Subscription management and recurring billing solutions

PCI Compliance & SubscriptionBridge

How PCI compliance relates to the SubscriptionBridge system
PCI standards

Credit cards are not stored by SubscriptionBridge. Isn't it PCI compliant by default?

No. Since it contains a hosted checkout system (regardless of whether you use it), it is considered a "payment application", and therefore must undergo PCI-DSS validation (any other service that contains a hosted payment page must do the same: don't let other companies mislead you).

Your business and PCI compliance

SubscriptionBridge is not a stand-alone system. On one side, it connects to your business (e.g. your Web site). On the other side, it connects to the payment system that you decided to use for processing recurring payments (e.g. Authorize.Net Automated Recurring Billing). For your entire business to be PCI compliant, you need:

  • A PCI-DSS validated recurring billing system
    No problem here: SubscriptionBridge has been PCI-DSS validated.
  • A PCI compliant payment gateway
    No problem here either! All the payment systems used by SubscriptionBridge are PCI compliant.
  • A PA-DSS e-commerce system (if applicable)
    If you are using the hosted checkout system that is built into SubscriptionBridge, this does not apply.
    If you are using another shopping cart, that application becomes part of the payment process (e.g. that's where customers check out when they order a subscription), so that system needs to be PA-DSS validated (PA stands for "payment application").

In all cases, you should take the PCI DSS self-assessment questionnaire to find out if there are things you need to do (e.g. change some internal procedures) so that you - as a business - are PCI compliant.