Case study
Fintech — PCI audit pass in 90 days
Audit outcome
Pass, 0 criticals
Time to re-audit
90 days
Findings closed
37 / 37
In their words
"Ninety days, thirty-seven findings, zero criticals carried forward. Our regulator asked to see the evidence twice — we sent them the same packet."
Head of Engineering · Series B fintech (anonymized)
A Series B fintech failed its first PCI-DSS audit on scope creep and segmentation. With a regulator-driven deadline, the team had one quarter to close 37 findings across network segmentation, key management, and logging controls. Helptype stood up a joint engineering + compliance pod, rebuilt the cardholder-data environment with explicit segmentation, migrated key management to a hardware-backed HSM, and closed the logging gaps. Re-audit passed in 90 days with zero criticals carried forward.
01 · Architecture
Architecture — before & after
Before: flat VPC, shared IAM, CloudWatch + per-service logging with 30-day retention, no cardholder-data segmentation boundary.
After: dedicated CDE account with explicit peering, HSM-backed key management, centralized Splunk SIEM with 13-month retention, and a test for each control running in the monitoring plane.
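The segmentation boundary above only counts as a control if something continuously checks that traffic does not cross it. The following is an added illustration, not Helptype's or the client's code, of what such a per-control test over segment-level VPC Flow Logs can look like: it parses records in the default version-2 field order, ignores flows the security groups already rejected, and reports accepted flows that cross the CDE boundary from anywhere other than the designated peering subnet. The CIDRs, the account id, the interface id and the log lines are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan (constructed for this example): the CDE account owns
# 10.20.0.0/16 and only the peering/jump subnet 10.10.5.0/24 may reach it.
CDE_CIDR = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = [ipaddress.ip_network("10.10.5.0/24")]


@dataclass
class FlowRecord:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    action: str  # "ACCEPT" or "REJECT"


def parse_flow_log(line: str) -> Optional[FlowRecord]:
    """Parse one VPC Flow Log record in the default (version 2) field order:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status.
    NODATA / SKIPDATA rows carry '-' in the address fields and are skipped."""
    fields = line.split()
    if len(fields) < 14 or fields[3] == "-" or fields[4] == "-":
        return None
    return FlowRecord(
        src=ipaddress.ip_address(fields[3]),
        dst=ipaddress.ip_address(fields[4]),
        dst_port=int(fields[6]),
        action=fields[12],
    )


def is_allowed_peer(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in ALLOWED_PEERS)


def segmentation_violations(lines: List[str]) -> List[FlowRecord]:
    """Return ACCEPTed flows that cross the CDE boundary where the non-CDE
    side is not in the allowed peering subnet. Both directions count:
    unauthorized ingress into the CDE and unexpected egress out of it.
    REJECTed flows are evidence the security groups did their job, so they
    are deliberately not reported as violations."""
    violations = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec.action != "ACCEPT":
            continue
        src_in_cde = rec.src in CDE_CIDR
        dst_in_cde = rec.dst in CDE_CIDR
        if src_in_cde != dst_in_cde:  # flow crosses the segmentation boundary
            outside = rec.dst if src_in_cde else rec.src
            if not is_allowed_peer(outside):
                violations.append(rec)
    return violations


# Constructed sample records: one allowed peering flow, one unauthorized
# database connection into the CDE, one rejected SSH attempt, one intra-CDE
# flow and one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.5.14 10.20.1.7 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.30.2.9 10.20.1.7 44120 5432 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.30.2.9 10.20.1.8 44121 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.20.1.7 10.20.1.9 39000 6379 6 5 500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_LOG):
        print(f"CDE boundary crossed: {v.src} -> {v.dst}:{v.dst_port} ({v.action})")
```

Run against the sample, only the second record is reported: the flow from 10.30.2.9 into the CDE on port 5432. The rejected SSH attempt from the same host is not a finding; it shows the control working, and in an evidence packet the counts of rejected and accepted crossings are what an auditor wants to see side by side.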
02 · Stack
Stack
- AWS (eu-west-1)
- HashiCorp Vault (HSM-backed)
- AWS CloudHSM
- Splunk (SIEM)
- Segment-level VPC Flow Logs
- Wiz + AWS Config
Start a similar project
Scoping call is 30 minutes with the engineer lead. We respond within one business day.