Z2 — FinTech Reference Platform
Asset: Z2 | Workstream: [GTM][A] | Ownership: [SO→CO] | Owner: Sagar | Status: drafted (sales-doc form valid now; full deploy tracks M2b/M4) | = Z1 + delta
PCI-DSS-leaning posture for FinTech. Expressed as Z1 plus the additional controls (per Z0 composition rules), not a standalone re-listing.
1. BOM — Z1 base + FinTech delta
Base: the full Z1 BOM (all 🟦, i.e. shipped and deployable today).
Delta (the FinTech additions):
| Layer | Added asset(s) | Why | Status |
|---|---|---|---|
| Key management | M2 (CMK/HSM, auto-rotation) | Customer-managed keys for cardholder-data systems | roadmap (M2a/M4) |
| Encryption policy | M1 (deny unencrypted), M3 (TLS floor / deny HTTP) | PCI encryption-everywhere | roadmap (M2a) |
| Data residency | M6 (allowed-regions deny) | Keep regulated data in-region | roadmap (M2a) |
| Logging depth | J1 (LAW module), J6 (WORM immutable forwarding) | Tamper-evident audit trail | roadmap (M2a) |
| SIEM | J3 (Sentinel + MITRE analytics) | Continuous monitoring / detection | roadmap (M4) |
| Network hardening | N2 (Firewall Premium IDPS/TLS-inspect), N3 (WAF), N4 (DDoS) | Stronger perimeter for payment flows | roadmap (M2b/M4) |
| Network deny | N5 (private-endpoint enforce) | No public PaaS | roadmap (M2a) |
| Access | H3 (PIM, tightened), H6 (access reviews) | Stronger privileged-access governance | H3 🟦 / H6 roadmap (M4) |
Honesty: the Z1 base is deployable today; the FinTech delta is largely roadmap (M2b/M4). Sales-doc form is valid now; scope live engagements to the shipped floor + an explicit delta roadmap. Never imply the full posture ships today.
2. Diagram (delta vs Z1)
Z1 topology, plus: Firewall Premium with IDPS in the hub doing TLS inspection on egress; WAF in front of public ingress; CMK/HSM Key Vault feeding encryption for data stores; Sentinel ingesting from the central LAW; WORM immutable log sink. (d2 with V2.)
3. Compliance mapping (PCI-DSS-leaning + SOC 2)
Covers the Z1 SOC 2 set plus PCI-relevant controls. See Y7:
- Encryption everywhere (M1/M2/M3) → PCI Req 3 (stored account data) / Req 4 (in transit) · SOC 2 CC6.1/6.7.
- Network segmentation + WAF/IDPS (N2–N5) → PCI Req 1; the WAF (N3) also covers the public-facing web application protection requirement (Req 6.4 in v4.0).
- Logging + monitoring (J1/J3/J6) → PCI Req 10 (the WORM sink, J6, addresses the audit-log integrity part) · SOC 2 CC7.2.
- Access control + PIM + reviews (H3/H6) → PCI Req 7/8.
- Data residency (M6) → regulatory (not a PCI requirement as such).
The delta vs Z1 is explicit; compliance covers PCI-DSS + SOC 2; unshipped assets are flagged with their milestone (the Z2 DoD).
4. Cost estimate (delta vs Z1)
Z1 base + the FinTech additions raise cost notably:
| Addition | Illustrative $/mo ⚠️ |
|---|---|
| Firewall Premium (vs Standard) | $[+400–900] |
| Sentinel ingestion | $[+200–800] (volume) |
| WAF / DDoS Network Protection | $[+300 / +3,000] (DDoS Network Protection is steep; where only a few public IPs need cover, the per-IP DDoS IP Protection SKU is the lower-cost option) |
| HSM-backed Key Vault (Managed HSM) | $[~1,000+] |
FinTech posture is materially more expensive than Z1 — set client expectations early; DDoS Network Protection in particular is a large line item.
5. Deploy guide (delta)
Stand up Z1 first, then layer: M1/M3/M6 policies → M2 CMK → J1/J6 logging → J3 Sentinel → N2–N5 network hardening → H6 access reviews. The deny policies go first so nothing non-compliant lands while the rest is built out; Sentinel follows J1 because it ingests from the central LAW. Each step is gated by its module's runbook once that module ships.
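As an added illustration of the first deploy step (not the M/N modules themselves, which are not on this page), the three deny-style controls it names, M3 (TLS floor / deny HTTP), M6 (allowed-regions deny) and N5 (private-endpoint enforce), written as custom Azure Policy definitions plus assignments in a subscription-scope Bicep file. Assumptions: the policy names, the allowed-region list, storage accounts as the PaaS type being enforced, and an `Audit`-then-`Deny` effect switch so the shipped Z1 estate can be checked before enforcement. M1/M2 are not modelled because the page does not say which data stores they cover.

```bicep
// Added example, not part of the Z2 page or its modules. Subscription-scope deployment:
//   az deployment sub create --location <region> --template-file z2-delta-policies.bicep
targetScope = 'subscription'

// Regions in which regulated data may live. Assumed values; set per engagement.
param allowedLocations array = [
  'uksouth'
  'ukwest'
]

// Assign with Audit first, review `az policy state summarize`, then redeploy with Deny.
@allowed([
  'Audit'
  'Deny'
])
param policyEffect string = 'Audit'

// M3: TLS floor / deny HTTP, scoped to storage accounts.
resource m3TlsFloor 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'z2-m3-storage-tls-floor'
  properties: {
    displayName: 'Z2 M3: storage accounts must be HTTPS-only with a TLS 1.2 floor'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          {
            anyOf: [
              { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', equals: 'false' }
              { field: 'Microsoft.Storage/storageAccounts/minimumTlsVersion', notEquals: 'TLS1_2' }
            ]
          }
        ]
      }
      then: { effect: policyEffect }
    }
  }
}

// M6: allowed-regions deny. 'global' resources (DNS zones, Traffic Manager) have no region and are exempted.
resource m6AllowedRegions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'z2-m6-allowed-regions'
  properties: {
    displayName: 'Z2 M6: resources may only be created in allowed regions'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: policyEffect }
    }
  }
}

// N5: private-endpoint enforce. Deny storage accounts whose public endpoint stays reachable.
resource n5NoPublicStorage 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'z2-n5-no-public-storage'
  properties: {
    displayName: 'Z2 N5: storage accounts must disable public network access'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
        ]
      }
      then: { effect: policyEffect }
    }
  }
}

// M6 needs the region list passed in; assignment names at subscription scope are capped at 24 chars.
resource assignM6 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'z2-m6-allowed-regions'
  properties: {
    policyDefinitionId: m6AllowedRegions.id
    parameters: { listOfAllowedLocations: { value: allowedLocations } }
  }
}

// M3 and N5 take no parameters, so they are assigned in one loop.
var unparameterised = [
  { name: 'z2-m3-storage-tls-floor', id: m3TlsFloor.id }
  { name: 'z2-n5-no-public-storage', id: n5NoPublicStorage.id }
]
resource assignOthers 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for a in unparameterised: {
  name: a.name
  properties: { policyDefinitionId: a.id }
}]
```

Two caveats a practitioner would check before flipping `policyEffect` to `Deny`: the `supportsHttpsTrafficOnly` test only fires when the property is present in the request (older storage API versions omit it, as the built-in secure-transfer policy also has to handle), and N5 as written blocks the public endpoint without creating the private endpoint, so the private-endpoint and private-DNS pieces of the Z1/N5 network must already be in place or the store becomes unreachable.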
DoD (Z2)
- BOM validates against §4. (Met — all delta lines resolve; status flagged.)
- Delta vs Z1 is explicit. (Met — §1.)
- Compliance covers PCI-DSS + SOC 2. (Met — §3.)
- Assets not yet shipped flagged with milestone. (Met — §1 status column.)