PCI DSS compliance
How a payment provider became PCI DSS Level 1-certified in six months
About Payrexx
40,000 satisfied customers
Payrexx was founded in 2015 in Thun, Switzerland, and is a payment institution specialized in the development of digital payment methods. As a registered payment facilitator of Mastercard and Visa, the Swiss company operates a payment platform developed in-house. Over 40,000 customers across Europe complete their payment transactions through the cloud-based platform. These companies include regional powerhouses such as BKW, Swiss Youth Hostels and Swissmilk, as well as major corporations like SBB, Swiss Post and Swisscom.
The platform combines over 40 payment providers and more than 200 payment methods and currencies from all over the world in a single platform. These include popular payment methods like Mastercard and Visa as well as TWINT, PostFinance, PayPal and Samsung Pay.
In an interview with Ueli Kramer (Chief Information Officer Payrexx), we will discuss why Payrexx chose AWS and exactly what the cloud solution looks like.
What persuaded you to use a cloud environment, and which challenges did you hope to overcome?
In terms of IT, Payrexx mainly has software developers, and we did not have any in-depth system and network experience within the company. Therefore, we were looking for a partner for a long-term collaboration to handle the PCI DSS compliance requirements for processing credit card data. In the meantime, Skaylink itself has obtained PCI DSS Level 1 certification and can therefore already provide its services to us in compliance with PCI DSS.

How was Skaylink able to solve your problem, and what advantages did this have for you and your customers?
In a joint PCI DSS audit in July 2019, we achieved PCI DSS Level 1 Service Provider status. This has allowed us to expand the value creation chain, our online payment functions and our business relationships, and to always focus on our core business – online payment and web programming.
We are very happy with the current solution and the collaboration with Skaylink, and we can highly recommend Skaylink as a partner.
What does the AWS infrastructure you use look like in detail?
The infrastructure consists of two separate production environments: the platform and the CDE (cardholder data environment). The following components were used:
Platform
- Basic environment (DMZ, VPC, Firewall, Bastion)
- RDS Aurora MySQL
- EC2 – web server (autoscaling, redundant)
- EC2 – cron single instance
- EFS – shared folder
- ElastiCache – Redis (single)
- AWS NAT-GW
- Load Balancer, including ACM certificates
- WAF – AWS Web Application Firewall
- Route 53 – DNS zone hosting
- CloudTrail, including alarm notification
- Access via OpenSSH with personal keys
CDE
- Basic environment (DMZ, VPC, Firewall, Bastion)
- EC2 – web server (autoscaling, redundant)
- AWS NAT-GW
- Load Balancer, including ACM certificates
- WAF – AWS Web Application Firewall
- Route 53 – DNS zone hosting
- CloudTrail, including alarm notification
- MFA-enabled OpenVPN access
Additional solutions used:
- Skaylink Code Deploy
- auditd (Linux audit framework)
- Anti-Virus Solution
- AWS GuardDuty
- AWS Secrets Manager
- IAM user and policies
- EC2 – OpenVAS single instance (part of the Skaylink PCI DSS solution)
- EC2 – Wazuh single instance (part of the Skaylink PCI DSS solution)

Why did you choose Skaylink and AWS?
To the best of our knowledge, Amazon Web Services is the market leader. In addition, most of the AWS services already have PCI DSS compliance.
When we consulted Amazon, they recommended Skaylink as an AWS partner for our undertaking. Skaylink management was very open and ready to help us overcome these challenges together. After migrating to the cloud, we were able to fine-tune the entire environment and processes to PCI DSS as part of a project.
What improvements have you noticed so far? And what impact has this had on your key figures?
Without Skaylink’s help, we would have had to acquire the knowledge ourselves and would not have been able to focus on the core business in the meantime. Thanks to Skaylink’s expertise, we can confidently hand off infrastructure issues. Additionally, Skaylink’s 24/7 SLA allows us to fix disruptions quickly. Since Skaylink can now offer PCI DSS-compliant services itself, Payrexx’s PCI DSS scope is significantly reduced. This partnership was a win-win for everyone. Payrexx can stay focused on operations and the further development of the platform, and Skaylink has already been able to do some preliminary work and gain experience through the joint audit in 2019, which has helped us to comply with PCI DSS.
Thank you, Mr. Kramer, for this extraordinary insight. We wish you continued success and look forward to working with you in the future!
Would you also like to migrate to the cloud? Schedule your personal consultation with our cloud experts.
Facts & figures
6 months
to PCI DSS certification
40,000
Satisfied Payrexx customers
24/7
Managed Services with SLA