PCI-DSS Level 1 Infrastructure for Non-Security Engineers

Technical guide to PCI-DSS Level 1. Understanding tokenization vaults, PAN storage restrictions, and network segmentation to reduce scope.

For fintech engineers, PCI-DSS (Payment Card Industry Data Security Standard) is the set of rules governing credit card data. The golden rule of PCI infrastructure is Scope Reduction. The goal is not to secure the entire infrastructure to Level 1 standards, but to isolate the sensitive data (the PAN, or Primary Account Number) into a tiny, fortified "Vault" so the rest of the app can operate with lower overhead.

The Tokenization Vault Architecture

Inbound: When a user enters a card, the frontend sends the PAN directly to the Vault (or a third-party PSP like Stripe Elements). The main backend never sees the PAN.

Storage: The Vault hashes and encrypts the PAN, storing it in a restricted database. It returns a non-sensitive "Token" (e.g., tok_123) to the main application.

Usage: When charging the card, the main app sends the Token to the payment gateway. The Gateway detokenizes it to process the transaction. This keeps the main application database out of PCI scope.

Network Segmentation (VLANs)

To achieve compliance, the "Cardholder Data Environment" (CDE) must be network-segmented.

Firewall Rules: The CDE should be on a separate private subnet. Ingress is strictly limited (e.g., only HTTPS from the Load Balancer). Egress is whitelisted to specific Payment Gateway IPs.

Jump Hosts: Engineers cannot SSH directly into the CDE. They must pass through a bastion host with MFA and audit logging.

Frequently Asked Questions

Can I store the CVV (CVC) code?

Never. You can store the PAN (encrypted), but storing the CVV after authorization is strictly forbidden, even if encrypted. It must be ephemeral.

What is "Scope Creep"?

Scope creep happens when a non-compliant system (e.g., a logging server) accidentally captures card data (e.g., via a verbose error log), which brings the entire logging infrastructure into strict PCI scope.
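The scope-creep case above can be caught before it becomes a compliance problem. The following is an added example, not code from the original guide: a log scanner that finds Luhn-valid PANs in constructed sample log lines, masks them down to the last four digits, blanks CVV fields, and ignores look-alike numbers such as order ids. The field names ("pan", "cvv") and the sample lines are assumptions; the card numbers are public test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV/CVC values in JSON-style request bodies; these must never reach a log at all.
CVV_FIELD = re.compile(r'("(?:cvv|cvc)"\s*:\s*")\d{3,4}(")', re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order ids and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match) -> str:
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (separators stripped) found in one log line."""
    return [_digits(m) for m in PAN_CANDIDATE.finditer(line) if luhn_valid(_digits(m))]


def redact_line(line: str) -> str:
    """Mask every Luhn-valid PAN down to its last four digits and blank CVV fields."""
    def mask(m) -> str:
        d = _digits(m)
        return "*" * (len(d) - 4) + d[-4:] if luhn_valid(d) else m.group(0)
    return CVV_FIELD.sub(r"\1***\2", PAN_CANDIDATE.sub(mask, line))


def scan_log(lines: list) -> list:
    """Return (1-based line number, PANs) for each line that leaks card data."""
    return [(i, hits) for i, hits in ((i, find_pans(l)) for i, l in enumerate(lines, 1)) if hits]


# Constructed sample lines; the card numbers are public test numbers, not real cards.
SAMPLE_LOG = [
    "2024-01-15T10:22:31Z ERROR payment failed for card 4111 1111 1111 1111 exp 12/26",
    "2024-01-15T10:22:32Z INFO order_id=1234567890123456 status=retry",
    '2024-01-15T10:22:33Z DEBUG request body: {"pan":"378282246310005","cvv":"123"}',
]
if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n}: {len(pans)} PAN(s) -> {redact_line(SAMPLE_LOG[n - 1])}")
```

Running the scanner over a log pipeline's output (or as a pre-commit check on fixtures) gives an early signal that a non-CDE system has started receiving cardholder data.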
