Secure Payment Gateway Backend Development

Ali Toman

Secure Payment Gateway Backend (PCI-DSS 3.4 + UAE SRR 4.2)

I designed and built a compliant payment backend with encryption, tokenization, MFA authentication, secure deployment on AWS, and a full audit pipeline. This backend meets PCI-DSS 3.4 and UAE Central Bank SRR 4.2 requirements and passed automated Snyk + OWASP ZAP scans with zero critical findings.

1. Problem

Financial systems that handle cardholder data must meet strict security and compliance standards. The challenge was to create a backend that:
Processes PANs securely
Never stores sensitive data in raw form
Enforces TLS, MFA, RBAC, and hardened endpoints
Generates audit-ready logs
Deploys safely in AWS with automated scanning and rollback
The client needed an end-to-end secure backend that could pass compliance review.

2. Approach

Secure Data Layer

AES-256-CBC with a fresh IV for every encryption (no IV reuse)
Tokenization system with no raw PAN storage
Masked logs + SHA-256 hashed traces
Secrets stored in vault / AWS Secrets Manager
TLS 1.2+ enforced at NGINX, with HSTS

Authentication & Access Control

TOTP-based MFA
Short-lived JWTs
RBAC (admin, auditor, service roles)
Network IP allowlists for sensitive endpoints

Compliance Implementation

Each control was mapped against:
PCI-DSS 3.4 (encryption, tokenization, data masking, authentication)
UAE SRR 4.2 (TLS, logging, audit continuity, secure transmission)
The control-to-requirement mapping is recorded in the compliance files.

Deployment Architecture

AWS me-central-1 region:
ECS (Dockerized Node.js)
RDS (encrypted PostgreSQL)
S3 (encrypted + access logs)
CloudWatch centralized audit logs
Blue/green deployments

Security Scanning & DevSecOps

CI/CD runs:
Snyk container + dependency scanning
OWASP ZAP DAST scanning
Dependabot vulnerability checks
Cron-based patching workflow
Auto rollback on failed deploy
Passed with 0 critical findings.

3. Result

Data Security — Raw PAN never persisted; full encryption + masking
Compliance — Aligned with PCI-DSS 3.4 + UAE SRR 4.2
Authentication — MFA + role-based access + JWT idle timeout
Transmission Security — Full TLS v1.2+ enforcement
Logs — Hash-backed, timestamped, masked audit logs
Scanning — 0 critical vulnerabilities (Snyk & ZAP)
Reliability — Blue/green deployments + automated rollback

Posted Nov 9, 2025

Designed a secure, compliant payment backend for financial systems.