Zhivko Todorov

CASE 02 · ORBIT · 2025

EKS · PCI DSS · MULTI-TENANT · KUBERNETES

PCI DSS on a multi-tenant platform, without forking the cluster.

A B2B payments platform needed PCI DSS Level 1 for their largest customer — but their architecture team had been told it would require a separate cluster and six months of work. We delivered it in eleven weeks on the existing EKS estate.

INDUSTRY

B2B payments platform

DOMAIN

SECURITY

DELIVERED

2025

STACK

EKS·AURORA POSTGRES·NETWORK POLICIES·AWS WAF·VAULT·KMS·CLOUDHSM·AUDIT MANAGER

RESULTS

What changed, by the numbers.

PCI SCOPE

−72%

CARDHOLDER DATA ENVIRONMENT

NEW CLUSTERS

0

SHARED EKS, ISOLATED NAMESPACES

CERTIFICATION

11w

KICKOFF TO QSA SIGN-OFF

CUSTOMERS

1 → 4

NOW SELL TO REGULATED ENTERPRISES

HOW IT WENT

The team had read every blog post about PCI on Kubernetes. They knew about cardholder data environments, segmentation, and the QSA’s preference for separate clusters. They also knew their platform team couldn’t operate two clusters.

We mapped the actual flow: tokenisation at ingress, ephemeral PAN handling, vaulted storage. Less than 30% of the platform ever touched cardholder data. The fix was Kubernetes network policies, dedicated node groups for the CDE, KMS key isolation, and CloudHSM for the token vault — all on the existing cluster.
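The manifests below are an added illustration of the segmentation pattern described above, not the client's actual configuration. The namespace, labels, node-group name, image and CIDR are assumptions; only the Postgres and CloudHSM client ports are standard values. They show a default-deny policy on the CDE namespace, a single narrow allow from the tokenisation gateway, egress pinned to the subnet holding the database and HSM endpoints, and a Deployment that will only schedule onto the tainted CDE node group:

```yaml
# Added example, not the project's own manifests. Names, labels and CIDRs are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: cde
  labels:
    pci-scope: cde
---
# Default deny: no ingress or egress for any pod in the CDE namespace
# unless a more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cde
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Only the tokenisation gateway in the ingress namespace may reach the
# token vault, and only on its TLS port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tokeniser-to-vault
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: token-vault
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress
          podSelector:
            matchLabels:
              app: tokeniser
      ports:
        - protocol: TCP
          port: 8443
---
# Vault egress: cluster DNS, plus Aurora Postgres and CloudHSM in an
# assumed VPC subnet. Out-of-cluster targets are expressed as ipBlock CIDRs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vault-egress
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: token-vault
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24          # assumed subnet for Aurora and CloudHSM ENIs
      ports:
        - protocol: TCP
          port: 5432                    # Aurora Postgres
        - protocol: TCP
          port: 2223                    # CloudHSM client ports 2223-2225
          endPort: 2225
---
# CDE workloads schedule only onto the dedicated, tainted CDE node group.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: token-vault
  namespace: cde
spec:
  replicas: 2
  selector:
    matchLabels:
      app: token-vault
  template:
    metadata:
      labels:
        app: token-vault
    spec:
      nodeSelector:
        eks.amazonaws.com/nodegroup: cde-nodes     # assumed managed node group name
      tolerations:
        - key: pci-scope
          operator: Equal
          value: cde
          effect: NoSchedule
      containers:
        - name: vault
          image: registry.example.internal/token-vault:1.0.0   # placeholder image
          ports:
            - containerPort: 8443
```

Two checks a practitioner should make before relying on this: NetworkPolicy objects are only enforced when the cluster's CNI enforces them (on EKS that means enabling network policy in the VPC CNI add-on or running a policy-enforcing CNI such as Calico or Cilium), and the default-deny egress rule blocks DNS for every pod in the namespace, so each CDE workload needs its own egress allow like the one above. The node-group taint is what keeps out-of-scope tenants off CDE hosts; the nodeSelector alone only steers CDE pods onto them.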

The QSA accepted the design on the second review. Audit Manager ran the evidence collection. The customer onboarded their first regulated enterprise account four weeks after sign-off.

READY WHEN YOU ARE

Let's get your AWS bill (and architecture) in order.

The discovery call is free. You walk away with at least one concrete idea — even if we never work together.
