Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Continuous Deployment and PCI-DSS at Etsy

DZone's Guide to

Continuous Deployment and PCI-DSS at Etsy

· DevOps Zone
Free Resource

Planning to extract out a few microservices from your monolith? Read this free guide to learn the best practice before you get started.

At DevOpsDays Mountain View I was lucky enough to get some time with Michael Rembetsy, Director of Engineering and Operations at Etsy, which manages to be PCI-DSS compliant while practicing continuous deployment. In this short interview, he describes how they do it.



Here are some of the key points from the interview:

  • Etsy deploy to production 25-50 times a day;
  • They built a new, segmented PCI-DSS compliant environment for their payment systems – “we built a whole separate Etsy, essentially”;
  • Segregation of duties doesn’t mean people can’t talk to each other. In fact, collaboration is an essential element of effective risk management. So everybody in the PCI environment still follows devops principles – there’s no physical separation of the teams, and Etsy have hired more people into the various roles (dev, sysadmin, dba, manager, networking) to facilitate collaboration;
  • In the payments environment they “still have to follow the rules: a developer still doesn’t have access to a production database”, but they’ll have dbas working alongside them who they can ask for help, and graphs showing metrics from the database;
  • They use a similar deployment process in their PCI environment to their non-PCI environment, but it includes much more logging on who did what when, and they have roles for QA pusher and production pusher;
  • Developers can run most of the test framework in their PCI development environment, and they have access to production logs via Splunk in read only mode;
  • They have a ticketing system that all changes have to go through, but they can push out a change from dev to production in less than an hour if necessary with their normal, non-emergency change management process;
  • Final words of advice: “Make sure that the team is on board and realizes that yes, there’s going to be some constraints, but … if you all work together you’re going to be able to continuously deliver the product that you want even into a secure environment.”

Measure the impact of feature releases, and of your DevOps program more broadly with full stack experimentation. Learn how with this free article from CITO Research, provided by Split Software.

Topics:

Published at DZone with permission of Jez Humble. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}