3 Ways PCI Non-Compliance Can Harm Your Subscription-Based Business

Nicole Bailey

You have a growing subscription-based business. And while you’ve made some great strides to digitally transform the way your teams operate on a daily basis, your finance team still takes care of your billing in a very manual way.

Using a bunch of different spreadsheets—some for building out invoices, some for storing customer information and credit card numbers—they generally manage to maintain your monthly cycle of recurring customer charges.

But then, one morning, your IT manager calls you up to deliver some news that makes your stomach drop. It seems there were quite a few suspicious access attempts on your firewall the night before. In fact, one of them was more than just an attempt. And it’s very likely the attacker gained access to the spreadsheet that contains all your customers’ credit card details.

Oh, great. Now you need to reach out to your customers to let them know their information may have been compromised.

Could it get any worse? Unfortunately, yes.

You get a call from your bank. They’d like to investigate your business’s compliance with PCI regulations.

By this point, your head is spinning. You’ve heard the acronym ‘PCI’, but what are these regulations? Should you really have been following them more closely all this time?

What is PCI compliance and how does it affect your subscription-based business?

PCI stands for Payment Card Industry; its Security Standards Council was formed by the major credit card brands (Visa, Mastercard, American Express, Discover, and JCB). Their Data Security Standard (DSS) is a set of rules any merchant accepting credit card payments must comply with.

For a subscription business like yours, compliance looks a bit different than it would for, say, the grocery store down the road.

Why? The nature of recurring billing means you need to store customer credit cards for ongoing transactions. This creates additional complexities because it’s a higher risk model—the simple fact that credit card numbers are being kept on file makes this type of business a more attractive target.

To keep this card information on file and maintain PCI compliance, your business should house it in a credit card vault—a tool that securely stores your customers’ payment information outside of your gateway, so that your own systems hold only a reference to the card rather than the card number itself. Doing this through a third-party provider, such as your subscription billing software, rather than in-house can simplify the compliance requirements for your business.
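To make the vault pattern concrete, here is an added example (not code from the article or from Stax Bill) that contrasts the spreadsheet approach with a tokenizing vault. The `CardVault` class is an in-process stand-in for a third-party vault, and `BillingRecords` is the merchant side: it receives only an opaque token and the last four digits, runs the monthly charge by token, and can audit its own records to confirm no full card number (PAN) is stored. The class and function names, the `tok_` prefix, and the test card number are assumptions for illustration.

```python
"""Card vault pattern: the merchant keeps a token, the vault keeps the PAN.
Added example; the vault is simulated in-process and is not a real provider."""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check that card brands use to validate PAN format."""
    digits = [int(d) for d in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form showing only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Simulated vault: the only component that ever sees the full PAN."""

    def __init__(self) -> None:
        # A real vault encrypts this at rest (PCI DSS Requirement 3);
        # here a dict stands in for that protected storage.
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Token is random, not derived from the PAN, so it reveals nothing.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> bool:
        """Resolve the token and (in a real vault) forward the PAN to the gateway."""
        if token not in self._store or amount_cents <= 0:
            return False
        return True


class BillingRecords:
    """Merchant side: stores what the spreadsheet should have held at most."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.customers: dict[str, dict] = {}

    def add_customer(self, customer_id: str, pan: str) -> None:
        ref = self.vault.tokenize(pan)
        self.customers[customer_id] = {
            "token": ref["token"],
            "display": "****" + ref["last4"],
        }

    def run_monthly_cycle(self, amount_cents: int) -> dict:
        """Recurring charge by token; the merchant never handles the PAN."""
        return {
            cid: self.vault.charge(c["token"], amount_cents)
            for cid, c in self.customers.items()
        }

    def contains_pan(self, pan: str) -> bool:
        """Audit helper: True if a full PAN leaked into merchant records."""
        return pan.replace(" ", "") in repr(self.customers)


if __name__ == "__main__":
    vault = CardVault()
    billing = BillingRecords(vault)
    billing.add_customer("cust_001", "4111 1111 1111 1111")  # constructed test PAN
    print(billing.customers)
    print(billing.run_monthly_cycle(1999))
    print("PAN in merchant records:", billing.contains_pan("4111111111111111"))
```

The point of the audit helper is the one a QSA will make: if a customer record can be dumped and a full card number appears, the merchant is storing cardholder data and the whole system is in PCI scope. With the vault pattern the merchant record contains only the token and a masked display value, which is why offloading the vault to a compliant provider shrinks the compliance burden.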

The real impacts of PCI non-compliance

PCI compliance isn’t law, but it still isn’t optional.

Becoming compliant is tricky and it has surely caused a good number of headaches in the business world. But it exists for good reason.

Complying with the PCI DSS ensures your subscription customers are protected from cyber criminals, and your business is protected from non-compliance fines and other penalties.

And if you don’t comply with the PCI DSS?

Here are three of the more likely repercussions your business risks facing.

1. Heightened risk of a data breach.

A 2020 report from Datto stated 25% of SaaS businesses had been targeted by ransomware that year.

While the news mainly shares stories of big businesses that have fallen victim to cyberattacks—the Adobes and the Dropboxes of the world—the threat of an attack on a startup and any SaaS business in between is just as real.

Most cyber crime is committed to make easy money. Attackers know your small SaaS business probably doesn’t have big corporate money to pay a ransom, but they also assume it doesn’t have big corporate security resources, either.

If their assumption is correct and your customer data isn’t encrypted and securely stored, it makes your business a much easier target for a successful attack.

Now, it’s impossible for any business to be completely invulnerable to an attack, but following best practices to put certain measures in place can often be enough of a deterrent.

The PCI DSS lays out requirements for how customers’ sensitive data must be stored. Requirement 3 is entirely dedicated to protecting stored cardholder data. So even if your business is targeted, it becomes much more difficult for this information to be compromised.

2. Punishments from the Payment Card Industry.

Cyberattacks are, of course, a relatively new type of crime. But, in 2019, the World Economic Forum named cyberattacks as one of the top five risks to global stability.

So it’s good to know authorities like the Payment Card Industry are taking it seriously.

However, even for businesses that may not be aware they need to comply, punishments can be harsh, ranging from:

  • fines up to $100,000 per month, to
  • legal action, and even
  • being prevented from doing business altogether.

3. Decreased trust in your subscription business.

When a business becomes PCI compliant, it receives an attestation of compliance (AOC) that any potential customer can request to verify the merchant’s compliance. If the AOC doesn’t exist, it’s not a good look.

If data security is important to your potential customers, this may signal to them that your business isn’t a trustworthy option. Instead, they’ll run right into the more secure, waiting arms of your competitors.

“When it comes to the trust your customers place in your company to take care of their personal data, one misstep can cost you countless customers,” wrote Josh Maday, writer for The Future of Commerce.

According to Maday, these missteps with sensitive data could cause 80% of customers to abandon your business.

He continued:

“Misusing customer data or using it without their knowledge is one thing, and hackers stealing that info is another; but in the end it’s all the same to your customers: their data is in the possession of someone they did not choose to trust with that information.”

How automated billing software maintains PCI compliance for subscription businesses

While the effects of PCI non-compliance could be detrimental to your business, becoming PCI compliant can be a complicated and difficult task. So much so that it’s common for businesses to fail on their first or even second attempt.

One silver lining? There’s a perfectly legitimate loophole to make compliance easier.

By working with a PCI-compliant automated billing software provider, your business is able to offload some of the requirements. That’s because the billing software is the one housing the sensitive information, not you. And since the software is already compliant, your customers’ data stays secure, and the Payment Card Industry is satisfied.

For example, Stax Bill maintains PCI Level 1 compliance, which is the highest level of compliance available. It is also audited each year by third parties in order to maintain its certifications and compliance so its customers don’t have to.

The bottom line? It may be a lot of work to attain PCI compliance, but your business could suffer more without it.

Data security is no longer an option. It’s a must-have. Taking security seriously is extremely important—almost equally as important as the actual product or service that you’re offering.


Quick FAQs about PCI Compliance

Q: What is PCI compliance?

PCI stands for Payment Card Industry. Its Data Security Standard (DSS) is a set of rules that every merchant accepting credit card payments must adhere to. Complying with the PCI DSS ensures that your subscription customers are protected from cyber criminals, and your business is protected from non-compliance fines and other penalties.

Q: Why is PCI compliance important for a subscription-based business?

The nature of recurring billing in a subscription-based business requires storing customer credit card details for ongoing transactions. This creates a higher risk model as the credit card numbers kept on file make this type of business a more attractive target for cyber criminals. Hence, to protect customer data, PCI compliance becomes crucial.

Q: What happens if a subscription-based business is not PCI compliant?

Non-compliance with PCI DSS can lead to severe repercussions. These can range from fines up to $100,000 per month, legal action, and even being prevented from doing business altogether. Non-compliance can also lead to loss of customer trust and reputation damage, which can affect the business significantly.

Q: What happens if a PCI non-compliant business suffers a data breach?

In the event of a data breach, a non-compliant business may need to reach out to its customers to inform them that their information may have been compromised. This not only damages the business’s reputation but also exposes it to potential legal action and fines.

Q: How can a subscription-based business ensure PCI compliance?

To ensure PCI compliance, a subscription-based business should securely store customer credit card information outside of its gateway, ideally in a credit card vault. Businesses can also opt to achieve compliance through a third-party provider such as a PCI-compliant automated billing software provider, which can simplify the compliance requirements.

Q: What is a credit card vault in the context of PCI compliance?

A credit card vault is a tool that securely stores your customers’ payment information outside of your gateway. Using such a tool helps ensure the data is safe and helps maintain PCI compliance.

Q: What is an Attestation of Compliance (AOC) in PCI compliance?

When a business becomes PCI compliant, it receives an Attestation of Compliance (AOC), which any potential customer can request to verify the merchant’s compliance. The presence of an AOC can instill trust in potential and existing customers.

Q: What is the impact of PCI non-compliance on customer trust?

Non-compliance with PCI regulations can lead to a loss of customer trust. If potential customers feel that their data security may be compromised, they may choose to do business with a competitor who demonstrates better security practices.

Q: What can businesses do to simplify the process of becoming PCI compliant?

Businesses can simplify the process of becoming PCI compliant by working with a PCI-compliant automated billing software provider. This allows the business to offload some of the requirements as the billing software is the one housing the sensitive information, not the business itself.

Q: How does PCI compliance relate to data security?

Data security is a critical aspect of PCI compliance. The PCI DSS lays out requirements for how customers’ sensitive data must be stored. Compliance with these standards ensures that even if a business is targeted by cyber criminals, it becomes much more difficult for this information to be compromised.

Written by:

Nicole Bailey
Customer Success Manager, Stax Bill