
3 Ways PCI Non-Compliance Can Harm Your Subscription-Based Business

Greg Burwell | July 1, 2021

You have a growing subscription-based business. And while you’ve made some great strides to digitally transform the way your teams operate on a daily basis, your finance team still takes care of your billing in a very manual way.

Using a bunch of different spreadsheets—some for building out invoices, some for storing customer information and credit card numbers—they generally manage to maintain your monthly cycle of recurring customer charges.

But then, one morning, your IT manager calls you to deliver news that makes your stomach drop. There were quite a few suspicious access attempts on your firewall the night before. In fact, one of them was more than just an attempt, and it’s very likely the attacker gained access to the spreadsheet that contains all your customers’ credit card details.

Oh, great. Now you need to reach out to your customers to let them know their information may have been compromised.

Could it get any worse? Unfortunately, yes.

You get a call from your bank. They’d like to investigate your business’s compliance with PCI regulations.

By this point, your head is spinning. You’ve heard the acronym ‘PCI’, but what are these regulations? Should you really have been following them more closely all this time?

What is PCI compliance and how does it affect your subscription-based business?

PCI stands for Payment Card Industry, a body formed by the major credit card brands (Visa, Mastercard, American Express, Discover, and JCB). Its Data Security Standard (DSS) is a set of rules that any merchant accepting credit card payments must comply with.

For a subscription business like yours, compliance looks a bit different than it would for, say, the grocery store down the road.

Why? The nature of recurring billing means you need to store customer credit cards for ongoing transactions. This creates additional complexities because it’s a higher risk model—the simple fact that credit card numbers are being kept on file makes this type of business a more attractive target.

To keep this card information on file and maintain PCI compliance, your business should house it in a credit card vault—a tool that securely stores your customers’ payment information outside of your gateway. Opting to do this through a third-party provider rather than in-house, such as through your subscription billing software, can simplify the compliance requirements for your business.

The real impacts of PCI non-compliance

PCI compliance isn’t law, but it still isn’t optional.

Becoming compliant is tricky and it has surely caused a good number of headaches in the business world. But it exists for good reason.

Complying with the PCI DSS ensures your subscription customers are protected from cyber criminals, and your business is protected from non-compliance fines and other penalties.

And if you don’t comply with the PCI DSS?

Here are three of the more likely repercussions your business risks facing.

1. Heightened risk of a data breach.

A 2020 report from Datto stated 25% of SaaS businesses had been targeted by ransomware that year.

While the news mainly shares stories of big businesses that have fallen victim to cyberattacks—the Adobes and the Dropboxes of the world—the threat of an attack on a startup and any SaaS business in between is just as real.

Cyber crime is, above all, a way for the attacker to make easy money. While they’re aware your small SaaS business probably doesn’t have big corporate money to pay a ransom, they also assume it doesn’t have big corporate security resources, either.

If their assumption is correct and your customer data isn’t encrypted and securely stored, it makes your business a much easier target for a successful attack.

Now, it’s impossible for any business to be completely invulnerable to an attack, but following best practices to put certain measures in place can often be enough of a deterrent.

The PCI DSS lays out requirements for how customers’ sensitive data should be stored. Requirement 3 is entirely dedicated to protecting stored cardholder data. So even if your business is targeted, it becomes much more difficult for this information to be compromised.
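As an added example (not from the article, and not Stax Bill’s software), here is the vault idea from earlier and the Requirement 3 point about keeping stored card data unreadable, shown as working code: a hypothetical toy vault that hands the billing system only a token and a masked number, and a Luhn-based scan that flags raw card numbers left in a spreadsheet like the one in the opening story. The vault, the CSV rows and the test card number are all constructed.

```python
import csv
import io
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def find_pans(text: str) -> list:
    """Return digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_spreadsheet(csv_text: str) -> list:
    """Report (customer, column) pairs where a raw PAN sits in a cell."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if find_pans(val or ""):
                findings.append((row["customer"], col))
    return findings

class ToyVault:
    """Hypothetical vault: the PAN lives here; billing keeps only a token."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> dict:
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        # What the billing record is allowed to keep: opaque token plus masked PAN.
        return {"token": token, "masked": "*" * (len(pan) - 4) + pan[-4:]}

# Constructed sample rows: one customer still has a raw test PAN on file.
SAMPLE_CSV = ("customer,card,notes\nacme,4111 1111 1111 1111,monthly plan\n"
              "globex,tok_0123abcd,annual plan\n")
```

Run `scan_spreadsheet(SAMPLE_CSV)` to see the one offending cell; the vaulted row passes because a token and a masked number carry no PAN to find.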

2. Punishments from the Payment Card Industry.

Cyberattacks are, of course, a relatively new type of crime. But, in 2019, the World Economic Forum named cyberattacks as one of the top five risks to global stability.

So it’s good to know authorities like the Payment Card Industry are taking it seriously.

However, punishments can be harsh, even for businesses that may not be aware they need to comply, ranging from:

  • fines up to $100,000 per month, to
  • legal action, and even
  • being prevented from doing business altogether.

3. Decreased trust in your subscription business.

When a business becomes PCI compliant, it receives an attestation of compliance (AOC) that any potential customer can request to verify the merchant’s compliance. If the AOC doesn’t exist, it’s not a good look.

If data security is important to your potential customers, this may signal to them that your business isn’t a trustworthy option. Instead, they’ll run right into the more secure, waiting arms of your competitors.

“When it comes to the trust your customers place in your company to take care of their personal data, one misstep can cost you countless customers,” wrote Josh Maday, writer for The Future of Commerce.

According to Maday, these missteps with sensitive data could cause 80% of customers to abandon your business.

He continued:

“Misusing customer data or using it without their knowledge is one thing, and hackers stealing that info is another; but in the end it’s all the same to your customers: their data is in the possession of someone they did not choose to trust with that information.”

How automated billing software maintains PCI compliance for subscription businesses

While the effects of PCI non-compliance could be detrimental to your business, becoming PCI compliant can be a complicated and difficult task. So much so that it’s common for businesses to fail on their first or even second attempt.

One silver lining? There’s a perfectly legitimate loophole to make compliance easier.

By working with a PCI-compliant automated billing software provider, your business is able to offload some of the requirements. That’s because the billing software is the one housing the sensitive information, not you. And since the software is already compliant, your customers’ data stays secure, and the Payment Card Industry is satisfied.

For example, Stax Bill maintains PCI Level 1 compliance, which is the highest level of compliance available. It is also audited each year by third parties in order to maintain its certifications and compliance so its customers don’t have to.

The bottom line? It may be a lot of work to attain PCI compliance, but your business could suffer more without it.

Data security is no longer an option. It’s a must-have. Taking security seriously is extremely important—almost equally as important as the actual product or service that you’re offering.


Written by:

Greg Burwell
CTO and co-founder, Stax Bill

Greg is a co-founder and former CTO of Stax Bill. Greg’s storied career in technology has seen him rapidly progress through the ranks of the IT and services industry. He is skilled in cloud technology, IT operations, data center implementation and management, enterprise software, and software development life cycle (SDLC).