Case Study

How a Global Enterprise Is Orchestrating PCI Compliance & Infrastructure Change With Itential

Moving PCI Investigations from Manual Forensics to Deterministic, Audit-Ready Workflows

Challenge

Manual PCI investigations and spreadsheet driven change processes could not support audit demands or enterprise scale infrastructure migration.

Solution

Automated PCI identity analysis and infrastructure workflows using Itential to deliver repeatable, auditable outcomes in minutes instead of weeks.

Impact

Chosen for its ability to productize automation with governance, accelerate delivery, and scale across regulated hybrid environments.

The Challenge

When PCI Compliance & Large-Scale Change Collide

A global enterprise delivering device protection and technical support services operates thousands of applications and networked systems across multiple data centers and hybrid cloud environments. Many of these systems fall under PCI DSS requirements, making compliance a continuous operational obligation rather than a periodic audit exercise.

As the organization prepared to migrate approximately 2,500 applications across three data centers, compliance and delivery pressures converged. Network and security teams needed to update infrastructure at scale without increasing risk, while security and governance leaders required faster, more defensible proof that PCI scoped resources were properly identified and controlled. The existing operating model could not support both objectives simultaneously.

PCI investigations depended heavily on human expertise. Establishing whether an IP address was in scope required engineers to manually correlate data across multiple systems – firewall logs, endpoint security tools, authentication platforms, and IPAM or DNS sources. Even when performed by experienced engineers, this process typically took 45 to 60 minutes per IP address. At audit scale, that translated into weeks of effort, limited throughput, and inconsistent outcomes. Investigations did not scale during audits or security incidents, results were difficult to reproduce or explain months later, and evidence often lived outside systems of record – increasing audit risk.

The organization had already invested in Python-based automation to accelerate parts of its compliance and migration workflows. While effective in targeted use cases, this approach introduced new constraints as demand increased. Automation requests quickly outpaced the team’s ability to deliver and maintain scripts. Security reviews became more frequent as dependencies aged, and each new workflow required custom development, testing, and documentation. What the team needed was not more scripts, but a way to productize automation with governance, reuse, and auditability built in.

More scripts wouldn’t make compliance defensible. The team needed orchestration that productized governance, auditability, and reuse – by design.

Why Itential

An Operating Model, Not Another Script Library

The team needed orchestration that could operationalize automation across domains while embedding control, auditability, and reuse by design – a way to shift from one-off automation projects to a standardized, governed automation operating model that could scale with both compliance demands and infrastructure change.

Six Criteria Shaped the Decision

After Python hit its practical limits, the team was explicit about what would not work: more point tools, more scripting frameworks, or another platform that shifted governance back onto engineers. Six criteria shaped the choice.

Reduce Delivery Time Without Sacrificing Rigor

A low-code approach to workflow design allowed the team to move faster than high-code scripting while still supporting complex logic, integrations, and conditional execution. Existing Python capabilities could be reused where appropriate, rather than rewritten or abandoned.

Governance & Auditability as Native Capabilities

The organization required built-in lifecycle management, execution history, and versioning to support PCI evidence, internal governance reviews, and future audits. This eliminated the need to build and maintain custom compliance frameworks around automation.

Clean Integration with Existing ITSM Processes

Intake, approvals, and execution had to remain connected so that infrastructure teams, security teams, and application owners could operate through familiar systems of record. Automation needed to fit into established operational workflows, not bypass them.

Orchestration Across All Infrastructure Domains

PCI compliance and data center migration both spanned network, security, compute, and cloud platforms. Itential’s ability to coordinate actions across vendors and technologies allowed the organization to avoid siloed automation and instead build end-to-end workflows.

Assurance-Driven Validation

Network validation workflows run before and after changes – eliminating reliance on standalone assurance tools. Pre- and post-checks execute as part of every workflow, catching configuration drift before it becomes an incident.

Operational Overhead Mattered

A SaaS deployment option reduced platform management burden, while an API-first architecture ensured the solution could integrate with existing tooling and evolve as PCI requirements and infrastructure both change.

"We were trying to move fast while still proving compliance, and those two things were constantly in tension."
– Network Architect, Global Enterprise (Device Protection & Technical Support Services)

The Solution

Redefining Compliance Around Deterministic Identity

The architectural shift came from redefining how PCI scope was established. Instead of relying on manual correlation, the team defined a deterministic identity model for infrastructure resources. Before a system could be governed or changed, automation needed to answer, with evidence: what the resource is and how it behaves on the network; what systems and users communicate with it; which team owns it and under what security context; and whether it is in PCI scope and why. Using Itential as the orchestration layer, the organization built workflows that automatically ingested and correlated data from network telemetry, security platforms, and asset systems. The result was a repeatable identity record that included both the conclusion and the evidence used to reach it.

Automated PCI Identity & Scope Analysis

Workflows automatically ingest and correlate data from network telemetry, security platforms, and asset systems. Identity establishment dropped from 45-60 minutes per IP to about 6 seconds – hundreds or thousands of IPs analyzed in parallel, with deterministic results in minutes instead of weeks.

Replayable, Audit-Defensible Evidence

Every execution produces a complete audit trail that can be replayed or reviewed long after the fact. IP addresses get repurposed, systems evolve, teams change – the historical evidence stays intact, and the team can explain exactly why a decision was made months or years later.
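As an added illustration (not Itential's code or the organization's actual workflow), the following Python sketch shows the identity record described under Redefining Compliance Around Deterministic Identity and the replayable evidence described above: it correlates constructed IPAM, firewall and authentication samples for one IP, answers the four scoping questions while retaining every record used, and hashes that evidence so the record can be re-verified long after the fact. The source formats, zone labels and scoping rules are assumptions made for the example.

```python
import hashlib
import json
# Constructed sample sources (not real data): the record types the case study
# says engineers had to correlate by hand for every IP.
IPAM = {"10.1.2.3": {"host": "pay-api-01", "owner": "payments-team", "zone": "cde"}}
FIREWALL_LOGS = [
    "2024-05-01T10:00:00Z allow src=10.1.2.3 dst=10.9.0.10 dport=443 app=tokenizer",
    "2024-05-01T10:00:05Z allow src=10.4.4.4 dst=10.1.2.3 dport=8443 app=checkout",
]
AUTH_EVENTS = [{"ip": "10.1.2.3", "user": "svc-payments", "ctx": "pci-service-account"}]
CDE_ZONES = {"cde"}                   # assumed IPAM zones that are cardholder data environments
PCI_APPS = {"tokenizer", "checkout"}  # assumed applications known to handle cardholder data

def _digest(evidence):
    """Stable hash over the evidence list so a record can be re-verified later."""
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_identity(ip, ipam=IPAM, fw_logs=FIREWALL_LOGS, auth=AUTH_EVENTS):
    """Answer the four scoping questions for one IP and keep every record used."""
    evidence, reasons, peers = [], [], []
    asset = ipam.get(ip)                      # what the resource is and who owns it
    if asset:
        evidence.append({"source": "ipam", "record": asset})
        if asset["zone"] in CDE_ZONES:
            reasons.append(f"ipam zone '{asset['zone']}' is a cardholder data environment")
    for line in fw_logs:                      # what communicates with it
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        if ip in (fields["src"], fields["dst"]):
            evidence.append({"source": "firewall", "record": line})
            peers.append(fields["app"])
            if fields["app"] in PCI_APPS:
                reasons.append(f"exchanges traffic with PCI application '{fields['app']}'")
    for ev in auth:                           # under what security context it operates
        if ev["ip"] == ip:
            evidence.append({"source": "auth", "record": ev})
            if ev["ctx"].startswith("pci-"):
                reasons.append(f"authenticates under security context '{ev['ctx']}'")
    # Conclusion and the evidence behind it travel together in one record.
    return {"ip": ip, "host": asset["host"] if asset else None,
            "owner": asset["owner"] if asset else None, "peers": sorted(set(peers)),
            "in_scope": bool(reasons), "reasons": reasons,
            "evidence": evidence, "evidence_digest": _digest(evidence)}

def verify_record(record):
    """Replay check: the stored evidence still hashes to the stored digest."""
    return _digest(record["evidence"]) == record["evidence_digest"]
```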

Coordinated Multi-Domain Change Execution

For the data center migration, workflows coordinate changes across network, firewall, and load balancing infrastructure while integrating with ITSM for intake and approval. Application teams request outcomes – not device-level changes – with full change history captured automatically.

Automated Dependency Discovery

Dependency discovery runs as part of the workflow, not as a separate spreadsheet exercise. Migration activities proceed without compromising compliance controls or audit readiness – and the analysis itself is 96% more efficient than the manual approach.

"Automation removed the guesswork from change and gave us confidence we weren’t breaking compliance as we moved. What used to take weeks of careful investigation now runs in minutes, with better evidence."
– Network Architect, Global Enterprise (Device Protection & Technical Support Services)

The Outcome

Measurable Results Across Compliance & Infrastructure Operations

Speed and consistency. Audit defensibility. Capacity recovered for the work only experienced engineers can do.

200x – PCI Investigation Efficiency
Per-IP analysis dropped from 45-60 minutes to ~6 seconds – a 2,300% efficiency gain.

200 – IPs Analyzed in 20 Minutes
Hundreds of IPs analyzed in 20 minutes – work that previously required weeks.

$11K – OpEx Saved in One Month
Estimated savings from a single month of automated PCI analysis.

96% – Faster Migration Analysis
Efficiency improvement on data center migration analysis workflows.

2,500 – Applications Migrated
Applications coordinated across three data centers on the same orchestration foundation.

Audit Readiness That’s Durable, Not Episodic

Execution history, identity evidence, and change context are preserved as a durable compliance record, referenceable long after the infrastructure has changed. This reduces risk not just at audit time but also for the legal, security, and governance teams that depend on historical accuracy.

What’s Next

By standardizing automation through an orchestration platform, the organization shifted from one-off scripting to a governed automation operating model. Workflows became reusable services, approvals and controls were embedded, and auditability was inherent rather than added later. With proven success in PCI compliance and data center migration, the organization expanded orchestration into additional security and infrastructure domains – a sustainable model for operating regulated, hybrid infrastructure at enterprise scale, without sacrificing speed or control.
