GCP PCA · Question 08 · Compliance Design

CASE STUDY: ShopGlobal

Company Overview:
ShopGlobal is an international e-commerce retailer. They are preparing for their largest annual sales event (Black Friday) and want to migrate off their aging on-premises infrastructure.

Current Technical Environment:

• 3 on-premises data centers (US-East, US-West, EU-Central).
• VMware vSphere environment with 500 VMs.
• Monolithic Java application running on Tomcat.
• Oracle RAC database for transactions.
• 50 TB of product images on SAN storage.

Business Requirements:

• Ensure 100% availability during the upcoming holiday season.
• Modernize the application architecture over the next 3 years.
• Reduce capital expenditure (CapEx) by shifting to an OpEx model.

Executive Statements:

• CEO: "Downtime during Black Friday costs us $1M per hour. We need bulletproof reliability."
• CFO: "We want to stop buying hardware. Move everything to a pay-as-you-go model."
• CTO: "We want to eventually move to microservices, but we don't have time to rewrite the app before the holidays."

Technical Requirements:

• Migrate the existing VMs to the cloud with minimal changes initially.
• Implement a global CDN for product images to reduce latency.
• Set up disaster recovery with an RPO of 15 minutes and RTO of 1 hour.
• Ensure PCI-DSS compliance for payment processing.

Constraints:

• The migration must be completed in 4 months (before the code freeze).
• The Oracle database license cannot be easily transferred to the cloud.
• The team has no experience with Kubernetes or containers yet.

QUESTION:
To ensure PCI-DSS compliance for payment processing in the new cloud environment, which combination of GCP security controls should you implement?