Razorpay developed a custom Lua plugin for Kong Gateway to narrow its PCI-DSS scope by minimizing the number of services that ever handle raw card data. The Payment Card Industry Data Security Standard applies to every system that stores, processes, or transmits cardholder data: each such component is in scope for the standard's controls and for periodic assessment (annual for the highest merchant and service-provider levels). Razorpay's approach is tokenization: a dedicated service exchanges card data for opaque tokens at the edge, so downstream services only ever see tokens. The custom plugin, the PCI Handler Plugin, runs inside the gateway, introspects request payloads for card attributes, validates the input, calls the tokenization service, and rewrites the payload with the returned tokens before Kong proxies it upstream. Deploying it means registering the plugin with Kong and configuring the tokenization and upstream services. Because the gateway is the single choke point for card data, the PCI burden concentrates on the gateway and the tokenization service while the rest of Razorpay's microservices scale outside the card-data path, provided no other route lets raw card data bypass the plugin.
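The access-phase flow described above, as an added example that is not Razorpay's plugin code: a minimal Kong handler that parses a JSON body, finds `card` objects (a field name assumed here), validates the PAN with a Luhn check, swaps each card object for a token from an assumed tokenization service at `conf.tokenization_url`, and forwards the rewritten body upstream. The tokenizer's request and response shape (`{"token": "..."}`), the `X-PCI-Tokenized` header and the config fields `tokenization_url` and `timeout` are assumptions; the Kong PDK calls are the standard ones.

```lua
-- Added example, not the PCI Handler Plugin itself. Field names, the
-- tokenizer URL/wire format and the config keys are assumptions.
local cjson = require "cjson.safe"
local http  = require "resty.http"

local PCIHandler = {
  PRIORITY = 1000,   -- run early in the access phase, before other body plugins
  VERSION  = "0.1.0",
}

-- Luhn check on a PAN sent as a string (sending it as a JSON number would
-- drop leading zeros, so numbers are rejected rather than coerced).
local function luhn_ok(pan)
  if type(pan) ~= "string" or #pan < 12 or #pan > 19 or pan:find("%D") then
    return false
  end
  local sum, double = 0, false
  for i = #pan, 1, -1 do
    local d = tonumber(pan:sub(i, i))
    if double then
      d = d * 2
      if d > 9 then d = d - 9 end
    end
    sum = sum + d
    double = not double
  end
  return sum % 10 == 0
end

-- Exchange one card object for a token at the (assumed) tokenization service.
-- Returns token, or nil plus an error string that never contains card data.
local function tokenize(conf, card)
  local httpc = http.new()
  httpc:set_timeout(conf.timeout)
  local res, err = httpc:request_uri(conf.tokenization_url, {
    method  = "POST",
    body    = cjson.encode(card),
    headers = { ["Content-Type"] = "application/json" },
  })
  if not res then
    return nil, "tokenizer unreachable: " .. tostring(err)
  end
  if res.status ~= 200 then
    return nil, "tokenizer returned HTTP " .. res.status
  end
  local decoded = cjson.decode(res.body)
  if not decoded or type(decoded.token) ~= "string" then
    return nil, "malformed tokenizer response"
  end
  return decoded.token
end

-- Walk the payload recursively so nested card objects are caught too.
-- Returns the number of cards replaced, or nil, http_status, client_message.
local function replace_cards(conf, node, replaced)
  if type(node) ~= "table" then return replaced end
  if type(node.card) == "table" and node.card.number ~= nil then
    if not luhn_ok(node.card.number) then
      return nil, 400, "invalid card number"
    end
    local token, err = tokenize(conf, node.card)
    if not token then
      kong.log.err("pci-handler: ", err)      -- detail stays in the gateway log
      return nil, 502, "tokenization failed"  -- client gets no tokenizer internals
    end
    node.card  = nil     -- raw card attributes never leave the gateway
    node.token = token
    replaced = replaced + 1
  end
  for _, child in pairs(node) do
    local n, status, msg = replace_cards(conf, child, replaced)
    if not n then return nil, status, msg end
    replaced = n
  end
  return replaced
end

function PCIHandler:access(conf)
  local ctype = kong.request.get_header("content-type") or ""
  if not ctype:find("application/json", 1, true) then
    return  -- nothing we can introspect; non-JSON bodies pass through
  end
  -- get_raw_body returns nil when the body was buffered to disk; treat that
  -- as a request we cannot safely inspect rather than silently forwarding it.
  local raw = kong.request.get_raw_body()
  if not raw then
    return kong.response.exit(413, { message = "request body too large to inspect" })
  end
  if raw == "" then return end

  local body = cjson.decode(raw)
  if not body then
    return kong.response.exit(400, { message = "body is not valid JSON" })
  end

  local replaced, status, msg = replace_cards(conf, body, 0)
  if not replaced then
    return kong.response.exit(status, { message = msg })
  end
  if replaced > 0 then
    -- The upstream now only ever receives tokens, keeping it outside PCI scope.
    kong.service.request.set_raw_body(cjson.encode(body))
    kong.service.request.set_header("X-PCI-Tokenized", tostring(replaced))
  end
end

return PCIHandler
```

To load this as a plugin, a `schema.lua` beside it must declare the assumed config fields (`tokenization_url` as a required string and `timeout` in milliseconds), the plugin name goes into Kong's `plugins` setting, and it is enabled on every route that can receive card data. The important design choice is that a tokenizer failure aborts the request instead of forwarding the untokenized body, and that only the tokenizer and this handler ever see `node.card`.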