The all-new FreshBooks is accounting software that makes running your small business easy, fast and secure.
Simplifying the PCI compliance process for FreshBooks
FreshBooks helps businesses to spend less time on accounting and more time doing the work they love. With this as their mission, it only makes sense that the cloud accounting software company would follow the same logic when it comes to its cloud and IT infrastructure.
FreshBooks had been successfully hosting its own credit card processing and maintaining an entire PCI DSS-compliant environment for its payment application. But preparing for the annual PCI audit was time-consuming.
FreshBooks saw an opportunity to migrate its credit card processing to an environment in which AWS could take on many of their PCI compliance-based functions. As a trusted AWS cloud partner, Deft was asked to help manage the transition.
What the environment looked like before AWS
When FreshBooks hosted its own bare metal environment in air-gapped data centers, it treated cardholder data as radioactive. The team went to great lengths to keep it from mixing with other systems and networks. While the method kept credit card data safe, it took up a lot of time.
“We can’t innovate in hosting cardholder data — that’s just not something we can even try to do. What we can do is write an intelligent application for processing cardholder data, and do our due diligence in making sure it’s hosted in a PCI-compliant manner.”
Site Reliability Engineering Manager at FreshBooks
To achieve PCI compliance, a company typically needs to set aside a considerable amount of time, including at least a full day to meet with a Qualified Security Assessor (QSA). The QSA goes through a set of about 200 controls and evidentiary tasks to make sure a system meets PCI DSS security standards.
Before FreshBooks moved to a Managed AWS Cloud, its entire infrastructure fell within PCI scope and was routinely examined for compliance, not just the payment-processing portion. That meant there were a lot of checkboxes to tick.
An easier way to maintain PCI DSS compliance
“This is going to be the easiest PCI build I’ve ever seen.”
PCI Qualified Security Assessor (QSA)
Moving FreshBooks’ credit card processing application to AWS accomplished two things:
- It segmented payment data from the rest of the infrastructure, shrinking the cardholder data environment and therefore the audit scope; and
- Under the AWS shared responsibility model, it shifted the infrastructure-level requirements (physical security, hosts, hypervisor and the underlying network) to AWS, saving FreshBooks considerable time that they were able to reinvest in supporting their customers. FreshBooks remained responsible for the application itself, its configuration, access control, logging and the other in-scope controls.
“We were using three people to maintain our PCI environment before. That number dropped to one. Now, our engineers can shift their focus to making a better product for our customers.”
Manager of Site Reliability at FreshBooks
With payment data hosted on AWS services covered by AWS’s own PCI DSS Attestation of Compliance, FreshBooks could eliminate several steps of the internal audit process, as the QSA could rely on AWS’s attestation for the infrastructure layer rather than re-examining it, while ensuring all data stayed as secure as it was before.
“When the PCI auditors saw the new, streamlined design, our planned three-hour meeting only took 45 minutes.”
Chief Technology Officer at Deft
Getting the fringe benefits of an AWS cloud
FreshBooks knew that moving payments to the cloud would make a big difference for a global SaaS company. But that was just the beginning.
“The PCI controls that humans were doing before are now automated, so we’re able to spend more time on our core business.”
Site Reliability Engineer at FreshBooks
Instead of connecting all the way back to FreshBooks’ main data center, FreshBooks users are automatically routed to the closest server, making transactions faster.
Additionally, if demand spikes — like, say, around tax time — the application is optimized for autoscaling, so FreshBooks will always have the resources it needs to serve every user.
The new setup also means FreshBooks only has to pay for what it uses. Instead of needing to buy new servers to manage a spike, only to leave them sitting idle during off-hours, FreshBooks pays per hour per container. If there’s very little load, there’s also very little cost, ultimately saving the company money.
Protecting against outages with a disaster recovery plan
Setting up in AWS made it easy to run credit card processing in two environments in parallel. Instead of everything being housed in, and dependent on, the FreshBooks data center, there was now added redundancy.
Deft set up one environment in an AWS Region in the eastern U.S. and one in the western U.S. If one went offline, redundancy and failover would route traffic to the other, and FreshBooks’ global customers would be able to complete online purchases without a hiccup. That’s a big deal, especially when you manage taxes for companies all over the world.