Achieving PCI-DSS Level 1 Compliance — In-House

Technical Product Manager & Delivery Manager · Minority Partner

Egyptian fintech · SaaS payments for SMEs · ~5,000 → 15,000+ merchants, ~1B EGP

Summary

A bank partner required PCI-DSS Level 1 — the top, most demanding tier of payment-security compliance — before they would work with us. It’s the certification most companies our size outsource to consultants. I led it end-to-end in-house, we passed in three months on target, and it became the foundation for direct card processing, new bank partnerships, and a cost-saving smart-routing capability.

The challenge

To keep growing, Easykash needed to become a certified payment gateway in its own right — processing cards directly instead of leaning on intermediaries. The gate was a bank partner who wouldn’t proceed without PCI-DSS Level 1, the top tier of the standard.

The starting position was telling: the card-processing environment was already mostly secure, but the processes the standard demands — formalized, documented, repeatable — mostly lived in people’s heads. This was never a security-engineering problem. It was organizational change wearing a security costume — and we’d do it without the consultants most firms lean on.

The approach

Translator between the standard and the business. With no consultants, someone had to turn dense, ambiguous requirements into a concrete plan. I met directly with the certifiers, worked out what each requirement actually demanded, researched what it meant for our business, and translated it into specific actions for the team. That interpretation — accurate, without a safety net — was the hardest part of the project.

Compliance as a first-class roadmap item, not a tax. Too big for the margins, it got dedicated resourcing: one architect on the technical gaps, one technical writer on documentation, me directing strategy and sequencing. Feature work never stopped — this ran in parallel.

Focus on the three real gaps. Security policies already existed; the genuine lifts were change management (formalizing an informal process), logging & monitoring (extending coverage), and incident response (making an undocumented practice repeatable) — with employee training layered on so it stuck.

Selling the “why” internally. Management was already bought in; the team wasn’t — compliance reads as overhead to people shipping features. The turning point came when the work visibly paid off in their own day-to-day.

The insight

Compliance is supposed to be a cost you absorb. The opposite happened: treated as a genuine product investment, it made the whole engineering org faster. Once the logging and monitoring module was built to satisfy the standard, bug investigations became dramatically easier — work done for an auditor became infrastructure that paid off every day. Compliance as a forcing function for engineering maturity, not a drag on it, is the lesson I kept.

The results

  • PCI-DSS Level 1, in ~3 months, on target — entirely in-house.
  • Direct card processing unlocked, handled securely in-house.
  • An expanded partner pool — credibility to strike deals with more banks and providers.
  • Smart routing — with multiple bank relationships, we routed each card to the cheapest provider, saving money we reinvested into growth.

What I’d take with me

  • The hardest product work is often translation, not building — turning an ambiguous external standard into an executable plan is a portable skill.
  • Big non-feature initiatives need first-class status and a focused team, not scraps of spare capacity.
  • Constraints can be generative — the same work that satisfied the auditor sped up the team and opened a cost-saving feature.