Title: AWS re:Inforce 2024 - Building PCI-compliant real-time payment processing with AsapCard (DAP222)
Insights:
- Introduction to AsapCard: AsapCard is a Brazilian fintech startup focused on innovating financial and banking services, particularly for bank acquirers, issuers, and PSPs.
- Cloud Deployment: The company has fully deployed its key components, the connector and the authorizer, in the cloud, eliminating the need for hardware security modules and mainframe-based processing.
- Mission and Goals: AsapCard aims to provide better services, reduce operational costs, mitigate risks, and offer real-time data processing. They emphasize flexibility, ease of integration, and real-time control over traditional batch processing.
- PCI DSS Compliance: Ensuring PCI DSS compliance is a critical aspect of AsapCard's operations. Key requirements include robust network security, cardholder data protection, encryption, least-privilege access, and regular testing and monitoring.
- AWS Partnership: AsapCard leverages AWS services to maintain PCI DSS compliance, including AWS Control Tower, AWS Organizations, AWS PrivateLink, AWS WAF, AWS Secrets Manager, AWS CloudHSM, and AWS Payment Cryptography.
- Security and Monitoring: Continuous monitoring and security are managed using AWS CloudTrail, Amazon CloudWatch, AWS WAF, AWS Shield Advanced, AWS Security Hub, Amazon GuardDuty, Amazon Macie, Amazon Inspector, and Amazon Detective.
- Future Vision: The company aims to modernize card processing by decommissioning old systems, adopting microservices and event-driven architectures, and ensuring seamless migration between card processing systems without business disruption.
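The cardholder data protection and monitoring points above are stated as requirements rather than mechanisms, so here is an added worked example (not code from the talk, from AsapCard, or from AWS) of two controls a PCI DSS scope normally needs: rendering the PAN unreadable with a keyed one-way token, and masking or redacting PANs before they reach logs. The key, the log lines and the PANs (4111111111111111 is a well-known test number) are constructed for this example; in a real deployment the key would live in a secrets store such as the AWS Secrets Manager the talk mentions.

```python
import hashlib
import hmac
import re

# Assumed: a long-lived keyed-hash secret held in a secrets store; constructed here.
TOKEN_KEY = b"example-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Return True when a 13-19 digit string passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Stable keyed one-way token so records can be correlated without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Candidate PANs: 13-19 digit runs not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its masked form."""

    def _sub(match: "re.Match[str]") -> str:
        digits = match.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits

    return _CANDIDATE.sub(_sub, line)


def redact_log(lines):
    """Scrub a batch of log lines before they are shipped to a log sink."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines from a hypothetical authorizer and connector.
SAMPLE_LOG = [
    "2024-06-11T10:00:00Z authorizer INFO auth request pan=4111111111111111 amount=10.00",
    "2024-06-11T10:00:01Z connector DEBUG order id 1234567890123456 merchant=m-42",
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    print(tokenize_pan("4111111111111111"))
```

The Luhn check keeps the redactor from mangling ordinary numeric identifiers (the second sample line is an order id that fails Luhn and is left alone), while the HMAC token gives downstream systems a stable reference without the PAN ever being stored in clear.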
Quotes:
- "We are going to innovate and be the next generation card processing company."
- "Our goal is to provide more services and also to help our customers to have better services, lower the operational costs, and of course, mitigate risks."
- "We need to work with real-time processing and forget everything that we had in the past for batch processing."
- "We are leveraging all the services from AWS, Tower and AWS Organizations to be the foundation for our accounts."
- "We have a dedicated team that is taking care of all the continuous monitoring and ensuring that we have everything in place, no data is being leaked, we don't have a security threat."
- "AWS was a key partner for us to take care of all the PCI compliance and we leverage a lot of their services and certifications to stay PCI compliant."