Continuous Deployment and PCI-DSS at Etsy

At DevOpsDays Mountain View I was lucky enough to get some time with Michael Rembetsy, Director of Engineering and Operations at Etsy, which manages to be PCI-DSS compliant while practicing continuous deployment. In this short interview, he describes how they do it.

Here are some of the key points from the interview:

• Etsy deploy to production 25-50 times a day;
  
• They built a new, segmented PCI-DSS compliant environment for their payment systems – “we built a whole separate Etsy, essentially”;
  
• Segregation of duties doesn’t mean people can’t talk to each other. In fact, collaboration is an essential element of effective risk management. So everybody in the PCI environment still follows devops principles – there’s no physical separation of the teams, and Etsy have hired more people into the various roles (dev, sysadmin, dba, manager, networking) to facilitate collaboration;
  
• In the payments environment they “still have to follow the rules: a developer still doesn’t have access to a production database”, but they’ll have dbas working alongside them who they can ask for help, and graphs showing metrics from the database;
  
• They use a similar deployment process in their PCI environment to their non-PCI environment, but it includes much more logging on who did what when, and they have roles for QA pusher and production pusher;
  
• Developers can run most of the test framework in their PCI development environment, and they have access to production logs via Splunk in read only mode;
  
• They have a ticketing system that all changes have to go through, but they can push out a change from dev to production in less than an hour if necessary with their normal, non-emergency change management process;
  
• Final words of advice: “Make sure that the team is on board and realizes that yes, there’s going to be some constraints, but … if you all work together you’re going to be able to continuously deliver the product that you want even into a secure environment.”