Software as a Service affects compliance with a number of regulations, but the most notable is the Payment Card Industry Data Security Standard (PCI DSS). This standard explicitly calls for "service providers" and merchants of any size to be compliant and to acknowledge their responsibility for protecting client credit card data, and it requires that each client of a hosting provider have access only to its own cardholder data environment. Because SaaS providers serve many customers, a user's or company's data may sit on the same servers as someone else's data, potentially a competitor's. Additionally, the access controls for this data sit in the hands of the provider, meaning that login credentials are stored on the provider's servers.
While providers can claim that these credentials are secure, careful management of user accounts is imperative when the provider handles authentication. "Access has to be revoked for users leaving the company, which is easier when done in-house" by the company's own systems (Cloud). Direct integration with the company's directory services for authentication is an option now available from a number of service providers, so that an account disabled in the company's directory loses access to the SaaS application as well. Finally, since auditors and regulators may request access to logs for PCI compliance, it is important to negotiate access to the provider's internal logs as part of your service agreement, both to simplify ongoing monitoring and to have the evidence available in the event of an investigation.