in secure, monitored areas away from other operations. Small merchants could take payments without exposing their customers to real or perceived risk. And card users could feel safe that they were not exposed to potential fraud.
However, there was one problem: it was only available as an on-premise installation requiring substantial time and cost to install. The challenge was how to replicate the solution as a SaaS service that would remove the barrier to adoption for large and small merchants alike.
For maximum flexibility and scalability, the obvious answer was to build a multi-tenant service on AWS. However, this created a further technical challenge: how to secure a shared infrastructure to the level demanded by PCI DSS for this kind of application.
Received wisdom was that security to the level required would inevitably restrict application flexibility and scalability — many questioned whether it was even possible on a multi-tenant public cloud. The team set out to prove the doubters wrong.
Working closely with a security architect and QSAs (qualified security assessors) from Amazon, the team developed a three-pronged approach to system security:
- Perpetual image ‘hardening’: An infrastructure-build process was developed that ensured any instance brought into service was built from the virtual equivalent of bare metal to a prescribed, automated security-hardened specification;
- Security-centric continuous-delivery pipeline: A CD software-release process with security controls, measures and auditability intrinsic to it — in short a rigorous application of what is now referred to as “devsecops”;
- Comprehensive event monitoring: Using Splunk, the team was not only able to actively monitor and manage platform health, but was also able to monitor its estate to detect and prevent threats and optimize incident response.
Through a process of creative problem solving and by putting information security at the heart of the systems-and-operational design process, the team created a PCI DSS-compliant application without compromising the intrinsic flexibility and scalability advantages of cloud.
Furthermore, by harnessing AWS’s seamless geographic reach, the team was able to launch the service in any region in a matter of hours, not days.
AWS services used: EC2, RDS, S3, SQS
The award-winning application was the first of its kind to achieve PCI DSS Level-1 accreditation.
By removing the need for on-premise infrastructure, it enabled organisations of any size in any location to increase protection of their customers’ most sensitive data — enabling business to flow more freely, and creating a stronger bond of trust between buyer and seller.