FinTech Startup: Maintaining security and meeting compliance in a fast-growing, innovative company

One of our clients is a fast-growing FinTech company that provides payroll card solutions for US businesses of all sizes. Their primary product offering is a direct deposit debit card that maximizes direct deposit participation among unbanked employees, eliminating the hassle of cashing paper checks.

Prior to a recent acquisition, the startup was enjoying success as a market leader with a wave of new customer acquisition. Its growth trajectory was also attracting new investors keen to enter the FinTech market. At the same time, the 100-employee company was facing challenges meeting its PCI DSS (Payment Card Industry Data Security Standard) compliance in a rapidly changing regulatory environment. Deep into their growth mode, the company’s leadership was told by investors they could not commit significant funding until new compliances were met.

For FinTech startups, PCI fines can threaten critical cash flow and bottom line profitability. Companies who fail to pass their audits can be fined anywhere from $5k to $100k per month depending on their size. Given their aggressive first-to-market strategy, the pressure was on the team to operationalize solutions and meet compliance immediately.

Originally engaged by a third-party security company to help the company with custom software development, Effectual was introduced by their auditing company to help address its regulatory and security concerns. As an Amazon Web Services (AWS) Advanced Consulting and Well-Architected Partner, Effectual has in-depth experience identifying security vulnerabilities. More importantly, the firm’s core expertise is translating those recommendations into clear, pragmatic steps for operationalizing long-term solutions.

Rapid growth and changing internal roles

As the startup expanded to service its widening customer base, internal roles and operational responsibilities were continually changing. The result was an unclear separation of permissions and duties as well as a lack of capacity or direction for detailed oversight. While former consultants had provided high level recommendations for mitigating security concerns, they had not provided the firm with practical, specific solutions for implementing them, leaving the team uncertain as how to proceed.

Results:

• Reviewed all seven workloads – particularly related to Primary Account Number (PAN) data – to ensure the company had change management in place. This included security encryption, data storage, and permissions access.
• Isolated workloads to keep access separate, creating an Amazon account for each workload.
• Outlined clear separation of duties for auditing changes in their environment, with segmented duties and workloads.
• Documented and aligned policies, processes, and permissions with internal changes and promotions to provide stability of roles and what tools each will use consistently going forward.

Managing multiple 3rd party vendors and outsourced workloads

The growing company had also become 100% reliant on third-party vendors for its workloads. Keeping eight different vendors informed of its regulatory and compliance requirements and ensuring necessary standards were met had become extremely difficult for the inexperienced team to manage. In addition, the client was at the mercy of its vendors’ competing timelines and unpredictable capacities. This was dramatically slowing its ability to respond to crucial deadlines for compliance. Effectual’s Well-Architected Framework Review quickly surfaced these issues as well as the need for remediation.

Results

• Coordinated project management with all third-party vendors to remedy immediate issues affecting compliance.
• Built a secure CDE data environment to store PAN data.
• Reduced the number of outside vendors to be more manageable and complimentary.
• Migrated two PCI-compliant workloads to Amazon using AWS Lambda, Amazon DynamoDB, GuardDuty, and API Gateway.
• Outlined plan for migrating remaining workloads to Amazon in the next seven months.

Meeting compliance as an everyday activity

Working with Effectual, the client succeeded in passing its crucial PCI audit in less than 3 months. More importantly, the company has built a DevOps foundation for its future growth and regulatory compliance with everyday operations that ensure its continued success.

As a result, the startup is now skilled at the following:

• Understanding its separation of duties, including how many people are involved and needed to facilitate a change in its environment
• Documenting and aligning policies, processes, permissions with internal changes and promotions to create greater efficiencies and security
• Strategically utilizing third-party vendors and keeping them informed as to its compliance needs

“At first, we brought Effectual on board to build an onboarding web application. But they’ve been far more than just a software development firm. Their DevOps infrastructure expertise, ability to build products in a PCI compliant manner, and emphasis on data security has been a game changer for us.”

Evan, VP of Operations