Career OS

Compliance & Security — Non-Negotiable in Fintech

Why Compliance Isn’t Optional

In fintech, security isn’t a “nice to have.” It’s regulated by law. Build an insecure payment system and your company faces:

  • Fines (up to millions of dollars)
  • Loss of ability to process payments
  • Criminal liability
  • Customer trust destroyed permanently

As an engineer, you need to know what rules exist and how they affect your code.

PCI-DSS — The Big One

PCI-DSS (Payment Card Industry Data Security Standard) — 12 requirements for anyone who stores, processes, or transmits card data.

In one picture — PCI scope is every system the raw card number touches. The whole game is shrinking that box. Let a gateway take the card and your own backend falls outside scope:

flowchart LR
    subgraph IN["In PCI-DSS scope"]
        GW["Payment gateway<br/>Razorpay or Stripe"]
        NET["Card network<br/>and issuer"]
    end
    subgraph OUT["Out of scope"]
        B["Your backend<br/>sees only a token"]
        DB["Your database<br/>stores last 4 plus token"]
    end
    C["Cardholder<br/>enters card"] -->|raw card number| GW
    GW -->|authorize| NET
    GW -->|token only| B
    B --> DB

Anything inside the In scope box must meet all 12 requirements and get audited. Anything that only ever sees a token is out of scope — which is why “never let card data touch your servers” is the first design rule in fintech.

The 12 Requirements (Simplified)

#RequirementWhat It Means for Engineers
1Install and maintain a firewallNetwork segmentation. Card data zone isolated.
2Don’t use vendor default passwordsChange defaults. Harden servers.
3Protect stored cardholder dataEncrypt at rest. Mask PANs (show only last 4).
4Encrypt transmission of card dataTLS everywhere. No HTTP for card data.
5Use and update antivirusKeep systems patched.
6Develop secure systemsSecure coding practices. Code reviews. OWASP.
7Restrict access on need-to-knowRole-based access. Least privilege.
8Assign unique ID to each userNo shared accounts. Audit trails.
9Restrict physical accessServer room access control.
10Track and monitor all accessLogging. Audit trails. Alert on anomalies.
11Regularly test securityPenetration testing. Vulnerability scans.
12Maintain an information security policyDocumentation. Training.

PCI-DSS Levels

LevelCriteriaAudit Requirement
Level 16M+ transactions/yearOn-site audit by QSA
Level 21M-6M transactions/yearSelf-assessment + quarterly scans
Level 320K-1M e-commerce transactionsSelf-assessment
Level 4Under 20K e-commerceSelf-assessment

What This Means for Your Code

// NEVER do this
logger.info("Card number: " + cardNumber); // PCI violation
logger.info("CVV: " + cvv); // PCI violation — CVV must NEVER be stored

// DO this
logger.info("Card ending in: " + cardNumber.substring(cardNumber.length() - 4));
// Or better: don't handle card numbers at all — use tokenization

Best practice: Use a payment gateway (Razorpay, Stripe) that handles PCI compliance for you. Your backend never sees the full card number.

RBI Guidelines (India-Specific)

RegulationWhatImpact on Engineers
Card-on-file tokenizationMerchants can’t store card numbersMust use network tokens (Visa/MC token service)
Two-factor authenticationOnline payments need 2FA (OTP/biometric)Integrate 3D Secure for online card payments
Data localizationPayment data must be stored in IndiaCan’t use AWS us-east-1 for Indian payment data
Recurring payment rulesE-mandate required for auto-debit > Rs. 15,000Implement e-mandate flow for subscriptions
UPI autopay limitsAuto-debit limit Rs. 1 lakh (raised from 15K)Validate limits in your code

Security Patterns Every Fintech Engineer Must Know

1. Encryption at Rest and in Transit

At rest:  Data in database → AES-256 encryption
In transit: Data between services → TLS 1.2+
Key management: AWS KMS or HashiCorp Vault (never hardcode keys)

2. Audit Trail — Everything Is Logged

Every financial operation must have an immutable audit trail:

@Entity
@Table(name = "audit_logs")
public class AuditLog {
    @Id
    private Long id;
    private String action;          // "PAYMENT_CREATED", "REFUND_INITIATED"
    private String entityType;      // "Payment", "User"
    private Long entityId;
    private String performedBy;     // User ID
    private String details;         // JSON of what changed
    private Instant timestamp;
    // No UPDATE or DELETE operations allowed on this table
}

Rule: Audit logs are append-only. Nobody can edit or delete them.

3. Secrets Management

WRONG: application.properties
  jwt.secret=mysupersecretkey123

WRONG: Environment variable in Dockerfile
  ENV JWT_SECRET=mysupersecretkey123

RIGHT: External secrets manager
  - AWS Secrets Manager
  - HashiCorp Vault
  - Even just environment variables set at deployment time (not in code)

4. Input Validation — Trust Nothing

// ALWAYS validate at the boundary
public ResponseEntity<?> createPayment(@Valid @RequestBody PaymentRequest request) {
    // @Valid triggers Bean Validation
    // But also validate business rules:
    if (request.amount().compareTo(BigDecimal.ZERO) <= 0) {
        throw new InvalidAmountException();
    }
    if (request.amount().scale() > 2) {
        throw new InvalidPrecisionException(); // No sub-paise amounts
    }
}

5. Rate Limiting on Sensitive Endpoints

EndpointRate LimitWhy
/auth/login5/minute per IPBrute force prevention
/payments10/second per userPrevent duplicate charges
/auth/forgot-password3/hour per emailEmail bombing prevention

OWASP Top 10 — Know These

#VulnerabilityFintech ImpactPrevention
1Broken Access ControlUser A sees User B’s transactionsTest authorization on every endpoint
2Cryptographic FailuresCard data exposedTLS + AES-256 + proper key management
3Injection (SQL/NoSQL)Attacker dumps your databaseParameterized queries (JPA does this)
4Insecure DesignWeak business logicThreat modeling before building
5Security MisconfigurationDebug mode in productionSecurity hardening checklist

Interview Questions

  1. “What is PCI-DSS and how does it affect your code?”
  2. “How would you store sensitive financial data?”
  3. “What’s the difference between encryption at rest and in transit?”
  4. “Why can’t you store CVV numbers?” (PCI explicitly prohibits it, even encrypted)
  5. “How do you prevent SQL injection in a Spring Boot application?”
  6. “What’s an audit trail and why does fintech need it?”

Module done? Add it to today’s tracker

Saves your progress on this device.