
3 posts from October 2008

10/30/2008

The Economic Downturn and SaaS Companies - Part 1

The SaaS industry has the potential to grow in an economic downturn.

Large capital projects are the first casualties when an enterprise trims costs.  SaaS offerings limit capital expenditure and IT infrastructure, offer fast implementation cycles, and allow companies to limit and adjust licensing volumes.  SaaS is exactly the type of solution that can pass internal executive reviews when money is tight.  When SaaS companies compete against traditional software implementations, SaaS products should win these deals.

How should a SaaS company change its operations to reflect the new economic downturn?

There are many common operational changes that any company will need to make in an economic downturn; the points below are particularly key to a SaaS company:

  1. Achieve cash-positive business operations.  Rationalize spending and eliminate cash burn until the capital markets improve. If VC funding is planned in the next 12 to 24 months, manage cash so that you can do without it.
  2. Utilize partners and channels to expand sales.  The downturn will provide additional competitive advantage to SaaS companies over traditional on-premise apps.  However, the downturn and the need to preserve cash make it difficult to expand a sales and marketing team to take advantage of the opportunity.  Partner and channel sales can provide increased reach with a success-based reward structure.  Ensure robust systems are in place to track the revenue splits and provide transparency to upstream and downstream partners.
  3. Purchase SaaS products.  Focus on core competencies and outsource or rent the rest.  Do not become a billing and e-commerce expert or build out a major data center; find other SaaS companies to purchase these products from and focus limited resources where they add the most value: the core product.
  4. Capture all revenue possible per customer.  Do not leave money on the table through inefficient or manually intensive billing and subscription management processes.  Ensure customers can add and upgrade products online, simplify the contracting process, and actively entice additional revenue from existing clients.

10/08/2008

PCI Compliance - What is it?

Most of us have heard of the PCI standard. Some of us have gone through the implementation and maintenance of a PCI compliant system. If you're not familiar with the standard, and what it entails, let me shed a little light on the subject.

PCI, or rather, PCI-DSS, stands for Payment Card Industry Data Security Standard. It is a set of requirements introduced by the PCI Security Standards Council (composed of members that represent American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) in an effort to ensure the protection of credit card data by organizations that handle the data, such as online stores and billing companies.

What kinds of things are covered by the standard? Well, as a short list: a secure network, protection (encryption) of cardholder data, maintenance of a vulnerability management program, strong access control measures, and regular testing of the systems and their security. There are other great sites that provide detail on the standard; pcianswers.com, for example, has a good overview.

Clearly, the list crosses the boundaries between operations and development and requires a focused effort to achieve compliance.

So, what should you do if you want to handle credit card data? Well, if you have the operational and development skills in house and, more importantly, the time, compliance is achievable. Our company was fortunate to have not only a development department but a capable operational department and control of our own datacenter. Often, software-focused organizations do not have access to the operational knowledge to ensure all the security measures are in place, or to get them in place. At the very least, depending on your transaction volume, you will need to bring in a third party to actually carry out the required audits.

Be prepared for the ongoing maintenance and updates that come along with PCI compliance. In addition to the scans of the system that must be carried out on a regular basis by an external party, the standard is evolving. For example, by the end of June 2008, the standard required that application-level firewalls be in place in addition to the network-level firewalls.

PCI is a good standard, and the maintenance of our compliance makes use of all of our available technical and procedural skill sets. For those of you just getting involved with the standard, take a close look at all that it entails, and be sure you have the skill sets available to become compliant.

10/01/2008

Session Control - Does anyone know if we've been paid?

I wrote another post the other day about the key questions facing SaaS marketers.  I talked about Consumer versus Enterprise billing and about Direct versus Channel marketing models.  Overlaid on all of these choices, we have the concept of Session Control.

We implement Session Control through a component of our application called the "Session Manager".  It's an optional service but virtually all of our existing clients use it.

If you're a do-it-yourselfer and your application keeps track of users and sends data to the billing application (wherever it is), session management is done by the application itself.  If a customer doesn't pay their bill, someone in a place of authority has to take action to disable access to the application until they pay. 

If you have a small number of customers, the "someone" is probably in your accounting department and they call or email someone at the hosting company to pull the plug for a while.  It's a workable model for a small business, or if you don't care about timely payment.  It may sound odd, but if the customer has a perpetual license, for instance, or it's your corporate parent, there's no payment to wait for and session management is unnecessary.  Manual control doesn't scale beyond a few customers, though: it becomes pretty labor-intensive as you grow.

What our Session Manager does is automate the control process and close the loop on payments.  After an account is set up for a new customer, the application and the Session Manager constantly swap messages about who's using the system (is this user that just logged in an authorized user?) and tracking the necessary billing data.  The Session Manager also monitors the payment queue to track whether the account is up to date.

The real value of the Session Manager becomes evident on that fateful day that a customer doesn't pay their bill.  Then the Session Manager uses the client's business rules to decide how to respond.  If the rules say that the customer is supposed to get daily "payment due" reminders and be allowed 30 days to catch up, then the Session Manager sends advisory messages to your administrative managers and implements that strategy without human intervention. 

At 31 days, if the account is still delinquent, an eerie silence descends on the freeloading users as the service is suspended pending settlement of the outstanding account.  While payment-due notices always get attention, a service suspension usually gets a response that a whole blizzard of notices just can't summon.
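To make the loop concrete, here is an added illustration (not Monexa's Session Manager code) of the two halves described above: the daily delinquency check driven by the 30-day rule from the post, and the login-time "may this user proceed?" answer it feeds. The class and function names and the sample dates are assumptions constructed for the example.

```python
# Added illustration of the Session Manager's dunning loop; not Monexa's code.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class DunningRules:
    grace_days: int = 30      # days past due the customer may take to catch up (per the post)
    reminder_every: int = 1   # days between "payment due" reminders (daily, per the post)

@dataclass
class Account:
    oldest_unpaid_due: Optional[date]  # None: the payment queue shows the account is current
    suspended: bool = False

def evaluate_account(acct, rules, today):
    """One daily pass of the Session Manager over an account; returns the actions to take."""
    if acct.oldest_unpaid_due is None:
        return ["reinstate"] if acct.suspended else []   # payment arrived, lift any suspension
    days_late = (today - acct.oldest_unpaid_due).days
    if days_late <= 0:
        return []                                        # not yet due
    if days_late > rules.grace_days:
        return [] if acct.suspended else ["suspend", "notify_admin"]  # day 31+: suspend once
    if days_late % rules.reminder_every == 0:
        return ["remind_customer", "notify_admin"]       # inside the grace window
    return []

def apply_actions(acct, actions):
    """State changes implied by the actions; the notices themselves go out elsewhere."""
    if "suspend" in actions:
        acct.suspended = True
    if "reinstate" in actions:
        acct.suspended = False

def authorize_session(acct, user_authorized):
    """Answer to the application's login-time question: may this user proceed?"""
    if not user_authorized:
        return False, "unknown user"
    if acct.suspended:
        return False, "service suspended pending settlement"
    return True, "ok"

def run_scenario():
    """Constructed walk-through: invoice due 1 Sep 2008, checked on three later dates."""
    acct, rules, log = Account(oldest_unpaid_due=date(2008, 9, 1)), DunningRules(), []
    for today in (date(2008, 9, 15), date(2008, 10, 1), date(2008, 10, 2)):
        actions = evaluate_account(acct, rules, today)
        apply_actions(acct, actions)
        log.append((today.isoformat(), actions, authorize_session(acct, True)[0]))
    return log
```

Running `run_scenario()` shows reminders on day 14 and day 30 with logins still allowed, then suspension on day 31, after which the authorization answer flips to denied until the payment queue clears the account.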

For any business model where customers pay on a monthly pay-as-you-go basis, session control makes a lot of sense.  It's one less administrative task for the accounting group, and one more control that keeps you from giving your stuff away through inattention to administrative detail.

Monexa Subscription Billing Blog

Welcome to the Monexa Subscription Billing blog. You'll see opinions here from a number of Monexa employees on topics ranging from general SaaS and cloud happenings to specifics on PCI compliance and other subscription billing and recurring payments topics.