From the Regulatory Lead to the Site Reliability Engineers (SREs) and development team, there are quite a few individuals involved in keeping a Financial Technology (FinTech) company compliant. And there are quite a few regulations to stay in line with: anti-money laundering (AML), know your customer (KYC), payment card industry data security standard (PCI DSS), the list goes on. Adhering to these standards is difficult because it requires consistent, stringent software development standards across numerous teams and long periods of time.
The task is complex: it means ensuring the right visibility across several teams and setting and maintaining the right practices across the entire software development lifecycle, to name just two of the challenges. Luckily, there is a set of tools that was developed to help with a slice of these problems: Internal Developer Portals (IDPs).
IDPs help in a couple of ways:
- Standardize software development: Ensure alignment to standards of security, compliance, scalability, and more
- Ongoing visibility and alerting: Centralize software health assessments and the alerting mechanisms that help developers maintain ownership without losing speed
In this article, we'll explore how IDPs play a critical role in helping FinTech companies maintain software standards that support initiatives like PCI DSS compliance, and how some of Cortex's unique features—like Software Catalogs, Scorecards, Initiatives, Scaffolder, and Reporting—equip FinTech companies to make certain parts of regulatory compliance more repeatable.
The crucial role of IDPs in PCI DSS compliance
PCI DSS is a set of 12 security standards for any business processing credit card transactions. They range from installing and maintaining firewalls to encrypting cardholder data and regularly testing security systems.
Integrating these practices into the software development process is no small feat. This is especially true given the rapid pace of innovation and change in the FinTech sector and the numerous disciplines and teams involved in maintaining compliance. Additionally, the movement from monolith- to microservices-based architectures, where companies can have a huge number of separately deployed services that all might interact with sensitive data, further complicates the compliance journey.
IDPs like Cortex play a pivotal role in this scenario, as central hubs that help manage the intricate software ecosystems prevalent in FinTech companies. They abstract away the complexities involved in ensuring software security, maturity, and production readiness by leveraging data across all of the tools you use to manage software production. While IDPs alone cannot make a tech stack or tech organization PCI-compliant, they can help stack the deck in your favor. To see what this looks like in practice, let’s dive into a few points from the PCI Compliance checklist, and break down how IDPs can support each.
Security Protocols
- Develop and maintain secure systems and applications: IDPs enable you to set rules and rubrics that take context from other tooling into account. For example, connect your vulnerability management and ticketing solutions to continuously check whether software is connected to security scanners, has at least 80% code coverage, is running tests, has no more than 3 open P3 vulnerabilities, and much more.
- Regularly test security systems and processes: IDPs enable you to ensure testing and code coverage on new or existing software, and will alert devs when software they own falls out of alignment with these expectations.
Data Management Protocols
- Protect stored cardholder data: Add custom data from verification systems to flag whether software falls out of alignment with a required configuration, like at-rest encryption. Alert devs to the action needed in the same place they receive alerts for other software improvement needs.
- Maintain a policy that addresses information security for all personnel: Although IDPs do not create policies, they play a crucial role in disseminating and tracking adherence to software security policies within the development environment, addressing the gap in policy management and compliance.
Network Access Protocols
- Encrypt transmission of cardholder data across open, public networks: Import custom data from network monitoring tools to create flags for alignment to best practice. Ensure software is configured to use the requisite encryption for data transmission, and ensure ongoing alignment.
- Track and monitor all access to network resources and cardholder data: IDPs do two things here: aggregate data from any telemetry you may have (like Datadog, CloudTrail, and others), and use that data to ensure adherence to standards.
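As an added illustration (not Cortex's code or its query language), the following Python evaluator applies the checklist thresholds described above (security scanner connected, at least 80% code coverage, tests running, no more than 3 open P3 vulnerabilities, and encryption at rest and in transit for services that handle cardholder data) to a constructed service catalog and groups the failures by owning team, the way an IDP routes alerts to the developers who own a service. The Service fields, rule wording and sample catalog are assumptions made for the example.

```python
"""Illustrative scorecard evaluator; not Cortex's implementation or CQL."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Service:
    """Assumed per-service metadata, as an IDP catalog might aggregate it."""
    name: str
    owner: str                # team that receives the alert (assumption: one owner)
    handles_card_data: bool   # in scope for the cardholder-data rules
    security_scanner: bool    # connected to a security scanner
    code_coverage: float      # percent
    tests_in_ci: bool
    open_p3_vulns: int
    encryption_at_rest: bool
    tls_in_transit: bool


# Each rule is (description, predicate). Thresholds follow the checklist above.
RULES: list[tuple[str, Callable[[Service], bool]]] = [
    ("connected to a security scanner", lambda s: s.security_scanner),
    ("code coverage >= 80%", lambda s: s.code_coverage >= 80.0),
    ("runs tests in CI", lambda s: s.tests_in_ci),
    ("no more than 3 open P3 vulnerabilities", lambda s: s.open_p3_vulns <= 3),
    # Data-protection rules only apply to services that touch cardholder data.
    ("cardholder data encrypted at rest",
     lambda s: not s.handles_card_data or s.encryption_at_rest),
    ("cardholder data encrypted in transit",
     lambda s: not s.handles_card_data or s.tls_in_transit),
]


def evaluate(service: Service) -> list[str]:
    """Return the descriptions of every rule this service currently fails."""
    return [desc for desc, check in RULES if not check(service)]


def alerts_by_owner(services: list[Service]) -> dict[str, dict[str, list[str]]]:
    """Group failing rules by owning team so each team sees only its services."""
    out: dict[str, dict[str, list[str]]] = {}
    for svc in services:
        failures = evaluate(svc)
        if failures:
            out.setdefault(svc.owner, {})[svc.name] = failures
    return out


# Constructed sample catalog (not real data from any company).
SAMPLE_CATALOG = [
    Service("payments-api", "team-payments", True, True, 91.0, True, 1, True, True),
    Service("card-vault", "team-payments", True, True, 78.5, True, 5, False, True),
    Service("marketing-site", "team-web", False, False, 40.0, True, 0, False, False),
]

if __name__ == "__main__":
    for owner, svcs in alerts_by_owner(SAMPLE_CATALOG).items():
        for name, failures in svcs.items():
            print(f"[{owner}] {name}: " + "; ".join(failures))
```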
Looking at the list of PCI requirements, it’s worth noting that many have two key components: compliance in initial setup, and remaining compliant thereafter—IDPs help with both.
IDPs are helpful at setup time because they automate many of the checks that are required to understand if a newly deployed system is compliant. But the more difficult part, and where IDPs really shine, is helping you stay compliant in the months and years that come after. IDPs like Cortex continue to apply the automated checks necessary to understand if the many components that make up a FinTech deployment remain compliant. And they surface this status information in a single, convenient, central source of truth, providing the visibility needed to the various teams (regulatory, SRE, engineering) that need to be involved in the process.
How Pismo closed the compliance gap with Cortex
Pismo, a FinTech company processing $208 billion in transactions per year, leverages the Cortex IDP as part of a broader initiative to improve software consistency and reliability. Pismo’s platform consists of numerous microservices, and the company faced challenges in maintaining service quality due to its rapid growth. To address the issue, the Pismo team took advantage of several core Cortex features, starting with a comprehensive software catalog that included vital information for each service, like programming languages, databases, and message brokers.
To help close the compliance gap, the Pismo team used Scorecards, which provide detailed evaluations of software services against predefined standards (like the PCI standards defined above) and Initiatives, which aid in setting and achieving short- and long-term compliance goals. To simplify the process of creating and maintaining software services that are compliant with industry standards, the team was able to use Cortex’s Scaffolder feature. Scaffolder enables reusable templates, boilerplate code, and configuration, which let the team ensure that new services they create to keep up with demand are compliant by default. Lastly, the dependency graphs created using Cortex further helped Pismo identify potential bottlenecks and critical areas in their services, thereby ensuring a robust and compliant financial services platform. To learn more, check out the case study: How Pismo built a road to visibility in a complex microservices ecosystem.
Broader impact of Cortex in FinTech development
Cortex's impact extends beyond helping firms meet the requirements of PCI compliance. Its comprehensive suite of tools plays a crucial role in enhancing the overall quality and efficiency of software development in the FinTech industry. By automating many parts of compliance checks and integrating them into the software development lifecycle, Cortex allows FinTech companies to maintain a continuous focus on innovation and customer service.
The ability to assess and monitor the health and security of software services in real-time is critical for FinTech companies, given the heavy regulation present in the space. This monitoring and assessment ensures that compliance is ingrained in the development process, and is not just an afterthought. This proactive approach to software development and compliance positions FinTech companies to respond swiftly to changing market demands and regulatory landscapes.
Conclusion
The incorporation of IDPs into software development in FinTech organizations represents a significant stride towards simplifying and reinforcing PCI compliance. Through tools like Scorecards, Initiatives, and Scaffolder, Cortex provides a pathway for helping FinTech companies achieve and maintain high standards in security and regulatory compliance, without compromising on the speed and innovation that drive the sector. As FinTech continues to evolve, the adoption of robust, compliance-focused development tools will be paramount in navigating the complex interplay of technology, regulation, and market demands. If you’re interested in seeing how Cortex can help your FinTech organization with PCI compliance and more, please reach out to schedule a live demo.