PCI-DSS

• 

  Building ComplyAgent: An AI-Powered PCI DSS Compliance Orchestrator on Cloud Run

Inspiration

Every year, over 12 million merchants worldwide undergo costly and manual PCI DSS compliance audits—often spending $10k–$100k/year just to prove they’re following baseline security practices. As someone who’s worked with small retailers, I’ve seen teams drown in spreadsheets, missed configuration drifts, and panic during QSA visits.

What if compliance could be continuous, automated, and verifiable—not a once-a-year fire drill?

That question sparked ComplyAgent: a serverless, multi-agent system that simulates device attestations, validates them against PCI DSS policy, and gives real-time compliance visibility—all running on Google Cloud Run.

What it does

PCI DSS compliance monitoring is an AI-powered, serverless application built on **Google Cloud Run that automates PCI DSS compliance monitoring. It uses two AI agents—an Inspector Agent that simulates device attestations (e.g., POS terminals) and a Compliance Agent that validates them against PCI policy—enabling continuous, real-time compliance checks instead of manual annual audits. The system stores only cryptographic hashes (never real card data) and includes a live dashboard for auditors, all deployed using Cloud Run, Pub/Sub, Firestore, and Google’s Agent Development Kit (ADK).

How i built it

Architecture Overview flowchart LR A[Inspector Agent\n(Cloud Run Job)] -->|Pub/Sub| B[Compliance Agent\n(Cloud Run Service)] B --> C[(Firestore)] C --> D[React Dashboard\n(Cloud Run Service)] E[Auditor Agent\n(Cloud Run Service)] -->|RAG + Gemini| C Key Components Inspector Agent (Python + ADK) Runs hourly as a Cloud Run Job Simulates POS terminals by generating PCI-hardened config hashes: h=SHA3-256("pci_baseline_v1.2" + device_id) Publishes attestation to Pub/Sub Compliance Agent (Python + ADK + Gemini Pro) Triggered by Pub/Sub → validates h against expected baseline Uses function calling to log results to Firestore Updates compliance status for Requirement 2.2 in real time Auditor Agent (Gemini + RAG over PCI DSS v4.0 PDF) Answers natural language questions like: “Is my server room access control compliant?” Retrieves relevant policy sections and cross-references Firestore evidence Frontend Dashboard (React + Vite) Hosted on Cloud Run Service Shows live device status, policy coverage, and audit trail Tech Stack Language: Python (backend), TypeScript (frontend) AI: Google ADK, Gemini 1.5 Pro/Flash Cloud: Cloud Run (Service + Job), Pub/Sub, Firestore, Cloud Storage CI/CD: GitHub Actions

Challenges i ran into

1. Statelessness vs. Workflow Continuity Cloud Run services are stateless, but agent workflows need memory. ✅ Solution: Used Firestore as a shared ledger for agent state, with document locks to prevent race conditions.

   1. Simulating “Trust” Without Blockchain Peaq provided device identity; Cloud Run doesn’t. ✅ Solution: Used signed JWTs for device identity in simulation, and emphasized in docs: “In production, bind to TPM or HSM.”
   2. Gemini Overkill for Simple Checks Initially used Gemini Pro to validate config hashes—massive overkill! ✅ Solution: Reserved LLM for ambiguous cases (e.g., “Is this firewall rule compliant?”) and used deterministic logic for hash matches.
   3. Cold Starts in Demo Cloud Run cold starts delayed the live demo. ✅ Solution: Kept services warm with a cron ping during presentation.

Accomplishments that we're proud of

First multi-agent PCI compliance system deployed entirely on Cloud Run—proving complex regulatory workflows can be automated, scalable, and auditable. Zero sensitive data exposure: Only cryptographic hashes (e.g., SHA3-256) are stored or transmitted, fully respecting PCI DSS’s strict data handling rules. End-to-end serverless architecture: From device simulation (Cloud Run Job) → validation (Cloud Run Service) → live dashboard (React on Cloud Run), all auto-scaling with zero infrastructure management. Built in under a week using Google’s AI and serverless stack—demonstrating how AI Agents can solve real-world enterprise problems with minimal code and maximum trust. This isn’t just a demo—it’s a blueprint for the future of autonomous compliance.

What i learned

This project pushed me to master several cutting-edge Google Cloud technologies:

Google Agent Development Kit (ADK): I learned how to model autonomous agents that collaborate via message-passing workflows. Cloud Run’s serverless model: I embraced stateless design, idempotency, and event-driven triggers (via Pub/Sub) to mimic blockchain-like integrity without a blockchain. AI for policy reasoning: I used Gemini 1.5 Pro not just for chat, but as a compliance reasoning engine—evaluating whether a simulated device configuration met Requirement 2.2 (“Remove unnecessary services”). Secure-by-design principles: Even in a demo, I enforced zero CHD storage—using only hashes (e.g., SHA3-256(config) ) to prove integrity. Most surprisingly, I discovered that compliance is a perfect use case for multi-agent systems: one agent observes, another validates, and a third explains—just like humans in a real audit team

What's next for PCI-DSS

ComplyAgent proves that compliance doesn’t have to be painful—it can be automated, intelligent, and scalable using the very tools Google provides. By shifting from annual audits to continuous assurance, we can help millions of businesses focus on what they do best: serving customers, not paperwork.

And the best part? It all runs on Cloud Run—deployed in minutes, scaled globally, and powered by AI agents who never sleep.