By Vaibhav Pendhare · June 23, 2026 · 8 min read
TL;DR
- Most fintech startups need SOC 2 (for enterprise sales) but not necessarily PCI-DSS (only if you handle raw card data — Stripe and similar processors handle this for you in most architectures).
- The three infrastructure patterns that separate fintechs that pass audits from fintechs that scramble: immutable deployments, comprehensive audit logging, and network segmentation by data sensitivity.
- Zero-downtime deployments aren’t a nice-to-have — they’re a compliance control. Planned downtime windows are unacceptable when you’re processing payments or holding customer funds.
- Building compliance in from the start adds 15-25% to infrastructure cost. Retrofitting it later costs 3-6 months of engineering time.
The problem: compliance and velocity feel like opposites
Fintech infrastructure lives at the intersection of two forces that feel contradictory: you need to move fast (competitive market, investor expectations, feature velocity) and you need to prove you’re secure (auditors, bank partners, enterprise customers). Most startups treat these as separate tracks — “build features” and “prepare for audit” — and end up with a codebase that works but can’t produce the evidence an auditor needs.
The pattern we see repeatedly: a fintech with 30+ microservices, 2 years of velocity, and a signed LOI from a bank partner that requires SOC 2 Type II before the contract closes. The engineering team has 90 days to produce a year’s worth of compliance evidence from a system that was never instrumented to generate it.
The fix isn’t “slow down and be more careful.” It’s making compliance evidence a side effect of your normal engineering practices.
The framework: five infrastructure decisions for fintech
1. Scope your compliance surface before you build
Not everything in your system is in scope for PCI-DSS. The key question: does your application ever see raw cardholder data?
- If you use Stripe, Adyen, or a similar processor with client-side tokenization: Card data never touches your servers. You’re SAQ-A (the lightest PCI tier). Your compliance focus should be SOC 2, not PCI-DSS.
- If you handle card data server-side (raw PANs, CVVs): You’re in full PCI-DSS scope. This means network segmentation, quarterly ASV scans, annual penetration testing, and a Qualified Security Assessor (QSA) for Level 1 merchants.
Most fintech startups we work with are in the first category — they need SOC 2 for enterprise sales and can keep PCI-DSS scope minimal by using Stripe or Adyen correctly.
2. Immutable, auditable deployments
Every deployment should produce evidence: what changed, who approved it, when it went live, and how to roll it back. This is both a DevOps best practice and a SOC 2 / PCI-DSS control.
The infrastructure pattern:
- GitOps (ArgoCD or Flux) — every change to production is a Git commit with a PR, review, and merge. The audit trail is the Git history.
- Immutable container images — build once, deploy the same image to dev, staging, prod. No “just SSH in and fix it” in production.
- Automated rollback — canary or blue-green deployments with health checks. Failed deployments roll back automatically.
- Signed images (Cosign or Notary) — prove that the image running in production is the same one that passed CI, not something someone pushed manually.
Why this matters for audits: SOC 2 CC8.1 (change management) requires evidence that changes are authorized, tested, and reversible. GitOps gives you all three from the Git log alone.
3. Network segmentation by data sensitivity
Fintech systems handle data at different sensitivity levels — public API responses, user profile data, financial transaction records, and (if applicable) cardholder data. These should live in separate network segments with explicit, documented access rules.
On Kubernetes:
- Namespace per sensitivity tier —
public,internal,financial,pci(if applicable) - Network policies that allow only the specific pod-to-pod communication paths needed. Default deny, explicit allow.
- Separate databases per tier — financial transaction data doesn’t share a database with user preferences
- VPC/subnet segmentation — the database containing financial records is in a private subnet with no internet access, reachable only from specific application pods
Why this matters: When a QSA or SOC 2 auditor asks “what can access the financial data store?” you should be able to point to a network policy YAML file and a VPC security group, not say “well, everything is on the same network but we trust our code.”
