FreshBooks

Read how FreshBooks simplified PCI compliance processes and bolstered its availability with Deft.

The all-new FreshBooks is accounting software that makes running your small business easy, fast and secure.

Industry: Finance, SaaS
Location: Toronto, Canada
Customer since: 2018

Simplifying the PCI compliance process for FreshBooks

FreshBooks helps businesses spend less time on accounting and more time doing the work they love. With this as their mission, it only makes sense that the cloud accounting software company would apply the same logic to its cloud and IT infrastructure.

FreshBooks had been successfully hosting its own credit card processing and maintaining an entire PCI DSS-compliant environment for its payment app. But preparing for the annual PCI audit was time-consuming.

FreshBooks saw an opportunity to migrate its credit card processing to a cloud environment that could take on many of its PCI compliance functions. As a trusted cloud partner, Deft was asked to help manage the transition.

What the environment looked like before 

When FreshBooks hosted its own bare metal environment in air-gapped data centers, it treated cardholder data as radioactive. The team went to great lengths to keep it from mixing with other systems and networks. While the method kept credit card data safe, it took up a lot of time.

“We can’t innovate in hosting cardholder data — that’s just not something we can even try to do. What we can do is write an intelligent application for processing cardholder data, and do our due diligence in making sure it’s hosted in a PCI-compliant manner.”

Stephen Freudenthaler, Site Reliability Engineering Manager at FreshBooks

To achieve PCI compliance, a company typically needs to set aside a considerable amount of time, including at least a full day to meet with a Qualified Security Assessor (QSA). The QSA goes through a set of about 200 controls and evidentiary tasks to make sure a system meets PCI DSS security standards. 

Before FreshBooks moved to the cloud with Deft, its entire infrastructure was in scope for the routine PCI assessment rather than only the payment-processing portion. That meant there were a lot of checkboxes to tick.

An easier way to maintain PCI DSS compliance

“This is going to be the easiest PCI build I’ve ever seen.”

PCI Qualified Security Assessor (QSA)

Moving FreshBooks’ credit card processing application to the cloud accomplished two things:

  • It separated payment data from the rest of the infrastructure; and
  • It shifted the bulk of the PCI requirements onto the cloud environment, saving FreshBooks considerable time that it reinvested in supporting its customers.

“We were using three people to maintain our PCI environment before. That number dropped to one. Now, our engineers can shift their focus to making a better product for our customers.”

Stephen Freudenthaler, Manager of Site Reliability at FreshBooks

With the Deft-managed cloud securely hosting all payment data — and already approved as PCI-compliant — FreshBooks could eliminate several steps of the internal audit process while keeping all data as secure as it was before.

“When the PCI auditors saw the new, streamlined design, our planned three-hour meeting only took 45 minutes.”

Eric Dynowski, Chief Technology Officer at Deft

Getting the fringe benefits of a compliant cloud

FreshBooks knew that moving payments to the cloud would make a big difference for a global SaaS company. But that was just the beginning. 

“The PCI controls that humans were doing before are now automated, so we’re able to spend more time on our core business.”

Jeff Dawson, Site Reliability Engineer at FreshBooks

Instead of connecting all the way back to FreshBooks’ main data center, FreshBooks users are automatically routed to the closest server, making transactions faster.

Additionally, if demand spikes — like, say, around tax time — the application is optimized for autoscaling, so FreshBooks will always have the resources it needs to serve every user. 

The new setup also means FreshBooks only has to pay for what it uses. Instead of needing to buy new servers to manage a spike, only to leave them sitting idle during off-hours, FreshBooks pays per hour per container. If there’s very little load, there’s also very little cost, ultimately saving the company money.

Protecting against outages with a disaster recovery plan

FreshBooks now runs its credit card processing in two environments. Instead of everything being housed in — and dependent on — the FreshBooks data center, Deft set up one environment in the Eastern region of the U.S. and one in the West.

If one region goes offline, redundancy and failover capabilities kick in. FreshBooks’ global customers can now complete online purchases without a hiccup. 

Deft, a Summit company

2200 Busse Rd.
Elk Grove Village, IL 60007
+1 (312) 829-1111