Meeting PCI DSS Requirements on AWS with Ease of Use
Enfuce is a business-to-business (B2B) card processing and payments company with 150 employees at the time of publication. It operates one entity in the United Kingdom and another in Finland, the latter of which maintains the company's licensing service. Enfuce also acts as a Bank Identification Number (BIN) sponsor, saving businesses the time and effort required to get their own BIN identifying code if they are interested in issuing credit cards.
We sat down with Teppo Vanhala, Lead Cloud Engineer and Site Reliability Engineering Team Lead at Enfuce, and Kalpesh Bharadwa, Head of IT and Information Security at Enfuce. Kalpesh joined in August 2024 and has a background in leading IT teams. He steers the company's pursuit of ISO 27001 certification and leads work on infrastructure challenges such as vulnerability management. He also oversees Teppo, a former senior cybersecurity manager who leads eight cloud engineers with varying levels of IT and cybersecurity expertise.
Kalpesh and Teppo told us how they use CIS Hardened Images® to fulfill Enfuce’s cloud security and compliance goals on Amazon Web Services (AWS).
Let's examine how this happened.
The Challenge: Fulfilling PCI DSS Requirements, Minimizing Security Gaps with a Small Team
As a payment processing organization, Enfuce must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The company needs to verify its compliance with PCI DSS requirements to support its customers. Similarly, it needs to harden its AWS environment and eliminate security gaps when launching products into production.
The Software Reliability Engineering team's primary function is to distribute and manage images, with Kalpesh steering the use of these images internally. But the Software Reliability Engineering team is relatively small. It has limited resources for purchasing vulnerability management tools or investing in monitoring and remediation capabilities. As such, the team lacks the capacity to build its own images and harden them on its own.
The Solution: CIS Hardened Images as Base Images
Enfuce has been using CIS Hardened Images from the beginning. It spun up its first CIS Hardened Image when it built its payment platform in the late 2010s. At that time, the company consisted of fewer than 10 employees.
To securely configure its infrastructure, which is all located in the cloud, Enfuce now uses five CIS Hardened Images for Microsoft Windows and Red Hat operating systems on AWS. These CIS Hardened Images function as the company's base images. Each week, the Software Reliability Engineering team adds its own settings and packages before sharing the modified images with development teams. The development teams then test the images in pre-production environments. If no issues arise, the development teams deploy the images into production.
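The weekly flow above starts by pulling the latest published base image, and the step that deserves care is choosing it by publisher rather than by name alone. The following Python is an added example, not Enfuce's or CIS's own tooling: it takes the `Images` array that `aws ec2 describe-images` prints, keeps only records whose owner alias is the AWS Marketplace alias, whose product code matches the trusted listing, whose name matches an assumed pattern and which are in the `available` state, then picks the newest by `CreationDate` and produces an audit map explaining every rejection. The `aws-marketplace` owner alias is a real AWS value; the product code, name pattern, AMI ids and dates are constructed placeholders, and the real product code would be taken from the Marketplace listing.

```python
"""Pick the newest trusted CIS Hardened Image from `aws ec2 describe-images` output.

Added example, not Enfuce's or CIS's tooling. Assumptions: the input is the
"Images" array as the AWS CLI prints it; the trusted publisher is recognised by
the Marketplace owner alias plus an assumed, placeholder product code; the name
pattern, AMI ids and dates below are constructed sample data.
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

TRUSTED_OWNER_ALIAS = "aws-marketplace"              # real alias AWS assigns to Marketplace AMIs
TRUSTED_PRODUCT_CODE = "PLACEHOLDER_PRODUCT_CODE"    # assumption: copy the real code from the listing
NAME_PATTERN = re.compile(r"^CIS .* Benchmark .* Level 1")  # assumed naming scheme, placeholder

# Constructed sample: two publisher images, one lookalike from another account
# (newest date, no Marketplace alias) and one publisher image still pending.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-placeholder0001", "Name": "CIS Example OS Benchmark v1.0 Level 1",
     "ImageOwnerAlias": "aws-marketplace", "OwnerId": "000000000000",
     "ProductCodes": [{"ProductCodeId": "PLACEHOLDER_PRODUCT_CODE", "ProductCodeType": "marketplace"}],
     "CreationDate": "2024-03-01T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-placeholder0002", "Name": "CIS Example OS Benchmark v1.1 Level 1",
     "ImageOwnerAlias": "aws-marketplace", "OwnerId": "000000000000",
     "ProductCodes": [{"ProductCodeId": "PLACEHOLDER_PRODUCT_CODE", "ProductCodeType": "marketplace"}],
     "CreationDate": "2024-05-01T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-placeholder0003", "Name": "CIS Example OS Benchmark v1.2 Level 1",
     "OwnerId": "111111111111", "ProductCodes": [],
     "CreationDate": "2024-06-01T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-placeholder0004", "Name": "CIS Example OS Benchmark v1.3 Level 1",
     "ImageOwnerAlias": "aws-marketplace", "OwnerId": "000000000000",
     "ProductCodes": [{"ProductCodeId": "PLACEHOLDER_PRODUCT_CODE", "ProductCodeType": "marketplace"}],
     "CreationDate": "2024-07-01T10:00:00.000Z", "State": "pending"},
]})


def parse_images(describe_output: str) -> List[Dict]:
    """Parse the CLI/SDK JSON document into the list of image records."""
    return json.loads(describe_output)["Images"]


def rejection_reason(image: Dict, name_pattern: "re.Pattern" = NAME_PATTERN) -> Optional[str]:
    """Return why an image must not be used as the base, or None if it qualifies.

    Owner and product code are checked before the name: a name is free text any
    account can reuse, the Marketplace alias and listing code are not."""
    if image.get("ImageOwnerAlias") != TRUSTED_OWNER_ALIAS:
        return "owner is not the Marketplace publisher alias"
    codes = {pc.get("ProductCodeId") for pc in image.get("ProductCodes", [])}
    if TRUSTED_PRODUCT_CODE not in codes:
        return "product code does not match the trusted listing"
    if not name_pattern.match(image.get("Name", "")):
        return "name does not match the expected benchmark image"
    if image.get("State") != "available":
        return "image is not in the available state"
    return None


def creation_time(image: Dict) -> datetime:
    """CreationDate is ISO 8601 with a trailing Z; make it parseable as UTC."""
    return datetime.fromisoformat(image["CreationDate"].replace("Z", "+00:00"))


def select_base_image(images: List[Dict], name_pattern: "re.Pattern" = NAME_PATTERN) -> Optional[Dict]:
    """Newest qualifying image, or None when nothing passes the checks."""
    candidates = [img for img in images if rejection_reason(img, name_pattern) is None]
    if not candidates:
        return None
    return max(candidates, key=creation_time)


def audit_report(images: List[Dict], name_pattern: "re.Pattern" = NAME_PATTERN) -> Dict[str, str]:
    """Map every image id to 'selected', 'older candidate' or its rejection reason,
    so the weekly build log records why each image was or was not used."""
    chosen = select_base_image(images, name_pattern)
    report: Dict[str, str] = {}
    for img in images:
        reason = rejection_reason(img, name_pattern)
        if reason is not None:
            report[img["ImageId"]] = reason
        elif chosen is not None and img["ImageId"] == chosen["ImageId"]:
            report[img["ImageId"]] = "selected"
        else:
            report[img["ImageId"]] = "older candidate"
    return report


if __name__ == "__main__":
    images = parse_images(SAMPLE_DESCRIBE_IMAGES)
    base = select_base_image(images)
    print("base image:", base["ImageId"] if base else None)
    for image_id, status in audit_report(images).items():
        print(f"  {image_id}: {status}")
```

In a pipeline the JSON would come from `aws ec2 describe-images --owners aws-marketplace` piped into this script; the selected `ImageId` is what the weekly build then layers its own settings and packages onto, and the audit map is what gets written to the build log so a later review can see that the lookalike and the not-yet-available images were skipped.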
Customers often reach out to the company asking how it remains compliant with PCI DSS. Kalpesh responds by telling them the company uses CIS Hardened Images to bake foundational security and compliance into the payment platform. Reflecting the ongoing partnership between the Center for Internet Security® (CIS®) and the PCI Security Standards Council (SSC), PCI DSS mentions CIS Benchmarks as a way for organizations to harden their systems in Requirement 2.2, "System components are configured and managed securely." CIS Hardened Images automate this conformance to CIS Benchmarks, helping Enfuce save time and money hardening its cloud-based systems while maintaining PCI DSS compliance.
The Impact: Ease of Use and Time
Teppo says that one of the reasons Enfuce has been using CIS Hardened Images for so long is their ease of use.
"CIS Hardened Images come from a trusted source, and the images we use are already available in the AWS marketplace," he explained. "As a result, we don't need to spend time researching how to adapt our use of these images to our AWS environment. We can just pull down the latest image with the secure configurations of the CIS Benchmarks™ built in. This simplifies our AWS security efforts."
Speaking of time, Teppo remembers when he used to build images from scratch in a previous position. He remembers needing to configure and update various settings on those images as well as test them to ensure the settings were in place. These tasks took dozens of hours each month for just one image.
Teppo estimates his team saves at least that much time today by using five CIS Hardened Images. His team also saves on salary costs, as he doesn't need to hire someone with the competence to manually harden and update images on AWS. CIS takes care of the maintenance, as he points out.
"CIS Hardened Images receive regular patching from CIS," he said. "These updates complement our focus on security at Enfuce. When we spin up one of these images, we recognize we're configuring our AWS-based systems to the guidance of the latest CIS Benchmarks and, in the process, limiting the company's attack surface as the cloud threat landscape continues to evolve. We've never had an issue with CIS Hardened Images, which makes it easy to trust them."
Want to learn more about how you can secure your presence on AWS using CIS Hardened Images? Check out our video below.
Now It’s Your Turn!
Through the use of CIS Hardened Images, Enfuce saves its team dozens of hours each month on secure configuration management along with the salary of one full-time employee dedicated to hardening images for the purpose of maintaining PCI DSS compliance and upholding AWS cloud security.
Interested in learning how CIS Hardened Images can benefit your organization?