On November 12, I was excited to sit down with Etsy’s Imran Hoosain, Staff Software Engineer, and Aman Pratap Singh, Senior Software Engineer, for a discussion on how the global marketplace recently migrated their PCI environment to a serverless, databaseless one.
Imran and Aman shared how the move allowed Etsy to offset the risk of holding onto credit card numbers in favor of vendor tokens, all without losing the flexibility and redundancy of a credit card vault. We also had a great Q&A session at the end, thanks to our audience’s participation.
There were many takeaways in this discussion, but to recap, here are Etsy’s top three learnings from their migration experience. (You can also skip straight to the recording here.)
Learning #1: PCI is a lot of work — don’t do it unless you have to
PCI is made up of many standards that a company must meet to establish compliance, and companies must be audited annually by the PCI Standards Council to ensure they’re compliant. For Etsy, this process used to be far more complicated: audits spanned multiple days when its PCI environment was housed in a physical data center. With the new serverless environment, both day-to-day management and passing the audit are a lot less painful. That doesn’t mean either is easy, or that having a PCI environment is for everyone.
“Pandemic not included, we only spent a day talking to the assessor [with the new environment] and explaining the architecture overall and talking through various parts of the PCI spec that we’d have to prove out,” says Imran. “Having gone through the giant change once, next year we said we’d do it on a Zoom call. Sad part is we have to do it every year. Don’t do PCI if you don’t have to [although having one does allow benefits]!”
Learning #2: You have to prove you aren’t responsible in a serverless world
Since the PCI Security Standards are still primarily centered around physical databases (although the Council is working on updating its requirements), proving the division of responsibility in a serverless environment (such as Google Cloud Build, which Etsy uses) takes a fair bit of work. The biggest hurdle Etsy faced was proving what it was not responsible for.
“Right now, PCI is on version like 3.1.2, at least it was when we went through our last assessment in February,” says Imran. “Four is supposed to be more cloud supported and remove a lot of the data center terminology. We found the hardest part of convincing our assessor was that you can’t bring the same data server terminology to the cloud. Proving you can’t do something is actually quite hard. We relied on the fact that no human can access the environment or IAM permissioning. Google is compliant, they’re responsible for that level of architecture. We’re responsible for what we can control through the UI they provide us.”
Learning #3: Using tokens has many benefits
Part of Etsy’s approach to shrinking its PCI environment was to adopt tokens. Tokenization replaces sensitive data, such as a credit card number, with a token that maps to that data but has no intrinsic value of its own. Tokens let Etsy’s payment providers, such as Adyen, handle credit card encryption on their end and return something Etsy can keep and pass back whenever it wants to charge the card.
“Using tokens has other benefits, though, like account updater flows from our vendors,” says Aman. “For instance, Adyen will automatically update tokens when expiration dates change or if an account number changes without us having to change our tokens, which is super handy.”
Adds Imran: “One of the benefits of embracing tokens is we no longer use the PCI environment to perform authorizations on transactions. Now, we can bring all that code that does authorizations and passes a token to our main application, so it makes it a lot easier to use our testing frameworks to ensure our payment methods are correct.”
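The token model described above, as an added illustration that is not Etsy’s or Adyen’s code: a constructed stand-in for a provider vault issues random tokens, the merchant stores only the token and display data, and an account update on the provider side leaves the merchant’s stored token unchanged. All class and method names are assumptions for the example.

```python
import secrets


class ProviderVault:
    """Constructed stand-in for the payment provider's card vault (not a real API)."""

    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "exp": ...}; lives only at the provider

    def tokenize(self, pan, exp):
        # The token is random, not derived from the PAN, so it carries no card data.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": pan, "exp": exp}
        return token

    def charge(self, token, amount_cents):
        # Authorization happens here; the merchant never receives the PAN back.
        card = self._cards[token]
        return {"ok": True, "amount": amount_cents, "last4": card["pan"][-4:], "exp": card["exp"]}

    def account_update(self, token, new_pan=None, new_exp=None):
        # Account updater flow: card details change, token stays the same.
        card = self._cards[token]
        card["pan"] = new_pan or card["pan"]
        card["exp"] = new_exp or card["exp"]


class Merchant:
    """Merchant side: stores a token plus display data, never the PAN."""

    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # customer_id -> {"token": ..., "last4": ...}

    def save_card(self, customer_id, pan, exp):
        token = self.vault.tokenize(pan, exp)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def charge(self, customer_id, amount_cents):
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)

    def stores_pan(self, pan):
        # Check used to show the merchant record contains no full card number.
        return any(pan in str(record) for record in self.customers.values())
```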
Hear the whole Etsy PCI migration story
Want more detail on why and how Etsy migrated its PCI environment from a physical data center to a serverless one? Go behind the scenes with Imran and Aman in their full presentation below. And thanks to our speakers from Etsy, it was a pleasure diving into this topic with you!