SaaS Versus On-Premise: Security, Updates, and PCI Compliance



One of the most fundamental platform decisions companies have to make is whether to use a software-as-a-service (SaaS) platform, which means outsourcing hosting and backend management to a company specializing in eCommerce, or to select a platform that requires the retailer to provide on-premise hosting and management.

eCommerce companies are subject to a massive amount of scrutiny when it comes to security and compliance, which is understandable when you consider the volume of credit card data that passes through online merchants’ databases. Ensuring your eCommerce platform is as secure as possible means keeping up with security patches, updates, and PCI compliance standards. Since neither type of platform is inherently safer, your decision will rest on whether you prefer to have control over updates and compliance auditing or whether you want an eCommerce provider to handle those things for you.


If you choose an on-premise eCommerce platform, your IT team will be responsible for conducting updates, maintenance, and PCI compliance. Keep in mind that each time the platform releases an update, you’ll need to install it on all licenses individually. You will also need to apply patches to any plugins you’re using and run a thorough quality assurance check to make sure nothing unexpected has been impacted by the updates.

Whether you’re using open-source or commercial eCommerce software, some or all of the responsibility for your company’s PCI compliance will rest on your team’s shoulders. This includes building and maintaining a secure network, developing PCI policies, conducting PCI-related meetings, analyzing code, sketching flowcharts, and writing PCI reports on an ongoing basis. For larger teams that want more ownership of this process, it can make sense. However, it’s important for lean or mid-sized organizations to fully weigh the time and skill needed to manage this very important part of their eCommerce business.


With a SaaS platform, updates, maintenance, and PCI compliance are covered for you. This is obviously the easier choice for businesses that don’t have the bandwidth to build out a team to handle these tasks. Since the eCommerce provider is responsible for PCI compliance, you are protected from payment card data breaches and don’t have to worry about the costs and hassles of managing compliance yourself.


SaaS eCommerce platforms take a lot of the pain out of security and maintenance. This is a major reason why even larger companies choose to use a trusted SaaS eCommerce partner rather than build an on-premise system.

For mid-sized companies, the choice between SaaS and on-premise is not terribly difficult. In addition to being more cost-effective, SaaS eCommerce platforms save time, complexity, headcount, and a great deal of uncertainty, all of which add up to a compelling packaged solution for growing businesses. Where the decision becomes more complicated is for larger organizations, for which staffing, expense, and complexity are less of an obstacle. On-premise solutions are endlessly flexible and give companies complete access to their source code and customer database—a benefit for enterprises who need to do real-time data mining. However, SaaS platforms are also highly customizable, are far more cost-effective, and enable enterprises to go to market much faster.

For more information on the total cost of ownership, business system integration, time to market info, and more, you can download the complimentary JBS/BigCommerce white paper SaaS Versus On-Premise: The eCommerce Platforming Showdown.
