Read how FreshBooks simplified PCI compliance processes with a Managed AWS Cloud.

Ars Technica

The all-new FreshBooks is accounting software that makes running your small business easy, fast and secure.


Toronto, Canada

Simplifying the PCI compliance process for FreshBooks

FreshBooks helps businesses to spend less time on accounting and more time doing the work they love. With this as their mission, it only makes sense that the cloud accounting software company would follow the same logic when it comes to its cloud and IT infrastructure.

FreshBooks had been successfully hosting its own credit card processing and maintaining an entire PCI DSS-compliant environment for their payment app. But preparing for their annual PCI audit was time-consuming. 

FreshBooks saw an opportunity to migrate its credit card processing to an environment in which AWS could take on many of their PCI compliance-based functions. As a trusted AWS cloud partner, Deft was asked to help manage the transition.


What the environment looked like before AWS

When FreshBooks hosted its own bare metal environment in air-gapped data centers, it treated cardholder data as radioactive. The team went to great lengths to keep it from mixing with other systems and networks. While the method kept credit card data safe, it took up a lot of time.

“We can’t innovate in hosting cardholder data — that’s just not something we can even try to do. What we can do is write an intelligent application for processing cardholder data, and do our due diligence in making sure it’s hosted in a PCI-compliant manner.”

Stephen Freudenthaler

Site Reliability Engineering Manager at FreshBooks

To achieve PCI compliance, a company typically needs to set aside a considerable amount of time, including at least a full day to meet with a Qualified Security Assessor (QSA). The QSA goes through a set of about 200 controls and evidentiary tasks to make sure a system meets PCI DSS security standards. 

Before FreshBooks moved to a Managed AWS Cloud, their entire infrastructure was routinely examined for PCI compliance instead of just the payment-processing portion. That meant there were a lot of checkboxes to tick.


An easier way to maintain PCI DSS compliance

“This is going to be the easiest PCI build I’ve ever seen.”


PCI Qualified Security Assessor (QSA)

Moving FreshBooks’ credit card processing application to AWS accomplished two things:

  • It separated payment data from the rest of the infrastructure; and
  • It put the bulk of the PCI requirements onto AWS, saving FreshBooks considerable time that they were able to reinvest in supporting their customers.

“We were using three people to maintain our PCI environment before. That number dropped to one. Now, our engineers can shift their focus to making a better product for our customers.”

Stephen Freudenthaler

Manager of Site Reliability at FreshBooks

With AWS securely hosting all payment data — and already approved as PCI-compliant — FreshBooks could eliminate several steps of the internal audit process while ensuring all data stayed as secure as it was before.

“When the PCI auditors saw the new, streamlined design, our planned three-hour meeting only took 45 minutes.”

Eric Dynowski

Chief Technology Officer at Deft


Getting the fringe benefits of an AWS cloud

FreshBooks knew that moving payments to the cloud would make a big difference for a global SaaS company. But that was just the beginning. 

“The PCI controls that humans were doing before are now automated, so we’re able to spend more time on our core business.”

Jeff Dawson

Site Reliability Engineer at FreshBooks

Instead of connecting all the way back to FreshBooks’ main data center, FreshBooks users are automatically routed to the closest server, making transactions faster.

Additionally, if demand spikes — like, say, around tax time — the application is optimized for autoscaling, so FreshBooks will always have the resources it needs to serve every user. 

The new setup also means FreshBooks only has to pay for what it uses. Instead of needing to buy new servers to manage a spike, only to leave them sitting idle during off-hours, FreshBooks pays per hour per container. If there’s very little load, there’s also very little cost, ultimately saving the company money.


Protecting against outages with a disaster recovery plan

Setting up in AWS made it easy to double credit card processing across two environments. Instead of everything being housed in — and dependent on — the FreshBooks data center, now there was added redundancy.

Deft set up one environment in the Eastern Region of the U.S. and one in the Western Region. If one went offline, redundancy and failover capabilities would kick in. FreshBooks’ global customers would be able to complete online purchases without a hiccup. That’s a big deal, especially when you manage taxes for companies all over the world.

Contact us about starting your own project



111 W. Jackson Blvd #1600
Chicago, IL 60604
+1 (312) 829-1111

© 2022 ServerCentral, LLC dba

Inc. 5000 America's Fastest Growing Private Companies