Navan rebuilds its payment infrastructure to meet PCI-DSS compliance, reducing total cost of ownership by 35% and shortening release cycles by 40%.
Client profile: A corporate travel management company
Industry: Other, Travel & Expense
Region: North America
Navan is a corporate travel management company. Its platform combines travel booking, expense management, and corporate card capabilities. The company serves businesses that want to simplify travel operations and control spending. Every transaction on the platform touches sensitive financial data.
01 The Challenge
Corporate travel is a $1.1 trillion global market. 58% of companies cite data privacy and compliance concerns when sharing traveler data across platforms. Enterprise buyers require PCI-DSS certification before they will route payments through a vendor. For travel management platforms, compliance is a prerequisite.
Navan’s leaders wanted to accelerate revenue growth by accepting payments directly. The company relied on a third-party provider to handle customer transactions. Processing in-house would give Navan more control, lower per-transaction costs, and a stronger position with enterprise buyers.
Achieving PCI-DSS compliance meant upgrading the company’s infrastructure across network architecture, access controls, monitoring, logging, and deployment processes. Every layer had to meet strict security requirements.
Navan partnered with Provectus, an AI-first systems integrator and solutions provider, to design and build a compliant environment and prepare the documentation for PCI-DSS certification.
02 The Approach
Provectus began with an infrastructure assessment workshop. The analysis identified areas for improvement across network architecture, user access management, monitoring, and CI/CD processes.
The upgrade started with access controls and network segmentation. Provectus implemented structured roles and groups to control who accessed what. The network was redesigned with isolated environments for production, staging, and development. VPN access with two-factor authentication was added for remote connectivity.
Next came logging, monitoring, and security. A centralized logging system gave Navan full visibility into system activity. An action audit system tracked all changes and access events. Automated backups, antivirus, and vulnerability detection were applied to all services.
Finally, Provectus redesigned CI/CD pipelines. Automatic builds and tests run on every pull request. Merge restrictions and continuous code inspection enforce security standards. The migration completed with zero downtime.
03 The Build
The build delivered a PCI-DSS-ready infrastructure on AWS.
Network environments are isolated. Public and private segments route traffic through strict security policies. Production, staging, and development cannot cross-communicate. Two-factor VPN protects remote access.
Centralized logging and monitoring surface all system activity in real time. Custom alerting collects metrics from services and compute instances. An audit system records every change and access event.
CI/CD pipelines enforce security at every step. Builds and tests run automatically. Code inspection catches vulnerabilities before merge. A content delivery layer enables low-latency page loads with geolocation-based distribution.
04 The Results
Navan achieved PCI-DSS compliance readiness. The company can now accept payments directly, track transactions, and store financial data without a third-party provider.
35% reduction in total cost of ownership, with 40% shorter release cycles
The cost reduction came from optimized infrastructure, better resource management, and eliminated third-party processing fees. Release cycles shortened by 40%, letting the engineering team ship improvements faster. Customer expenses dropped 3% from improved platform performance.
Enterprise clients who require strict security standards can now evaluate Navan with confidence. In-house payment processing, faster delivery, and lower operating costs position the company for its next stage of growth.
05 What’s Next
Navan now has the infrastructure to onboard enterprise clients who require PCI-DSS certification. Provectus works with Navan on extending capabilities as the company scales its corporate travel platform.