The Four Tendencies

Gretchen Rubin says a useful way to think about people’s behavior is by considering how willing they are to meet or resist expectations on them. Expectations can either be external, like your boss asking for a project to be completed or internal, like exercising regularly.

From these she identifies the four combinations labelled as The Four Tendencies.

External Expectation
Internal Expectation
Upholder (tick) (tick)
Questioner (warning) (tick)
Obliger (tick) (warning)
Rebel (warning) (warning)

(tick) Meets (warning) Resists

This could provide you with more empathy when considering your colleagues, friends or family and make you a more effective communicator. Maybe try thinking about members of your software development team and which tendency they seem to exhibit.

Which one are you? Take the quiz and find out.

Achieving PCI compliance the easy way with a serverless architecture

Achieving PCI Compliance can be a rather onerous ongoing commitment. The first thing you will have to show is your architecture in the form of a network diagram together with a data flow diagram showing the routes where credit card data is transmitted. The more complex the architecture the more work involved in making it PCI compliant. So what can you do to mimise the amount of effort? Well your first thought should be around minimising the scope that falls under PCI compliance. This can be done by isolating only the components requried for payments and moving everything else outside of this scope.Once this is done you should then think about how to implement the system that will be in scope for compliance and this is what I want to talk about in this post.

The key to easier PCI compliance of YOUR system is to offload as much as possible to other providers and by other providers I mean Cloud hosting providers like AWS and GCP who’s platforms hare already attained PCI compliance.

In this example I’m going to use AWS. I’m going to compare two architectures, one deploying your application on EC2 instances and the other using Lambda as our serverless facilitator.

Lets take a simple application that takes credit card details from customers over the phone line and uses Paypal payment gateway to process the payment.

High level network diagram

If we ignore the telephony section of the data flow to keep things simple in this illustration then these are the architectures that we have to produce in each case

Traditional Architecture

Network diagram for traditional architecture

AWS Components used

  1. VPC
  2. public subnets
  3. private subnets
  4. Internet gateway
  5. NAT gateway
  6. Two Availability zones
  7. Internet Gateway
  8. Bastion host for SSH
  9. Security groups
  10. ACLs
  11. Route tables
  12. S3 buckets for Cloudwatch logs

Serverless Architecture

Network diagram for serverless architecture

AWS Components used

  1. Lambda (using default VPC)
  2. API gateway
  3. S3 buckets for Cloudwatch logs

It’s pretty clear how much simpler the serverless architecture is.

Next we’ll see how some of the PCI requirements are met by each architecture and especially how must of the compliance responsibility is handed over to AWS when using the serverless solution.

How each architecture meets PCI requirements – traditional versus serverless

PCI requirement
Traditional Architecture
Serverless Architecture
Harden operating system Hardened AMIs, remove unused applications, lock down ports No instances  (AWS takes care of runtime)
Incoming Firewall  DMZ to prevent unauthorized access, Security Group on VPC Lambda comes with default VPC
Outoing internet access Internet gateway, NAT gateway, Security groups and/or ACLs Default Lambda VPC has outgoining internet access
Do not provide direct access to instances Use a bastion host to allow SSH access No Instances, so no SSH required


By going serverless we are able to totally ignore the following requirements:

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programsg