“Just being in the AWS Cloud, where those critical compliance assessments are already done, is a great benefit and a timesaver when we talk to our Qualified Security Assessor, who makes our PCI DSS compliance assessment.”
AWS compliance support enabled Enfuce to be the first fintech company to operate in the cloud with Finnish FSA approval. Enfuce offers Software-as-a-Service solutions to banks, financial institutions, and other fintechs in the payment and consumer finance industry. Enfuce used Amazon CloudWatch for monitoring, Amazon EBS for storage, multiple Availability Zones for failover, and load balancing to maintain 99.99 percent uptime.
Nordic fintech company Enfuce Financial Services offers Software-as-a-Service solutions to incumbent banks, financial institutions, and other fintechs in the payment and consumer finance industry. The solutions include platforms for handling credit card payments and for authenticating customers in line with the Payment Services Directive Two (PSD2) European Union Directive.
Before launching Enfuce, the five cofounders designed, built, and maintained financial products for banks and financial institutions. But the process of creating these systems using on-premises data center infrastructures was time-consuming and costly. It was a painful undertaking. “I was thinking that there had to be a better way,” explains Monika Liikamaa, cofounder and chair at Enfuce. “Then I asked the other cofounders: ‘If we were to do this all over again, how would we run it?’”
Liikamaa had previously worked with Niklas Apellund, chief technology officer and fellow cofounder at Enfuce. It was Apellund’s task to take what they had learned from their previous collaborations and shorten the “horrendously long time”—as Liikamaa puts it—between concept and launch. Apellund says, “I felt that there was so much demand from the market to develop new products faster, but the infrastructure wasn’t enabling this. So we decided to build a platform entirely in the cloud, with a view to making compliance and service creation easy for companies wishing to issue credit cards.”
When it comes to issuing credit cards, Level 1 Payment Card Industry Data Security Standard (PCI DSS) is the primary certification needed. Achieving PCI DSS is no small feat, with 12 requirements needed before certification is issued to on-premises or cloud-based services. After an initial scoping period, Enfuce chose Amazon Web Services (AWS) to help it become certified.
“A key benefit of using AWS is the compliance support, which is amazing,” says Apellund. “Just being in the AWS Cloud, where those critical compliance assessments are already done, is a great benefit and a timesaver when we talk to our Qualified Security Assessor, who makes our PCI DSS compliance assessment.”
AWS enabled Enfuce to deliver savings at scale, thanks to the fact that AWS uses external certification partners and auditors, and it provides a host of compliance workbooks, best-practice docs, and white papers. As a result, Enfuce became one of the first financial service providers in the world to get PCI DSS certification while running its operations in the cloud and was the first cloud-based operator to be approved by the Finnish Financial Supervisory Authority (FSA). “The PCI DSS certification is transportable globally, so we are approved by Visa and MasterCard as well,” Liikamaa explains. “That’s a global certification that we can use.”
When deciding on a cloud provider, the key criteria for Enfuce were speed, security, compliance, and support. The team put Microsoft Azure and AWS head to head. Apellund says, “We were convinced from the beginning that we wanted to run in AWS. We had previous experience with AWS and were really impressed with the community and services. In addition to that, we also valued the compliance support.”
The AWS Shared Responsibility Model, which relieves a lot of the IT management burden from customers, meant Enfuce team could define its own responsibilities in data encryption, security, and issuing passwords. “This was a great benefit,” says Apellund. “When we came into the assessment meetings, we could present a clear diagram of what was checked by AWS and what we needed to do. The assessor was then able to easily scope where responsibility sat, which made certification so much quicker."
Another key to gaining PCI DSS compliance was the secure storage of cardholder data. Enfuce uses Amazon Elastic Block Store (Amazon EBS) volumes for its primary databases, across two Availability Zones, enabling quick failover. “If one Availability Zone fails, we still have the other,” Apellund explains. “This actually happened in the summer, so we got to try that out for real. It was a good practice and failover was seamless.”
Amazon CloudWatch monitors activity across the whole system and offers deep visibility into API calls and log files. This enables the technical team to always have the correct number of Amazon Elastic Compute Cloud (Amazon EC2) instances to handle demand.
When it comes to developing a new financial product, speed is vital. As a project’s duration increases, so too does the cost, and banks are keen to find any way they can to save time. “The biggest benefit of working in the AWS Cloud is the speed,” says Liikamaa. “We can be really fast. For example, when we initiated our Apple Pay project with MasterCard, the company expected the process to take at least six months. We said we could do it in three. And thanks to AWS, we were able to deliver it in less than three months, shortening the project time by more than 50 percent.”
Thanks to the scalable nature of AWS, the time spent implementing and maintaining the architecture was also significantly reduced. Says Apellund, “Instead of building a team for infrastructure, for network and for product development, we have all the competence we need in one team.”
“Previously, as the CIO at a traditional bank, I was running multiple vendors in multiple locations and data centers,” says Liikamaa. “When the business was performing well, and we needed to scale up, it became a huge challenge from an IT perspective. But with AWS, we pay only for what we use. Plus, before we might have needed five different people to install, manage, upgrade, and back up our infrastructure. Now I can have one person doing all that work in three hours. Without these AWS Cloud capabilities, we simply wouldn't exist and we wouldn't be able to provide the services that we do.”