PCI Compliance Dashboard
This project focused on closing gaps in the company’s Payment Card Industry (PCI) compliance before a scheduled audit for a telephony-based product where customers can configure sending entered digits to a third-party payment processor. I led the architectural design and rollout of security enhancements across voice and contact-center systems—implementing robust encryption, stronger access controls, and network segmentation. By isolating voice traffic behind proxy servers and deploying dedicated management systems in a segmented PCI environment, the team remediated all critical findings ahead of schedule. The resulting audit produced zero major findings and ensured that sensitive client data is handled securely.

Key contributions

  • Designed the Active Directory structure for the project.
  • Architected outgoing HTTPS traffic flow to be limited and compliant with PCI requirements.
  • Led the implementation of network segmentation and proxy servers to isolate sensitive traffic.
  • Developed and enforced access control policies, including 2FA and restricted access to the PCI environment.
  • Coordinated with application teams to ensure full-path encryption (TLS, SRTP, Secure-SIP) for all relevant communications.
  • Established procedures for secure OS and application updates within the restricted environment.
  • Collaborated with the Security Team and external auditors to validate all remediation measures and achieve PCI-DSS compliance.

Highlights

  • All requirements were aligned with Protecting Telephone-Based Payment Card Data v3.0 by the PCI Security Standards Council.
  • Ensured every possible call path between caller and payment processor was fully compliant, eliminating any non-compliant routes.
  • Built an isolated environment with strict access controls, including enforced 2FA and least-privilege principles.
  • Developed a secure and auditable process for OS and application updates, accommodating PCI restrictions and minimizing downtime.
  • Achieved zero major findings in the PCI-DSS audit, demonstrating the effectiveness of the remediation approach.

Implementation

  1. Conducted a comprehensive design and architecture phase, mapping all data flows and identifying compliance gaps.
  2. Built a pre-production environment that mirrored production, enabling thorough validation of TLS, SRTP, and Secure-SIP across all applications and integrations.
  3. Deployed a fully isolated production environment with enforced 2FA, implemented the validated design, and integrated with common infrastructure while maintaining PCI boundaries.
  4. Established continuous monitoring and alerting for compliance-related events and access attempts.
  5. Coordinated with the Security Team and auditors to review, test, and approve all remediation steps, ensuring readiness for the PCI-DSS audit.