Building an In-House PCI-DSS Environment for a Madrid-Based FinTech Company

The client had outsourced PCI-DSS compliance to an external provider, paying substantial recurring fees for a restrictive, vendor-controlled environment. The provider’s SDK limited what the client could build for their merchants, and any custom integration required weeks of coordination. As the client’s transaction volume grew, so did the fees — without a corresponding improvement in functionality or control. The leadership team wanted to own their compliance environment to reduce costs, eliminate vendor dependency, and build custom payment flows for their merchant base.

We designed and deployed a fully PCI-DSS compliant environment in the client’s own AWS accounts. All infrastructure was provisioned with Terraform for repeatability and auditability. We built pre-configured application APIs for payment processing, implemented encrypted data storage with strict access controls, and configured AWS Security Hub for continuous compliance monitoring. We guided the client through the PCI Self-Assessment Questionnaire and Attestation of Compliance documentation, selected a Qualified Security Assessor, and managed the entire audit process. The environment was designed for ongoing maintainability — all compliance-relevant configurations are codified and version-controlled.

The client eliminated recurring provider fees, achieving significant annual cost savings. They gained full control over their payment infrastructure and can now build custom merchant integrations without third-party limitations. The in-house environment has passed six consecutive annual PCI-DSS audits with zero critical findings. Our partnership has continued since 2018, covering ongoing maintenance, annual audit preparation, and environment evolution as the client scales.