Risk · February 4, 2026 · 8 min read

Compliance as a feature: shipping PCI DSS Level 1 without slowing the team

PCI DSS Level 1, SOC 2, and regional licensing don't have to be a tax on velocity. Here's how we wired the controls into the platform itself instead of bolting them on top.

[Hero card: compliance status board showing PCI DSS L1, SOC 2 Type II and Sanctions as cleared, Travel rule as pending]

Safari Engineering, Risk & Compliance

The standard story about compliance in a payments company is that it's a quarterly fire drill: the auditors arrive, the engineering team freezes, the risk team translates evidence requests into Jira tickets, and three months later everyone goes back to shipping.

We didn't want that, so we built it differently.

The principle

Treat every compliance control as a piece of product. Each one needs an owner, a metric, an SLA, and a regression test — exactly like a payment flow. If it can't be expressed that way, it isn't really a control; it's a hope.

What that looks like in practice

1. Scope is software-defined

The cardholder data environment used to be a network diagram a human maintained. Now it's expressed as policy in code: which services may touch PAN, which may touch only tokens, which must run in dedicated subnets. The diagram is generated from the policy, not the other way around.

When an engineer tries to deploy a service that violates the boundary, CI fails. That's the entire conversation.
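One way to express the cardholder-data boundary as policy in code, as an added example that is not Safari's code. It assumes each service ships a manifest declaring the data classes it touches (raw PAN, vault tokens, or neither) and the subnet it deploys to, and that the scope policy lists the approved PAN services, the approved token services and the subnet dedicated to PAN. A CI step calls check_deployment() and fails the pipeline on any violation; the same policy feeds render_scope(), which generates the network diagram instead of a human maintaining one. All service, subnet and policy names are constructed.

```python
"""Software-defined CDE scope check (hypothetical example, not Safari's code)."""
import sys
from dataclasses import dataclass

PAN = "pan"      # raw primary account number
TOKEN = "token"  # vault token standing in for a PAN


@dataclass(frozen=True)
class ScopePolicy:
    pan_services: frozenset    # the only services allowed to touch raw PAN
    pan_subnet: str            # dedicated subnet every PAN service must run in
    token_services: frozenset  # services that may handle tokens but never PAN


@dataclass(frozen=True)
class ServiceManifest:
    name: str
    handles: frozenset  # data classes the service declares it touches
    subnet: str


def check_service(policy: ScopePolicy, m: ServiceManifest) -> list:
    """Return the boundary violations for one manifest (empty list = clean)."""
    violations = []
    if PAN in m.handles:
        if m.name not in policy.pan_services:
            violations.append(f"{m.name}: handles PAN but is not an approved PAN service")
        if m.subnet != policy.pan_subnet:
            violations.append(
                f"{m.name}: handles PAN but runs in {m.subnet!r}, not {policy.pan_subnet!r}")
    else:
        allowed_tokens = policy.token_services | policy.pan_services
        if TOKEN in m.handles and m.name not in allowed_tokens:
            violations.append(f"{m.name}: handles tokens but is not an approved token service")
        # The PAN subnet is dedicated: nothing out of scope may be placed in it.
        if m.subnet == policy.pan_subnet:
            violations.append(f"{m.name}: does not handle PAN but sits in the PAN subnet")
    return violations


def check_deployment(policy: ScopePolicy, manifests) -> tuple:
    """CI entry point: (ok, violations) for the whole deployment."""
    violations = [v for m in manifests for v in check_service(policy, m)]
    return (not violations, violations)


def render_scope(policy: ScopePolicy) -> str:
    """Generate the CDE diagram (Graphviz DOT) from the policy, not by hand."""
    lines = ["digraph cde {",
             f'  subgraph cluster_cde {{ label="{policy.pan_subnet}";']
    lines += [f'    "{s}";' for s in sorted(policy.pan_services)]
    lines.append("  }")
    lines += [f'  "{s}" [style=dashed];' for s in sorted(policy.token_services)]
    lines.append("}")
    return "\n".join(lines)


# Constructed policy and manifests (not real service names).
POLICY = ScopePolicy(pan_services=frozenset({"card-vault"}),
                     pan_subnet="cde-10",
                     token_services=frozenset({"checkout", "payouts"}))
GOOD = (ServiceManifest("card-vault", frozenset({PAN}), "cde-10"),
        ServiceManifest("checkout", frozenset({TOKEN}), "app-20"),
        ServiceManifest("reporting", frozenset(), "app-20"))
# A new reporting service that reads raw PAN from a general-purpose subnet.
BAD = GOOD + (ServiceManifest("reporting-v2", frozenset({PAN}), "app-20"),)

if __name__ == "__main__":
    ok, problems = check_deployment(POLICY, BAD)
    print("\n".join(problems) or "scope clean")
    sys.exit(0 if ok else 1)
```

Run as a CI step, the non-zero exit is the failed build. The deliberate choice is that the check reads only declared manifests; pairing it with a runtime control that verifies what a service actually reaches is what keeps the declaration honest.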

2. Evidence is continuous

Logging, key rotation, vulnerability scans, access reviews — every PCI requirement has a machine-readable evidence stream feeding into a single warehouse. Auditors get read-only access to the live data, not a snapshot prepared for them.

This single change cut the time from "audit kicks off" to "audit signs off" by more than half. More importantly, it made the rest of the year boring: if a control drifts, we know the same day, not the next audit.
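A minimal version of the continuous-evidence idea, as an added example that is not Safari's code. It assumes each control's evidence stream lands in one warehouse as rows of (stream, subject, observed time), that each control is declared with the stream it reads, the subjects it must cover and the maximum acceptable evidence age, and that access grants arrive on their own stream carrying an expiry (a re-justification lands as a fresh row). evaluate() runs on a schedule against the live rows, so drift shows up the same day rather than at the next audit. The control ids and all rows are constructed placeholders, not PCI DSS requirement numbers.

```python
"""Continuous evidence with same-day drift detection (hypothetical example, not Safari's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    stream: str                          # "key_rotation", "vuln_scan", "access_grant", ...
    subject: str                         # key id, host, principal, ...
    observed: datetime                   # when the evidence was produced
    expires: Optional[datetime] = None   # access grants only: when the grant times out


@dataclass(frozen=True)
class Control:
    id: str              # placeholder id, not a PCI DSS requirement number
    stream: str
    max_age: timedelta   # newest evidence per subject may be no older than this
    subjects: frozenset  # subjects the control must cover


def evaluate(controls, evidence, now: datetime) -> list:
    """Return (control_id, subject, reason) for every control that has drifted."""
    # Newest row per (stream, subject): a fresh rotation, scan or re-justified
    # grant supersedes the older rows for that subject.
    latest = {}
    for e in evidence:
        key = (e.stream, e.subject)
        if key not in latest or e.observed > latest[key].observed:
            latest[key] = e

    findings = []
    for c in controls:
        for subject in sorted(c.subjects):
            e = latest.get((c.stream, subject))
            if e is None:
                findings.append((c.id, subject, "no evidence"))
            elif now - e.observed > c.max_age:
                findings.append((c.id, subject, "stale evidence"))

    # Access grants: every grant must carry an expiry and must not have run
    # past it without a newer (re-justified) row replacing it.
    for e in latest.values():
        if e.stream != "access_grant":
            continue
        if e.expires is None:
            findings.append(("ACCESS-EXPIRY", e.subject, "grant has no expiry"))
        elif e.expires < now:
            findings.append(("ACCESS-EXPIRY", e.subject, "grant expired and not re-justified"))
    return findings


def by_control(findings) -> dict:
    """Count findings per control id, the shape a dashboard or pager wants."""
    counts = {}
    for control_id, _, _ in findings:
        counts[control_id] = counts.get(control_id, 0) + 1
    return counts


CONTROLS = (
    Control("KEY-ROTATION-90D", "key_rotation", timedelta(days=90), frozenset({"k-prod-1", "k-prod-2"})),
    Control("VULN-SCAN-7D", "vuln_scan", timedelta(days=7), frozenset({"edge-a", "edge-b"})),
)

NOW = datetime(2026, 2, 4, tzinfo=timezone.utc)
# Constructed warehouse rows.
EVIDENCE = (
    Evidence("key_rotation", "k-prod-1", NOW - timedelta(days=30)),
    Evidence("key_rotation", "k-prod-2", NOW - timedelta(days=120)),   # overdue
    Evidence("vuln_scan", "edge-a", NOW - timedelta(days=2)),          # edge-b: never scanned
    Evidence("access_grant", "alice", NOW - timedelta(days=5), expires=NOW + timedelta(days=10)),
    Evidence("access_grant", "bob", NOW - timedelta(days=40), expires=NOW - timedelta(days=1)),
    Evidence("access_grant", "svc-legacy", NOW - timedelta(days=400)),  # no expiry at all
)

if __name__ == "__main__":
    for control_id, subject, reason in evaluate(CONTROLS, EVIDENCE, NOW):
        print(f"{control_id:18} {subject:12} {reason}")
```

Because the auditor reads the same rows evaluate() reads, there is no separate "evidence pack" to assemble; the finding list is also what pages the owning team.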

3. Risk verdicts move with the payment

The compliance posture isn't a separate system the payment waves at on the way past. Every authorisation, payout, and on-chain settlement carries a verdict object — sanctions cleared, travel rule data attached, license applicable to this corridor. The routing layer won't pick a rail that the policy engine hasn't already cleared.

The product impact: the risk team stops being a queue and starts being an API.
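What "the router won't pick a rail the policy engine hasn't cleared" can look like in code, as an added example that is not Safari's code. It assumes the policy engine has already attached a Verdict to the payment (sanctions result, whether travel rule data is attached, the corridors a licence module approved, the rails it cleared) and that choose_rail() selects only among rails the verdict names, refusing outright rather than falling back. Rail names, corridors and costs are constructed.

```python
"""Verdict-gated routing (hypothetical example, not Safari's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    sanctions_cleared: bool
    travel_rule_attached: bool     # originator/beneficiary data travels with the payment
    licensed_corridors: frozenset  # e.g. {"GB->KE"}: corridors a licence module approved
    cleared_rails: frozenset       # rail names the policy engine approved for this payment


@dataclass(frozen=True)
class Rail:
    name: str
    corridors: frozenset
    cost_bps: int
    needs_travel_rule: bool  # e.g. an on-chain settlement between VASPs


class RoutingRefused(Exception):
    """Raised instead of falling back to an uncleared rail."""


def choose_rail(corridor: str, verdict: Verdict, rails) -> Rail:
    """Cheapest rail that serves the corridor AND the verdict has cleared."""
    if not verdict.sanctions_cleared:
        raise RoutingRefused("sanctions screening not cleared")
    if corridor not in verdict.licensed_corridors:
        raise RoutingRefused(f"no licence module has approved corridor {corridor}")
    candidates = [
        r for r in rails
        if corridor in r.corridors
        and r.name in verdict.cleared_rails
        and (verdict.travel_rule_attached or not r.needs_travel_rule)
    ]
    if not candidates:
        raise RoutingRefused(f"no cleared rail serves {corridor}")
    return min(candidates, key=lambda r: r.cost_bps)


def route(corridor: str, verdict: Verdict, rails):
    """Rail name for the payment, or None when routing is refused."""
    try:
        return choose_rail(corridor, verdict, rails).name
    except RoutingRefused:
        return None


# Constructed rails and verdicts.
RAILS = (
    Rail("bank-wire", frozenset({"GB->KE", "GB->NG"}), cost_bps=40, needs_travel_rule=False),
    Rail("onchain-stablecoin", frozenset({"GB->KE", "US->KE"}), cost_bps=5, needs_travel_rule=True),
)
ALL_RAILS = frozenset({"bank-wire", "onchain-stablecoin"})

FULLY_CLEARED = Verdict(True, True, frozenset({"GB->KE"}), ALL_RAILS)
NO_TRAVEL_RULE = Verdict(True, False, frozenset({"GB->KE"}), ALL_RAILS)
SANCTIONS_HIT = Verdict(False, True, frozenset({"GB->KE"}), ALL_RAILS)

if __name__ == "__main__":
    cases = (("fully cleared", FULLY_CLEARED),
             ("no travel rule", NO_TRAVEL_RULE),
             ("sanctions hit", SANCTIONS_HIT))
    for label, v in cases:
        print(f"{label:15} GB->KE -> {route('GB->KE', v, RAILS)}")
```

The cheapest rail only wins when the verdict permits it: without travel rule data the on-chain rail drops out and the wire is chosen; with a sanctions hit or an unlicensed corridor nothing is chosen at all, which is the behaviour the text describes.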

What didn't work

A few things we tried and walked back:

  • Per-team compliance liaisons. Sounded right, ended up creating a game of telephone. Replaced with embedded ownership: the team that owns the service owns the controls on it.
  • Quarterly access reviews by spreadsheet. Replaced with permission expiry by default — every grant times out unless re-justified. The spreadsheet review went away because there was nothing left to review.
  • A separate "compliance roadmap". Now compliance work shows up in the same backlog as everything else, with the same prioritisation. Nothing important got dropped; a lot of theatre did.

Where this lands

We re-certified PCI DSS Level 1 in 2025 and renewed in 2026 without a freeze, without an all-hands rallying cry, and without anyone losing a weekend to evidence collection. Cross-border licensing follows the same playbook: every market we operate in has a policy module, and the router won't surface a path the module hasn't approved.

Compliance stopped being a tax on velocity. That was the whole point.