"Those people pushing to production on day one aren't pushing a new credit-card feature; they are pushing a standard, pre-defined change to the 'about' page to add their picture. Instead of fearing change, we get people used to it. The risks change," he said, gesturing at the monitors, but we take steps to address the risks. It's a different way of developing software."

We continued our tour, we dropped by the security and privacy team, which is identical to every other small group of cubicles, except that the lights are noticeably dimmer. As we talked, one man, sitting in his chair, looked at us with authority -- and a little suspicion. It was Nick Galbreath, a director of engineering at Etsy, whose practice includes security and privacy.

Suddenly my colleague, Peter Walen, got very excited. Pete was just visiting for the trip, but his background is in financial systems, including PCI compliance, the international standard for credit cards -- and he says that most of this would never fly under most interpretations of PCI. How is this possible?