Fortune 500 Retail Organization
Google Cloud
ABOUT THE CUSTOMER
The customer operates a multi-national retail chain with both physical and online presence. Prior to engaging ScaleSec, the customer had been leveraging a service provider to process and route payments for both its physical stores and its e-commerce website. As part of application modernization, along with the goal of performing their own payment processing to reduce service provider fees, the customer opted to develop their own payments processing platform in Google Cloud Platform (GCP). The customer engaged ScaleSec to augment their internal teams with expertise in Google Cloud, the Payment Card Industry Data Security Standard (PCI-DSS), and engineering.
Services Provided
ScaleSec was engaged to review the customer’s proposed payment system architecture, provide guidance, and help the customer reduce their time to market. ScaleSec brought PCI-DSS and Google Cloud security expertise to ensure the selected solution architecture would satisfy PCI-DSS security requirements, while ensuring the new environment is highly scalable and management overhead is reduced by leveraging managed services and automation. ScaleSec designed and deployed the customer’s GCP organization and infrastructure, along with security guardrails that ensure PCI-compliant configuration and resiliency to process billions of dollars in payments annually.
In the initial phases the customer identified multiple existing systems that would need to use their new payments system, but did not yet have a clear understanding of the boundary of their Cardholder Data Environment (CDE) or the full scope of PCI in their environment. ScaleSec performed an in-depth analysis of the customer’s proposed Google Cloud architecture and their existing cloud environment, ensured the true scope of PCI was identified, and selected the appropriate Self-Assessment Questionnaire (SAQ).
Solution Architecture
ScaleSec utilized their existing codebase and PCI-DSS expertise to rapidly develop customized Terraform Infrastructure as Code (IaC) modules that satisfy PCI-DSS and customer requirements, while allowing customization to their environment. For example, these modules include the GCP organization hierarchy, foundational resources (such as VPC networking and centralized logging), security resources (including intrusion detection capabilities and compliant KMS keys for encryption), and infrastructure to run their workloads such as Google Kubernetes Engine (GKE) and database clusters.
Designed as an ideal model for this customer’s cloud environment, the Infrastructure as Code modules were written to be reusable across multiple geographies and support reuse across the customer’s non-PCI workloads as well. Cloud native security controls were implemented across the environment to minimize the need to purchase additional security tooling to meet PCI-DSS requirements, along with the operational overhead that goes along with managing those tools.
To ensure the security and confidentiality of any cardholder data in the environment, GCP Organization Policy constraints were designed and implemented to restrict usage to only PCI-compliant services and to prevent non-compliant configurations of any supported resource. Additionally, the environment was designed according to the principle of least privilege, ensuring users within the customer environment were unable to access the environment or its data unless absolutely necessary.
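The guardrails described above (an allow-list of services enforced through Organization Policy, boolean constraints that block common misconfigurations, customer-managed KMS keys with rotation, and a narrowly scoped IAM grant) can be expressed as Terraform. The following is an added illustration, not ScaleSec's modules or the customer's code. The organization id, CDE project id, service account name, the particular list of allowed services and the 90-day rotation period are all constructed placeholders; the constraint names and resource types are the ones the Google Terraform provider actually exposes.

```hcl
# Added example, not code from the original page. Assumes two input variables:
#   var.org_id      - numeric GCP organization id (placeholder)
#   var.cde_project - project id of the Cardholder Data Environment (placeholder)
variable "org_id"      { type = string }
variable "cde_project" { type = string }

# 1. Restrict service usage org-wide to an explicit allow-list. Any API that is
#    not listed cannot be enabled below this node, so cardholder data cannot
#    land in a service that was never assessed. The list itself is constructed.
resource "google_org_policy_policy" "restrict_service_usage" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictServiceUsage"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = [
          "compute.googleapis.com",
          "container.googleapis.com",      # GKE
          "cloudkms.googleapis.com",
          "logging.googleapis.com",
          "monitoring.googleapis.com",
          "secretmanager.googleapis.com",
          "sqladmin.googleapis.com",
          "storage.googleapis.com",
        ]
      }
    }
  }
}

# 2. Boolean constraints that close recurring misconfigurations.
locals {
  enforced_boolean_constraints = [
    "compute.requireOsLogin",               # SSH via IAM identities, no static keys
    "compute.skipDefaultNetworkCreation",   # no auto-created, wide-open VPC
    "iam.disableServiceAccountKeyCreation", # no downloadable long-lived SA keys
    "storage.uniformBucketLevelAccess",     # IAM-only bucket access, no ACLs
  ]
}

resource "google_org_policy_policy" "boolean_guardrails" {
  for_each = toset(local.enforced_boolean_constraints)

  name   = "organizations/${var.org_id}/policies/${each.value}"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# compute.vmExternalIpAccess is a list constraint, so "deny all" is the way to
# forbid public IPs on every VM in the hierarchy.
resource "google_org_policy_policy" "no_external_vm_ips" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# 3. Customer-managed KMS key for cardholder data at rest with automatic
#    rotation. The 90-day cryptoperiod is a constructed value for illustration.
resource "google_kms_key_ring" "cde" {
  name     = "cde-keyring"
  location = "us"
  project  = var.cde_project
}

resource "google_kms_crypto_key" "cardholder_data" {
  name            = "cardholder-data"
  key_ring        = google_kms_key_ring.cde.id
  rotation_period = "7776000s" # 90 days, expressed in seconds

  lifecycle {
    prevent_destroy = true # destroying the key makes ciphertext unrecoverable
  }
}

# 4. Least privilege: the payment workload's identity receives only the
#    encrypt/decrypt role on this one key, not project-wide Editor or Owner.
resource "google_service_account" "payments_api" {
  account_id   = "payments-api" # placeholder name
  display_name = "Payments API workload identity"
  project      = var.cde_project
}

resource "google_kms_crypto_key_iam_member" "payments_api_use_key" {
  crypto_key_id = google_kms_crypto_key.cardholder_data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.payments_api.email}"
}
```

Applying the policies at the organization node means every folder and project inherits them; a non-PCI folder that legitimately needs a service outside the allow-list would carry its own, more permissive policy on that folder rather than the whole organization being loosened. The `prevent_destroy` lifecycle rule is a deliberate choice: a `terraform destroy` that removed the key would also remove the only way to read the data it protects.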
Results
With ScaleSec’s assistance, the customer was able to focus on application development rather than designing and deploying the many infrastructure components and security services necessary to achieve PCI compliance in GCP. In a matter of weeks, ScaleSec designed, deployed, and trained the customer on how to operate PCI-compliant workloads within their new GCP environment. This allowed the customer to focus on delivery and deployment of their application and to begin in-house processing for their multi-billion dollar annual online and brick-and-mortar sales, while eliminating potentially hundreds of millions of dollars in transaction service fees over time.