Back to Blog

DevOps Case Study: Automating Deployments with PCI Compliance for Fintech

Automating Deployments with PCI Compliance for Fintech

The DevOps software development model embodies a speed of service delivery that brings a competitive advantage to organizations.

Core DevOps practices within this model, like CI/CD (Continuous Integration/Continuous Deployment) drive efficiency gains with automated software deployments that shorten the Software Development Lifecycle (SDLC).

In practice, these core practices often attract specific outcomes following a DevOps transformation exercise. For instance, easier performance monitoring improves the system’s reliability, and integrating security testing and auditing into the DevOps workflow promotes compliance.

Organizations subject to PCI compliance audits can reap the benefits of a DevOps transformation exercise by building their workflows on compliant infrastructure. But this process starts with selecting the right tool for the job. The problem isn’t a lack of tools - there’s a sea of PaaS applications with various specializations.

So what’s the best way to pick a tooling approach that serves your organizational needs, especially with PCI compliance in the mix? This DevOps case study explores the decision-making process behind one team’s choice of Convox as their preferred PCI-compliant DevOps transformation tool.

Case Study Objectives

This case study explores the needs of a fintech startup, a global financial services provider - and its choice of Convox as a preferred DevOps automation tool in its PCI compliance efforts. It also highlights the breakthroughs and challenges faced during and after onboarding.

The Client

Initially established as a Forex trading platform, the financial services provider evolved into a global payment facilitator that offered international commerce players the necessary tools to send and receive money locally and globally.

With a team of fifteen developers, the organization offered businesses global multicurrency wallets for receiving, converting, and paying money locally. These wallets primarily served cross-border e-commerce players by helping them accept payments using local banking infrastructures. Customers could transfer funds back to their country at mid-market fx rates, avoiding slow and expensive mainstream bank transfers.

The Background

As the financial services provider looked to launch a new card program, the need for PCI compliance became apparent. The team had two months to achieve PCI compliance before being audited, and they needed a solution for quick implementation.

PCI DSS (Payment Card Industry Data Security Standard) stipulates compliance requirements for assessing payment gateways, merchants, issuers, and other fintech organizations interacting with sensitive payment card data. These security-based compliance requirements outline vital areas for consideration, including the provision of secure infrastructure - Convox fits in here.

The Problem

The company initially considered Heroku as a viable solution. However, with all infrastructural components on AWS Singapore, Heroku’s incompatibility with AWS Singapore posed a big challenge. In addition, being located in Asia required an enterprise account on Heroku, and migration came with several risks and unpredictable factors.

The Way Forward

The team needed an application they could easily install onto their existing AWS region in Singapore. It was also crucial that migration from their self-managed infrastructure was seamless. Apart from Heroku, the team considered ECS, Kubernetes, and Docker Swarm, but these were too complex and didn’t seem to tick all their boxes.

In addition, the team wanted a solution that offered processes automated enough not to require building a new DevOps team. To save costs, the team wanted to leverage existing DevOps resources (which consisted of one DevOps engineer).

The Solution

By offering the financial services provider a Heroku-like experience, Convox enabled the team to update its application easily without a huge learning curve or downtime.

In addition, the financial services provider could easily plug Convox into its existing AWS region in Singapore, including directly to the VPC, and have a cluster running with their application connecting to the current RDS instance.

Migration from the self-managed AWS Elastic Beanstalk to Convox was also hitch-free, taking around two months to complete. From the onset, the team was live in production with Convox and had quickly depreciated assets on Elastic Beanstalk.

The open-source nature of the Convox platform was another huge selling point. The team found it easy to investigate and solve issues with a collection of cloud formation templates.

Convox enabled PCI compliance and hyper compliance, which the financial services provider needed for an upcoming card program. Convox also met the team’s specific requirement to achieve this without building an in-house DevOps team.


The financial services provider used Datadog for monitoring and metrics as recommended by Convox. However, the team faced Datadog integration issues related to features like container monitoring and file integrity monitoring – all of which were fixed by reaching out to the support team.

End State

The migration process equipped the financial services provider with a DevOps automation tool that addressed its infrastructural compliance needs, leaving just documentation and processes to handle.

During the transformation exercise, the Convox team helped to define the PCI compliance strategy. The decision was made to block public access to S3 buckets - now a core offering available to Convox’s customers.

Under Convox’s enterprise plan, the financial services provider leveraged the self-hosted console for better performance. This plan addressed the limitations of running workflows in parallel with Convox-hosted workflows. It also offered review apps for developers, which enhanced productivity.

Convox helped to create a quick feedback loop between developers, product managers, and QA for fast and secure deployment. Rapid feedback exchange was critical for a multicurrency wallet platform, especially when used in tandem with Convox’s customer support.

The migration exercise aligned with the best DevOps practices and was executed within the financial services provider’s stipulated time frame. It also set the company up for a cost-effective long-term approach that relied on a lean DevOps team.

Key Takeaways

Organizations seeking to meet PCI-compliant standards need the backing of PCI-compliant infrastructure like Convox to help them achieve their goals.

The best deployment solution goes beyond infrastructure provisioning. Like Convox, the best solution should have strategic involvement in defining the best approach for deployment infrastructure provisioning. Convox employs best practices to empower organizations with PCI-compliant infrastructure, an essential feature for a fintech like the financial services provider.

The choice of deployment tools is a strategic decision that optimizes cost-effectiveness by reducing the need for dedicated DevOps human resources.

Let your team focus on what matters.