How I Built a PCI-Ready Merchant Onboarding API on AWS for Under $5/Month

Source: DEV Community
Payment processors get rejected from enterprise contracts because their systems weren't auditable. PCI DSS cares whether every data access event is logged, whether every record is encrypted with a key you control, and whether you can recover a merchant record to a specific second if a dispute arises. This post walks through a serverless merchant onboarding API built to those standards, with full cost transparency.

What This Solves

A payment processor needs to register merchants: collect business details, store KYC documents, and expose that data to internal admin systems. Straightforward on the surface. The compliance overhead is where most implementations fall apart:

PCI DSS Requirement 3.5.1 — stored data must be encrypted with a key the organization controls, not a cloud-provider default
PCI DSS Requirement 8 — every API call must be authenticated and tied to an identity
PCI DSS Requirement 10 — every data access event must produce audit evidence

Building infra that can survive a compliance audit witho