4. Comprehensive audit logging — application and infrastructure
Two layers of logging, both required:
Infrastructure logging:
- CloudTrail / Cloud Audit Logs on all accounts
- VPC flow logs on all subnets containing sensitive data
- Kubernetes audit logging for API server events
- All logs shipped to an immutable, long-retention store (S3 with object lock, or a dedicated SIEM)
Application logging:
- Every API call that reads or writes financial data: who, what, when, from where
- Authentication events: login, logout, failed attempts, password changes, MFA enrollment
- Authorization events: permission grants, role changes, access denials
- Structured JSON format (not unstructured text) so logs are searchable and queryable
Retention: SOC 2 doesn’t specify a retention period, but 1 year is the common expectation. PCI-DSS requires 1 year with 3 months immediately available. Keep at least 1 year, ideally 2.
5. Zero-downtime deployments — non-negotiable
If your application processes payments, holds customer funds, or is part of a financial workflow, downtime has regulatory and financial consequences beyond user experience. “We’ll do a maintenance window at 2 AM Sunday” is acceptable for a blog; it’s not acceptable for a payment processor.
The infrastructure pattern:
- Blue-green or canary deployments — new versions roll out alongside the old, with traffic shifted gradually
- Health checks with financial validation — not just “the pod is alive” but “the payment processing endpoint returns a valid response”
- Database migrations that don’t lock tables — online DDL, backward-compatible schema changes, expand-then-contract pattern
- Feature flags — decouple deployment from activation. Ship code to production behind a flag, activate when ready, roll back by flipping the flag
Real-world example
A payments processing startup came to us with 18 microservices on EKS, deployed via GitHub Actions with kubectl apply. They’d been operating for 14 months and were 60 days from a SOC 2 Type II audit window opening. The problems: no GitOps (no deployment audit trail), database credentials hardcoded in Kubernetes secrets created by hand, no network policies (every pod could reach every other pod and every database), and application logs that didn’t include user identity or data access context.
Six weeks of work: ArgoCD for GitOps (instant deployment audit trail from Git history), AWS Secrets Manager with External Secrets Operator (rotated credentials, no hardcoded values), network policies with default-deny per namespace, structured application logging with user context piped to CloudWatch and retained in S3. We also separated the payment-processing services into a dedicated namespace with its own database, network policies, and monitoring.
The SOC 2 Type II auditor reviewed the system 3 months later. Zero findings. The engineering team’s deployment speed actually increased because ArgoCD made deployments faster and more reliable than the previous kubectl apply approach.
Trade-offs and what we’d avoid
- Don’t pursue PCI-DSS Level 1 compliance if you don’t need it. If Stripe handles your card data, stay at SAQ-A and focus your compliance energy on SOC 2. PCI Level 1 is expensive ($50K+ for the QSA alone) and unnecessary if you’ve scoped your card data handling correctly.
- Don’t use “we’re a startup” as an excuse to skip compliance controls. Bank partners and enterprise customers don’t grade on a curve. They need evidence, regardless of your company size.
- Don’t build a separate “compliance environment.” If your production system can’t pass an audit, building a second system that can is fraud, not compliance. The system the auditor reviews must be the system your customers use.
- Don’t wait for the audit to instrument logging. SOC 2 Type II requires evidence over a review period (typically 6-12 months). If you add logging 30 days before the audit, you have 30 days of evidence. You need at least 6 months.
What to do next
- If you’re pre-audit and not sure what you need — the free Infrastructure Assessment includes a compliance gap check for SOC 2, PCI-DSS, or both.
- If you need SOC 2 readiness — the SOC 2 Readiness Playbook ($3,500, ~5 weeks) covers gap analysis, evidence collection, and remediation roadmap.
- If you need a full compliance + DevOps engagement — see Compliance Audit and DevOps Consulting or book a 30-minute call.
Related reading: SOC 2 readiness: the engineering checklist covers the specific SOC 2 controls mapped to engineering tasks.
Tags