An inherently risky part of running a SaaS subscription business is collecting and storing your customers’ sensitive information long-term—though it’s necessary to process recurring payments automatically. This is a unique challenge that business owners who execute only one-time transactions don’t have to deal with. Obviously, your customers need to be able to trust that their payment details, addresses, phone numbers, and so forth will be safe with you.
But data security is a complicated beast. For example, it’s a massive undertaking to ensure your business is PCI-compliant, even with an experienced in-house IT team tackling the job. Even SaaS giants like Microsoft and Adobe have been targeted by cyberattackers, with the average U.S. breach costing close to $9.5 million—ouch.
Luckily, your business isn’t the first to want to up its cybersecurity game. Many experts in the SaaS and data security industry have shared their knowledge to help you get a better grasp on potential issues you may face with secure subscription payments—and suggest solutions.
Here are pro tips from five industry leaders:
“My cybersecurity strategy was to shift to third party hosted solutions and SaaS so that if a breach were to occur I could point the finger at them.”
Speaking of recurring billing solutions, Rockaway Township Board of Education Chief Technology Officer Abraham Elder shares the importance of knowing when to delegate the security of your subscription payments to a third party.
Especially in the early days of a SaaS startup, it can be tempting to handle your subscription billing using the tools you already have at your disposal—spreadsheets, a legacy software program—or create a bespoke solution in-house.
However, each of these options presents a number of risks:
- Spreadsheets do not have any kind of encryption or other security features
- Older legacy software is generally not updated or maintained, so newly discovered vulnerabilities are not addressed
- Homegrown systems can be very costly (or even impossible) to keep up to date with the latest security features
- Spreadsheets are not PCI-compliant, and it’s extremely difficult to build a compliant DIY system (more on this in the next section)
- If an attack does occur, the blame will land squarely on your shoulders—remember that $9.5 million data breach price tag we talked about? Oof.
All of these risks can be virtually eliminated by outsourcing your recurring payments and data security to a modern billing software solution. Look for one that is purpose-built for handling subscription payments securely and is continually updated to combat emerging threats.
“We’ll see an expectation that data is always encrypted while it’s in use, regardless of how sensitive it might be.”
Microsoft Azure CTO Mark Russinovich speaks to the need for data encryption and confidential computing in B2B SaaS applications. These needs are backed up by the Payment Card Industry Data Security Standard (PCI DSS), which sets the minimum acceptable standards for how cardholder data must be protected.
Failure to comply with these standards can result in a costly breach, a huge blow to your reputation, a loss of customers, and a loss of market share—but the ramifications don’t stop there. You can also be subject to penalties such as:
- fines of up to $100,000 for each month of noncompliance,
- legal action against you and your subscription business, or
- having your business shut down entirely.
How do you avoid these catastrophic consequences?
The easiest way is to choose a recurring payments solution that is built specifically with PCI compliance in mind. Bonus points if the subscription payment system is also SOC 2-compliant, as I’ll discuss next.
“Accustom your employees to security practices. Everyone at your company, whether it is a SaaS startup or an established business, should be aware of the cloud security risks and preventative measures to be used every day.”
This actionable tip comes from Alex Slobozhan, CSO of Freshcode IT. Even the most robust data security practices in the world won’t make a difference if your employees are playing fast and loose with the security guidelines.
Slobozhan elaborates on this, saying, “Simple routines like locking computers while stepping away and using password managers are prime examples of good security practices that often get overlooked. Secure employee accounts with two-factor authentication and encrypt work hardware, including smartphones. Create an onboarding and offboarding list to secure proprietary information and user data when new people join your team and when they leave.”
These types of practices are exactly what you need to do in order to be SOC 2-compliant.
SOC 2 is a data security auditing framework developed by the American Institute of CPAs (AICPA) that’s designed specifically to help service organizations demonstrate the controls that prevent breaches, malware attacks, and extortion.
While SOC 2 compliance is partially the responsibility of business owners and their employees, having a billing solution that is designed with SOC 2 guidelines in mind can help automate and enforce these types of policies. For example, Stax Bill requires end-users to create strong passwords, forces password cycling, and prevents users from viewing or exporting complete credit card numbers.
Entrepreneur, CEO, and SaaS expert Michael Koch makes a valuable point here. In the crowded SaaS subscription space, it’s the small details that set your business apart from your competitors.
Let’s say, for example, you and your closest competitor offer a very similar subscription service at essentially the same price points. You both have excellent customer service and a user-friendly interface. The difference is:
- you’re storing customer credit card information in an Excel spreadsheet, while
- your competitor uses a secure, PCI and SOC 2-compliant, automated recurring payment solution.
While the tech used in the back end of a business wouldn’t be obvious to a customer on the outside, an educated buyer should be asking potential vendors about security features. And if your competitor advertises itself as PCI-compliant, while the PCI digital badge is noticeably absent from your website…well, there’s no question.
Why would a customer risk having their information compromised by choosing your business in this scenario?
Fortunately, a modern, full-scale, secure subscription billing solution isn’t out of reach. Plus, making the switch comes with a whole host of other benefits that can help your business scale efficiently and outperform your competitors at every turn.
I’ll close with this pearl of wisdom from Salesforce co-CEO Marc Benioff. Data security is constantly evolving to keep up with emerging threats and to stay one step ahead of cyberattacks—it’s not a one-and-done type of task.
Rather, data security measures for your subscription billing process should be a continuous effort towards cyber-resiliency, which is most easily achieved through the adoption and implementation of an agile, secure recurring payments solution.
It’s also important to remember that within this article, we’ve only discussed beefing up the security of your business’s accounts receivable (AR) department. Strengthening this aspect of your security is a huge step in the right direction, though it doesn’t necessarily attack-proof your organization as a whole. It’s one piece of a larger puzzle that minimizes your risk as much as possible.