
Dev Talks 2020: How Etsy migrated their PCI environment to offset risk

By Andrew Wong, Developer Advocate, Adyen

December 11, 2020
Payments Decoded: DevTalks

On November 12, I was excited to sit down with Etsy’s Imran Hoosain, Staff Software Engineer, and Aman Pratap Singh, Senior Software Engineer, for a discussion on how the global marketplace recently migrated their PCI environment to a serverless, databaseless one.

Imran and Aman shared how the move allowed Etsy to offset the risk of holding onto credit card numbers in favor of vendor tokens, all without losing the flexibility and redundancy of a credit card vault. We also had a great Q&A session at the end, thanks to our audience’s participation.

There were many takeaways in this discussion, but to recap, here are Etsy’s top three learnings from their migration experience. (You can also skip straight to the recording here.)

Learning #1: PCI is a lot of work — don’t do it unless you have to

PCI is made up of many standards that a company must meet to establish compliance, and companies must be audited annually by the PCI Standards Council to ensure they’re compliant. For Etsy, this process used to be a lot more complicated, and audits used to span multiple days when their PCI environment was housed in a physical data center. With their new serverless environment, both managing the environment and passing the audit are a lot less painful. That doesn’t mean either is easy — or that having a PCI environment is for everyone.

“Pandemic not included, we only spent a day talking to the assessor [with the new environment] and explaining the architecture overall and talking through various parts of the PCI spec that we’d have to prove out,” says Imran. “Having gone through the giant change once, next year we said we’d do it on a Zoom call. Sad part is we have to do it every year. Don’t do PCI if you don’t have to [although having one does allow benefits]!”

Learning #2: You have to prove you aren’t responsible in a serverless world

Since the PCI Security Standards are still primarily centered around physical databases (although the Council is working on updating its requirements), proving the division of responsibility when using a serverless environment (Etsy uses Google Cloud Build) takes a fair bit of work. The biggest hurdle Etsy faced was proving what they weren’t responsible for.

“Right now, PCI is on version like 3.1.2, at least it was when we went through our last assessment in February,” says Imran. “Four is supposed to be more cloud supported and remove a lot of the data center terminology. We found the hardest part of convincing our assessor was that you can’t bring the same data server terminology to the cloud. Proving you can’t do something is actually quite hard. We relied on the fact that no human can access the environment or IAM permissioning. Google is compliant, they’re responsible for that level of architecture. We’re responsible for what we can control through the UI they provide us.”

Learning #3: Using tokens has many benefits

Part of Etsy’s approach to shrinking their PCI environment was to adopt tokens. Tokenization replaces sensitive data, such as a credit card number, with a token that maps back to the sensitive data but has no intrinsic value of its own. Tokens let Etsy rely on its payment providers, such as Adyen, to handle credit card encryption on the provider’s side and return a token that Etsy can keep and pass back to the provider whenever it wants to charge the card.

“Using tokens has other benefits, though, like account updater flows from our vendors,” says Aman. “For instance, Adyen will automatically update tokens when expiration dates change or if an account number changes without us having to change our tokens, which is super handy.”

Adds Imran: “One of the benefits of embracing tokens is we no longer use the PCI environment to perform authorizations on transactions. Now, we can bring all that code that does authorizations and passes a token to our main application, so it makes it a lot easier to use our testing frameworks to ensure our payment methods are correct.”
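To make the tokenization pattern Imran and Aman describe concrete, here is an added illustration (not Etsy’s or Adyen’s code): a simulated vendor vault that issues random tokens and applies account-updater changes behind a stable token, and a merchant that persists only the token. The class names, the sample card number and the amounts are all constructed for this demo.

```python
import secrets

# Constructed sample card for the demo: a common test-card pattern, not a real account.
SAMPLE_PAN = "4111111111111111"


class VendorVault:
    """Simulated payment-provider side: the only place the PAN is stored."""
    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "expiry": ...}

    def tokenize(self, pan, expiry):
        # The token is random, so it reveals nothing about the PAN (no intrinsic value).
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def account_update(self, token, new_pan=None, new_expiry=None):
        # Account-updater flow: the underlying card changes, the token does not,
        # so the merchant's stored reference keeps working untouched.
        record = self._cards[token]
        if new_pan:
            record["pan"] = new_pan
        if new_expiry:
            record["expiry"] = new_expiry

    def authorize(self, token, amount_cents):
        record = self._cards.get(token)
        if record is None:
            return {"ok": False, "reason": "unknown token"}
        return {"ok": True, "last4": record["pan"][-4:],
                "expiry": record["expiry"], "amount": amount_cents}


class Merchant:
    """Simulated merchant side: persists tokens only, never a PAN."""
    def __init__(self, vault):
        self.vault = vault
        self.saved = {}  # customer_id -> token

    def save_card(self, customer_id, pan, expiry):
        # The PAN is handed to the vendor immediately and only the token is kept.
        self.saved[customer_id] = self.vault.tokenize(pan, expiry)
        return self.saved[customer_id]

    def charge(self, customer_id, amount_cents):
        return self.vault.authorize(self.saved[customer_id], amount_cents)

    def persists_pan(self, pan):
        # What an assessor would want to see: no stored value contains the card number.
        return any(pan in value for value in self.saved.values())
```

Because authorization now goes through the token, the charge path can live in the main application and be exercised by ordinary test frameworks, which is the point Imran makes above.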

Hear the whole Etsy PCI migration story

Want more detail on why and how Etsy migrated its PCI environment from a physical data center to a serverless one? Go behind the scenes with Imran and Aman in their full presentation below. And thanks to our speakers from Etsy, it was a pleasure diving into this topic with you!

