Skip to content
Close
SEARCH
Talk with Us
Talk with Us
Our Approach
Consulting Services
Cloud Security and Compliance
Cloud Adoption and Modernization
Cloud Capabilities and Engineering
FedRAMP Consulting
All Partners
AWS
Google Cloud
Microsoft Azure
Schellman
News
Blog
Video Library
White Papers
Events
Open Source Projects
About Us
Who We Are
Our Team
Our Jobs
Contact Us
iStock-1434378390 (1)-1

Fortune 500 Retail Organization

ScaleSec Accelerates Achieving PCI DSS 4.0 Compliance in the Cloud
INDUSTRY
Retail
LOCATION
Atlanta, Georgia
USE CASE
Google Cloud PCI-DSS
PLATFORM

Google Cloud

 

ABOUT THE CUSTOMER

The customer operates a multi-national retail chain with both physical and online presence. Prior to engaging ScaleSec, the customer had been leveraging a service provider to process and route payments for stores and on their e-commerce website. As part of application modernization, along with the goal of performing their own payment processing to reduce service provider fees, the customer opted to develop their own payments processing platform in Google Cloud Platform (GCP). The customer engaged ScaleSec to augment their internal teams with expertise in Google Cloud, Payment Card Industry Data Security Standard (PCI-DSS), and engineering.

 

Services Provided

ScaleSec was engaged to review the customer’s proposed payment system architecture, provide guidance, and help the customer reduce their time to market. ScaleSec brought PCI-DSS and Google Cloud security expertise to ensure the selected solution architecture would satisfy PCI-DSS security requirements, while ensuring the new environment is highly scalable and management overhead is reduced by leveraging managed services and automation. ScaleSec designed and deployed the customer’s GCP organization and infrastructure, along with security guardrails that ensure PCI-compliant configuration and resiliency to process billions of dollars in payments annually. 

In the initial phases the customer identified multiple existing systems that they would need to leverage their new payments system, but did not yet have a clear understanding of the boundary of their Cardholder Data Environment (CDE) or the full scope of PCI in their environment. ScaleSec performed an in-depth analysis of the customer’s proposed Google Cloud architecture, their existing cloud environment, and ensured the true scope of PCI was identified, with the appropriate Self-Assessment Questionnaire (SAQ) selected. 


 

 

"In a matter of weeks, ScaleSec designed, deployed, and trained the customer on how to operate PCI-compliant workloads within their new GCP environment."

 

Solution Architecture

ScaleSec utilized their existing codebase and PCI-DSS expertise to rapidly develop customized Terraform Infrastructure as Code (IaC) modules that satisfy PCI-DSS and customer requirements, while allowinging customization to their environment. For example, these modules include the GCP organization hierarchy, foundational resources (such as VPC networking and centralized logging), security resources (including intrusion detection capabilities and compliant KMS keys for encryption), and infrastructure to run their workloads such as Google Kubernetes Engine (GKE) and database clusters. 

Designed as an ideal model for this customer’s cloud environment, the Infrastructure as Code modules were written to be reusable across multiple geographies and support reuse across the customer’s non-PCI workloads as well. Cloud native security controls were implemented across the environment to minimize the need to purchase additional security tooling to meet PCI-DSS requirements, along with the operational overhead that goes along with managing those tools. 

To ensure the security and confidentiality of any cardholder data in the environment, GCP Organization Policy constraints were designed and implemented to restrict access to only PCI-compliant services and prevent performing non-compliant configurations for any supported resources. Additionally, the environment was designed according to the principle of least privilege, ensuring users within the customer environment were unable to access the environment or its data unless absolutely necessary.

 

Results

With ScaleSec’s assistance, the customer was able to focus on application development rather than design and deploy the many infrastructure components and security services necessary to achieve PCI compliance in GCP. In a matter of weeks, ScaleSec designed, deployed, and trained the customer on how to operate PCI-compliant workloads within their new GCP environment. This allowed the customer to focus on delivery and deployment of their application to begin in-house processing for their multi-billion dollar annual online and brick-and-mortar sales, while allowing them to eliminate potentially hundreds of millions of dollars in transaction service fees over time.

 

Want to speak with a ScaleSec expert?

Want to optimize and transform your existing digital portfolio? Reach out to us.
Connect