Building a PCI compliant customer engagement platform
JUXT has been working with a leading global provider of smarter customer engagement programmes to build a new Clojure-based platform in the AWS cloud, serving the needs of multiple client applications.
Since the applications require the storage of highly sensitive data, including credit card data, the platform has required careful design and has been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
JUXT were instrumental in delivering a solution of great quality with a fast time to market.
Strategic Solutions and Technology
As part of the requirement to provide demonstrable evidence for the PCI audit, JUXT has built a secure internal portal to serve governance documentation and evidence reports. This portal is able to query live data about the production environment and generate up-to-date diagrams of the logical network topology.
The platform makes use of AWS CloudWatch. Every part of the system is able to send events to CloudWatch, including:
Application events via Logback
Linux systemd journal events from the underlying operating system
Other AWS events, such as CloudTrail
Alerts are monitored 24x7 by the JUXT team, with integration into our internal Slack.
All authentication and authorisation of access, whether by humans or by automated services, is configured using AWS IAM (Identity and Access Management) roles, with access to encryption keys additionally governed by AWS KMS (Key Management Service) key policies.
JUXT has long been building cloud platforms using infrastructure-as-code. All configuration is held in version control and used to generate systems, via infrastructure tools such as Terraform and AWS CloudFormation. Every change in configuration to the production environment is visible in the project’s version control history. All deployments to the cloud are fully automated and tested in a staging environment prior to production release.
The combination of infrastructure-as-code and application deployment automation means that services can be deployed on UNIX nodes to which nobody needs interactive access in the production environment. This significantly reduces the attack surface, in addition to the other defences in place, such as file-integrity monitoring and intrusion detection.
Encryption keys and other secrets are protected with AWS KMS. Where a secret is required by the application, JUXT have integrated KMS with their Aero configuration library via a custom tag literal, so that a secret is decrypted only when the application reads its configuration, rather than being stored in plaintext in a config file or repository.
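To show the shape of such an integration, the following is an added example, not JUXT's own code: it defines a hypothetical `#kms` tag literal for Aero that decrypts a base64-encoded KMS ciphertext when the configuration is read. It uses Aero's public `aero.core/reader` multimethod, which dispatches on the tag symbol, and the AWS SDK for Java v2 (`software.amazon.awssdk:kms`) via interop, which is assumed to be on the classpath. The `:kms-decrypt` option, the `example.kms-config` namespace and the ciphertext string in the `comment` block are all invented for illustration.

```clojure
(ns example.kms-config
  "Added example: a custom Aero tag literal that resolves secrets via AWS KMS."
  (:require [aero.core :as aero])
  (:import (java.io StringReader)
           (java.util Base64)
           (software.amazon.awssdk.core SdkBytes)
           (software.amazon.awssdk.services.kms KmsClient)
           (software.amazon.awssdk.services.kms.model DecryptRequest DecryptResponse)))

;; One KMS client for the process. KmsClient/create uses the SDK's default
;; credential chain, so on EC2 or ECS the instance/task IAM role is what
;; authorises the Decrypt call; no long-lived AWS credentials live in config.
(defonce ^:private kms-client (delay (KmsClient/create)))

(defn decrypt-secret
  "Decrypt a base64-encoded KMS ciphertext blob and return the plaintext as a
   UTF-8 string. Ciphertext produced by a symmetric KMS key carries the key id,
   so no KeyId is needed in the request; the caller's IAM role and the key
   policy decide whether the call is allowed."
  [^String ciphertext-b64]
  (let [ciphertext (.decode (Base64/getDecoder) ciphertext-b64)
        request    (-> (DecryptRequest/builder)
                       (.ciphertextBlob (SdkBytes/fromByteArray ciphertext))
                       (.build))
        ^DecryptResponse response (.decrypt ^KmsClient @kms-client request)]
    (.asUtf8String (.plaintext response))))

;; The tag literal. Aero calls (reader opts tag value) for every tagged value,
;; so   :password #kms "<base64 ciphertext>"   in config.edn is replaced by the
;; decrypted plaintext at read time. `opts` is the map passed to read-config;
;; the hypothetical :kms-decrypt key lets tests substitute a fake decryptor so
;; the config can be read offline without an AWS account.
(defmethod aero/reader 'kms
  [opts _tag value]
  (let [decrypt (get opts :kms-decrypt decrypt-secret)]
    (decrypt value)))

(comment
  ;; Constructed config; the tagged string is a placeholder, not a real KMS blob.
  (def config-edn
    "{:db {:user \"app\"
           :password #kms \"QUJDREVGR0g=\"}}")

  ;; Offline: a fake decryptor injected through opts.
  (aero/read-config (StringReader. config-edn)
                    {:kms-decrypt (fn [ct] (str "decrypted:" ct))})

  ;; In production, with an IAM role that has kms:Decrypt on the key:
  (aero/read-config (StringReader. config-edn)))
```

Reading a secret this way keeps the decrypted value only in process memory; what sits in version control is the ciphertext, and an audit trail of every decryption is available from CloudTrail because each `#kms` resolution is a `Decrypt` API call made under the service's IAM role.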
The entire system, including all JUXT code and dependent libraries, is regularly subjected to vulnerability scanning and penetration testing by an outside party.