Maksym Prokopov personal blog
An idea is something worth sharing

Compliance as Code

27.03.2024

Reading time: 1 min.

Recently, I stumbled upon a concept that sounded new to me: Compliance as Code.

The core idea is to “embed compliance policies into the code that can be repeated and tested automatically.” But what does that mean in practice?

For example, PCI DSS requires specific controls around cardholder data: encryption of stored card data, restricted access to it, and masking or obfuscation of card numbers where they are displayed. With compliance as code, those controls are not applied by hand on each environment; they are written into the infrastructure code (Terraform modules, Ansible roles and the like) that provisions the environment, so every environment gets them by construction. Then, before anything is deployed, automated tests in the CI/CD pipeline evaluate the planned changes against the same requirements and block the deployment when a control is missing. Compliance stops being a document that is checked occasionally and becomes a test that runs on every change.
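As an added example (not code from the original post), here is such a CI gate written as a Python script that runs over the JSON output of `terraform show -json tfplan`. The three rules, the resource names and the sample plan document embedded in the script are constructed for illustration; the attribute names follow the Terraform AWS provider's resource schema (`aws_db_instance.storage_encrypted`, `aws_s3_bucket_server_side_encryption_configuration`, `aws_security_group.ingress`), and the requirement numbers refer to PCI DSS requirement 1 (network security controls) and requirement 3 (protect stored account data).

```python
"""Compliance-as-code gate: evaluate PCI DSS-style rules against a Terraform plan.

Added example. Run in CI after
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
and fail the pipeline when any rule is violated. The sample plan, resource
names and bucket names below are constructed for illustration.
"""
import json
import sys

# Constructed sample: a trimmed `terraform show -json` document with one
# deliberate violation per rule class (unencrypted DB, DB port open to the world).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_db_instance.cardholder", "type": "aws_db_instance",
                 "name": "cardholder",
                 "values": {"engine": "postgres", "storage_encrypted": False,
                            "publicly_accessible": False}},
                {"address": "aws_s3_bucket.audit_logs", "type": "aws_s3_bucket",
                 "name": "audit_logs", "values": {"bucket": "audit-logs"}},
                {"address": "aws_s3_bucket_server_side_encryption_configuration.audit_logs",
                 "type": "aws_s3_bucket_server_side_encryption_configuration",
                 "name": "audit_logs",
                 "values": {"bucket": "audit-logs",
                            "rule": [{"apply_server_side_encryption_by_default":
                                      [{"sse_algorithm": "aws:kms"}]}]}},
                {"address": "aws_security_group.db", "type": "aws_security_group",
                 "name": "db",
                 "values": {"ingress": [{"from_port": 5432, "to_port": 5432,
                                         "protocol": "tcp",
                                         "cidr_blocks": ["0.0.0.0/0"],
                                         "ipv6_cidr_blocks": []}]}},
            ]
        }
    },
}


def iter_resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def rule_db_storage_encrypted(resources):
    """Req. 3 (protect stored account data): RDS instances must encrypt at rest."""
    return [f"{r['address']}: storage_encrypted must be true"
            for r in resources
            if r["type"] == "aws_db_instance" and not r["values"].get("storage_encrypted")]


def rule_bucket_encrypted(resources):
    """Req. 3: every S3 bucket needs a matching server-side encryption configuration.

    Buckets are matched by literal name. A bucket whose name is only known at
    apply time shows up as unknown in the plan and needs a post-apply check.
    """
    configured = {r["values"].get("bucket") for r in resources
                  if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"}
    return [f"{r['address']}: no server-side encryption configuration"
            for r in resources
            if r["type"] == "aws_s3_bucket" and r["values"].get("bucket") not in configured]


ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def rule_no_public_ingress(resources):
    """Req. 1 (network security controls): no ingress rule may admit the whole internet."""
    findings = []
    for r in resources:
        if r["type"] != "aws_security_group":
            continue
        for rule in r["values"].get("ingress", []):
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & ANY_ADDRESS:
                findings.append(f"{r['address']}: ingress {rule.get('from_port')}-"
                                f"{rule.get('to_port')} open to {sorted(cidrs & ANY_ADDRESS)}")
    return findings


RULES = [rule_db_storage_encrypted, rule_bucket_encrypted, rule_no_public_ingress]


def evaluate(plan):
    """Return all findings as 'address: message' strings; empty means the plan passes."""
    resources = list(iter_resources(plan))
    findings = []
    for rule in RULES:
        findings.extend(rule(resources))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    problems = evaluate(plan)
    for p in problems:
        print("FAIL", p)
    print("PASS" if not problems else f"{len(problems)} violation(s)")
    sys.exit(1 if problems else 0)
```

In a pipeline the job runs `terraform plan -out=tfplan`, `terraform show -json tfplan > plan.json` and then this script on `plan.json`; a non-zero exit fails the build before `terraform apply` ever runs. One caveat: a plan-time gate only sees what Terraform manages, so a setting changed out of band in the console still needs a separate check against the live environment.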