PCI DSS + SOC 2 + ISO 27001 for a Gaming SaaS Company
A SaaS development company building payment and platform infrastructure for the online gambling and gaming industry needed PCI DSS validation, a SOC 2 Type II report, and ISO 27001 certification to satisfy payment partners, enterprise clients, and gambling regulators. We delivered all three in a single coordinated engagement using Vanta as the compliance automation backbone.
The Challenge
The company provided a white-label SaaS platform for online casinos and sportsbooks, including payment processing, player account management, KYC/AML workflows, and real-time game integration APIs. Their clients operated across multiple EU jurisdictions and required their technology vendors to hold PCI DSS (for card payment handling), SOC 2 (for operational security and data protection), and ISO 27001 (as a baseline information security management standard required by gambling regulators).
Running three separate compliance programs would have been prohibitively expensive and time-consuming for a 60-person company. They needed a unified approach that would minimize duplication, reduce the burden on engineering, and leverage automation wherever possible. The board had set a 9-month deadline to achieve all three certifications.
Adding complexity: the platform handled both real-money transactions and sensitive player data across jurisdictions with different privacy regulations, and the engineering team shipped multiple releases daily with zero tolerance for compliance processes slowing down delivery.
Our Approach
We designed a unified compliance program that treated PCI DSS, SOC 2, and ISO 27001 as overlapping control sets rather than separate initiatives, with Vanta as the central compliance automation platform:
- 1. Control Mapping & Gap Analysis (Weeks 1-3) — Mapped PCI DSS v4.0 requirements, SOC 2 Trust Services Criteria, and ISO 27001:2022 Annex A controls to identify overlapping requirements. Found 55-65% overlap across the three frameworks in areas like access control, logging, vulnerability management, incident response, and risk management. This meant each shared control could be implemented once and its evidence reused for all three frameworks.
- 2. Vanta Deployment & Integration (Weeks 2-5) — Deployed Vanta as the compliance automation backbone. Connected AWS, GitHub, Jira, Okta, and Slack integrations for continuous monitoring. Configured automated evidence collection for 80%+ of SOC 2 controls, mapped PCI DSS requirements to Vanta's test framework, and set up ISO 27001 ISMS tracking. This eliminated the manual evidence gathering that typically consumes 30-40% of compliance effort.
- 3. Unified Policy Framework (Weeks 4-8) — Wrote a single policy set that satisfied PCI DSS, SOC 2, and ISO 27001 requirements simultaneously. 26 policies, 18 procedures, and a formal risk assessment methodology (satisfying ISO 27001 clause 6.1). All linked to specific controls across all three frameworks. Policies were designed for the engineering culture: concise, actionable, and integrated into existing tools.
- 4. Technical Implementation (Weeks 5-20) — Implemented controls that served all three frameworks simultaneously: centralized logging with 12-month retention and the most recent three months immediately available for analysis, as PCI DSS req 10 specifies (PCI DSS req 10 + SOC 2 CC7), vulnerability management with SLA-based patching (PCI DSS req 6 + SOC 2 CC7), network segmentation of the CDE (PCI DSS req 1 + SOC 2 CC6), and privileged access management with just-in-time access (PCI DSS req 7 + SOC 2 CC6). Each control was also mapped to its ISO 27001:2022 Annex A counterpart so the same evidence fed the ISMS.
- 5. Triple Audit Coordination (Weeks 20-28) — Coordinated all three audit timelines to run in parallel where possible. Used Vanta's evidence export to prepare artifacts for the QSA (PCI DSS), CPA firm (SOC 2), and certification body (ISO 27001 Stage 1 & 2). Served as the primary technical liaison for all three audit teams, minimizing disruption to engineering.
Why Vanta
We selected Vanta as the compliance automation platform for this engagement based on several factors:
- Multi-framework support — Vanta natively supports PCI DSS, SOC 2, and ISO 27001, allowing unified control monitoring from a single dashboard
- Automated evidence collection — Direct integrations with AWS, GitHub, Okta, and other tools eliminated 80%+ of manual evidence gathering
- Continuous monitoring — Real-time alerts when controls drift out of compliance, rather than discovering gaps during annual audits
- Auditor collaboration — Built-in workflows for sharing evidence with auditors, reducing back-and-forth and audit duration
The automation saved an estimated 400+ hours of manual compliance work over the engagement, allowing the security team to focus on actual security improvements rather than spreadsheet management.
Key Challenges Solved
The biggest challenge was CDE scoping in a SaaS environment. Unlike a traditional processor, the company's payment handling was embedded within a larger multi-tenant platform. We worked with the QSA to define a CDE scope that was defensible but didn't pull the entire SaaS platform into PCI DSS requirements, using a combination of network segmentation, tokenization, and dedicated payment microservices. That scope reduction only holds while the segmentation is proven effective, so the segmentation controls are penetration-tested on the schedule PCI DSS v4.0 sets for service providers (every six months) and the scope is re-confirmed whenever a new service touches card data.
Developer velocity was non-negotiable. The team deployed 5-10 times daily and any compliance gate that added friction would be bypassed. We integrated security checks directly into the CI/CD pipeline: automated dependency scanning, infrastructure-as-code checks in CI (with Vanta's GitHub integration collecting evidence that branch protection and mandatory review were enforced), and pre-commit hooks for secrets detection. Because a local pre-commit hook can be skipped with `git commit --no-verify`, the same secrets scan also runs server-side in CI as the enforcing control; the hook exists to give developers fast feedback. The compliance layer became invisible to developers while maintaining continuous evidence.
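The pre-commit secrets check described above, as an added illustration (this is example code written for this page, not the company's hook or anything shipped by Vanta). It scans only the lines a commit adds, taken from `git diff --cached -U0`, so pre-existing findings elsewhere in the repository do not block unrelated commits; a Shannon-entropy threshold suppresses placeholder values such as `changeme_changeme`. The rule set and the sample diff are constructed for the example; the AWS key in it is the placeholder key from AWS's own documentation, and the same `scan_diff` function can be run in CI against `git diff origin/main...HEAD` as the server-side enforcing check:

```python
"""Pre-commit secrets check: scan only the lines a commit adds.

Added example, not from the case study. A minimal stand-in for tools such as
gitleaks or detect-secrets; the rules below are illustrative, not a complete set.
"""
import math
import re
import subprocess
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Constructed rules for demonstration: (rule name, regex, minimum entropy of the
# matched value). Entropy 0.0 means the pattern alone is conclusive.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), 0.0),
    # Generic "<name> = <value>" assignments. Group 1 is the candidate value; the
    # entropy floor filters low-variety placeholders while keeping real tokens.
    ("generic-credential",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?"
                r"([A-Za-z0-9_\-/+=]{16,})"),
     3.5),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    path: str
    line: int      # line number in the new version of the file
    rule: str
    redacted: str  # prefix only, so the full secret never lands in CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 is around 5-6, English words 3-4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def check_line(text: str) -> Iterator[Tuple[str, str]]:
    for name, rx, min_entropy in RULES:
        m = rx.search(text)
        if not m:
            continue
        candidate = m.group(1) if m.groups() else m.group(0)
        if shannon_entropy(candidate) >= min_entropy:
            yield name, candidate


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff and report secrets on added ('+') lines only."""
    findings: List[Finding] = []
    path, lineno = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):            # new-file header, e.g. "+++ b/app.py"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):            # hunk header carries the new start line
            m = HUNK_RE.match(raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):             # an added line
            for rule, secret in check_line(raw[1:]):
                findings.append(Finding(path, lineno, rule, redact(secret)))
            lineno += 1
        elif raw.startswith(" "):             # unchanged context (absent with -U0)
            lineno += 1
        # removed ('-') lines and "\ No newline" markers do not advance lineno
    return findings


# Constructed sample of `git diff --cached -U0` output for a stand-alone run.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -12,0 +13,2 @@ import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "a8F3kQ9zLm2xT7vB1pW6"
@@ -30 +32 @@ DEBUG = False
-PLACEHOLDER_TOKEN = "old"
+PLACEHOLDER_TOKEN = "changeme_changeme"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,0 +2 @@
+Set DB_PASSWORD via the environment, never in source.
"""


def staged_diff() -> str:
    return subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # `python hook.py` scans the staged diff; `python hook.py --demo` uses the sample.
    diff = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    found = scan_diff(diff)
    for f in found:
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
    sys.exit(1 if found else 0)
```

Install it as `.git/hooks/pre-commit` (or via a hooks manager) and the commit is refused when `scan_diff` returns anything. The redaction matters in CI: a scanner that prints the full match has just copied the secret into build logs that are typically far more widely readable than the repository.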
Multi-jurisdictional data handling required careful architecture. Player data from different EU markets had varying retention and processing requirements. We implemented data classification tags and automated data lifecycle management that satisfied both the PCI DSS account data retention and disposal requirements (req 3) and the SOC 2 confidentiality criteria, with each market's retention period encoded as policy rather than left to individual services.
Outcome
The company achieved PCI DSS v4.0 validation, a SOC 2 Type II report, and ISO 27001:2022 certification within 7 months — 2 months ahead of the board's deadline. No major findings across all three audits. The unified approach saved an estimated 40% in time and cost compared to running the three programs separately.
The triple certification immediately unblocked 3 enterprise client deals that had been stalled pending compliance verification, satisfied gambling regulator requirements in 2 EU markets, and qualified the company as a certified vendor for 2 additional payment networks. Vanta continues to run as the ongoing compliance management platform, with automated monitoring providing continuous assurance between annual audits.
Need multiple certifications?
We'll design a unified program that gets you there faster.