PCI DSS Compliance in the Cloud: A Practical Guide for Philippine FinTech

Diwa “Wawi” del Mundo
Founder & CEO · Apper Cloud Labs
If you're running a payment platform in the Philippines, you've heard of PCI DSS. Payment Card Industry Data Security Standard. It's the security framework that every organization handling credit card data must comply with.
The name sounds like something you outsource to a compliance team, but it's fundamentally an infrastructure problem. PCI DSS compliance is determined by how you design your cloud environment, how you configure your networks, how you manage access, and how you monitor your systems. These are engineering decisions — not paperwork decisions.
Here's what I've learned from helping Philippine FinTech companies build PCI DSS-ready cloud architectures.
- 99.99% uptime we maintain for compliance-critical systems
- 12 PCI DSS requirement categories
- 100% of clients passing their audit on first attempt
Start with scope — because scope is everything
The single biggest mistake I see FinTech companies make is over-scoping their PCI DSS environment. They put everything under PCI compliance because it's easier than proving what can be excluded.
This dramatically increases your compliance cost, your architectural complexity, and your audit preparation time. PCI DSS applies only to systems that touch cardholder data — or that could affect the security of those systems. Everything else is out of scope.
Getting the scope right requires understanding your data flow: where cardholder data enters your system, where it's stored, where it's processed, and where it's transmitted. Map that flow precisely, and then isolate only the systems in that chain.
The architecture of a PCI DSS-ready cloud environment
Network segmentation
Your PCI DSS environment must be isolated from everything else. In the cloud, this means dedicated VPCs (AWS) or VPC networks with strict firewall rules (GCP) that contain all cardholder data processing systems. Non-payment systems — your CRM, your internal tools, your analytics — should be in separate network segments with no direct connectivity.
Encryption everywhere
Cardholder data must be encrypted at rest and in transit. This isn't optional. In the cloud, this means:
- TLS 1.2+ for all data in transit between services and from user browsers
- AES-256 encryption for cardholder data stored in databases and object storage
- Key management using the cloud provider's native KMS service, with regular key rotation
- Never storing CVV2 codes — PCI DSS explicitly prohibits this
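Scoping and the CVV2 prohibition both come down to knowing what actually lands in a given store. The scanner below is an added example, not code from the article or from Apper Cloud Labs: it checks text destined for a supposedly out-of-scope system (application logs, a debug bucket) for PANs, confirmed with the Luhn check so that random 16-digit ids are not flagged, and for CVV2-style fields by name. The field-name list and the sample log lines are assumed and constructed.

```python
# Check records bound for an 'out of scope' store for cardholder data.
# Added example, not from the article. PANs are confirmed with the Luhn
# check; CVV2 is matched by field name only, since a bare 3-4 digit number
# proves nothing. The field-name list and sample lines are assumed/constructed.
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|security_code)\b\s*[=:]\s*\d{3,4}", re.I)

def luhn_valid(digits):
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(digits):
    """First six and last four digits only, the masking PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_cardholder_data(text):
    """Masked PANs and CVV field names found in text; both empty means clean."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            pans.append(mask_pan(digits))
    return {"pans": pans,
            "cvv_fields": [m.group(1).lower() for m in CVV_FIELD_RE.finditer(text)]}

def scan_logs(lines):
    """(line_index, findings) for every line that carries cardholder data."""
    hits = []
    for i, line in enumerate(lines):
        found = find_cardholder_data(line)
        if found["pans"] or found["cvv_fields"]:
            hits.append((i, found))
    return hits

# Constructed log lines; 4111 1111 1111 1111 is Visa's published test number,
# and the 16-digit trace_id shows why the Luhn check matters.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z order=88213 amount=1500.00 status=captured",
    "2024-05-01T10:00:02Z DEBUG card=4111 1111 1111 1111 cvv2=123 exp=12/27",
    "2024-05-01T10:00:03Z trace_id=1234567890123456 user=svc-billing",
]
```

A single hit on the debug line means that log store is handling cardholder data and belongs inside the scope boundary until the leak is fixed.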
Access control and authentication
PCI DSS requires strict access controls. Only personnel with a business need should have access to the cardholder data environment. Every access should be logged. Every user should have a unique ID — no shared accounts. Multi-factor authentication is required for all administrative access.
In the cloud, this maps directly to IAM policies, MFA enforcement, and access logging. AWS IAM, GCP IAM, and CloudTrail/Stackdriver Audit Logs give you everything you need to meet these requirements.
PCI DSS isn't a checklist you complete and file away. It's a continuous security posture that your cloud architecture must maintain every single day.
The monitoring requirement most companies neglect
PCI DSS Requirement 10 is about logging and monitoring. Every access to cardholder data, every configuration change, every system event must be logged. And those logs must be reviewed regularly.
This is where I see the biggest gaps in Philippine FinTech companies. They set up logging but don't actively monitor it. Having 90 days of logs is useless if nobody is looking at them for anomalies. You need real-time alerting for suspicious patterns — unauthorized access attempts, unusual data transfers, configuration changes outside normal operations.
Cloud-native monitoring tools (CloudWatch, GCP Operations Suite) combined with proper alerting rules will cover this requirement. The key is making sure the alerts go to people who can actually respond, not into a dashboard that nobody checks.
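As an added example (not code from the article or from Apper Cloud Labs), here is the kind of review logic that turns stored audit logs into the alerts the access-control and Requirement 10 sections call for: a burst of denied requests from one principal, configuration changes outside an agreed change window, use of the account root instead of a unique user, and console logins without MFA. The event fields loosely follow AWS CloudTrail names; the change window, the set of "configuration change" API calls and every sample event are assumptions constructed for the example.

```python
# Review audit-log events for the Requirement 10 patterns named above.
# Added example, not from the article; field names loosely follow AWS
# CloudTrail, and every record below is constructed, not real account data.
from collections import Counter
from datetime import datetime

CHANGE_WINDOW_UTC = (2, 5)  # assumed: changes expected 02:00-05:00 UTC only
CONFIG_CHANGE_EVENTS = {  # assumed set of calls treated as CDE config changes
    "AuthorizeSecurityGroupIngress", "PutBucketPolicy", "ModifyDBInstance", "DisableKey"}
DENIED_THRESHOLD = 3  # alert once a principal accumulates this many denials

def principal(ev):
    """Who acted: the IAM ARN, or 'root' when the account root was used."""
    ident = ev.get("userIdentity", {})
    return "root" if ident.get("type") == "Root" else ident.get("arn", "unknown")

def review_events(events):
    """Return alerts for denied-access bursts, out-of-window configuration
    changes, root account usage and console logins without MFA."""
    alerts, denials = [], Counter()
    for ev in events:
        who = principal(ev)
        hour = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")).hour
        if ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denials[who] += 1
            if denials[who] == DENIED_THRESHOLD:
                alerts.append({"rule": "access_denied_burst", "who": who})
        if ev["eventName"] in CONFIG_CHANGE_EVENTS and not (
                CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]):
            alerts.append({"rule": "config_change_outside_window", "who": who})
        if who == "root" and ev["eventName"] != "ConsoleLogin":
            alerts.append({"rule": "root_account_used", "event": ev["eventName"]})
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({"rule": "console_login_without_mfa", "who": who})
    return alerts

ANA = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ana"}
SAMPLE_EVENTS = [  # constructed sample events
    {"eventTime": "2024-05-01T14:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": ANA, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T14:10:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": ANA},
    {"eventTime": "2024-05-01T03:00:00Z", "eventName": "ModifyDBInstance",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-05-01T14:20:00Z", "eventName": "DisableKey",
     "userIdentity": {"type": "Root"}},
] + [{"eventTime": f"2024-05-01T15:00:0{i}Z", "eventName": "GetObject",
      "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser",
      "arn": "arn:aws:iam::111122223333:user/svc-report"}} for i in range(3)]
```

The in-window ModifyDBInstance by the deploy user produces nothing, which is the point: alerts should reach a responder only for the exceptions, not for every logged event.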
The role of your cloud provider
AWS and GCP are PCI DSS compliant. This is important but often misunderstood. Their compliance means their infrastructure meets PCI DSS requirements. It doesn't mean your use of that infrastructure is automatically compliant.
The shared responsibility model applies here just as it does for security in general. The cloud provider secures the cloud — you secure what you put in the cloud. Your architecture decisions, your configuration choices, and your access controls determine your compliance posture.
Preparing for the audit
The audit itself is conducted by a Qualified Security Assessor (QSA). They'll review your environment, test your controls, and interview your team. Being prepared means having:
- A current network diagram: showing all systems that touch cardholder data, including data flow between components. This is the first thing the QSA will ask for.
- Evidence of continuous monitoring: log reviews, vulnerability scans, access reviews. Not just configured — executed and documented.
- Incident response documentation: a written plan for responding to security incidents, plus evidence that your team has tested it.
- A clear scope boundary: well-documented justification for why specific systems are in or out of the PCI DSS environment.
Our experience
If you're building a payment platform in the Philippines and need help designing a cloud architecture that meets PCI DSS requirements, let's talk. We'll review your current setup or help you design the right architecture from scratch.

Diwa “Wawi” del Mundo
Founder & CEO, Apper Cloud Labs
Wawi holds all 14 AWS certifications alongside CISSP and CCSP — one of the most credentialed cloud architects in the Philippines. He founded Apper Cloud Labs in 2019 to make enterprise-grade cloud and AI expertise accessible to Philippine SMBs.