Data portability
Hi,
Could you let me know if / how you have addressed card data portability? Taking the following scenario (and with the chargify.com price hike fresh in my mind) could you let me know what would happen:
- I integrate with CheddarGetter because I'm a big fan of cheese
- My company grows steadily and I have 7,000 paying customers happily being recurringly billed through CheddarGetter
- Then, shock horror, you hike your prices (notwithstanding your Grandfathering commitment), and I decide to move to hmm, recurly.com
- What happens to my clients' card data? It's mine, right? Even if it's encrypted and stored by you in a PCI compliant way? So I should be able to agree with you to transfer the data to my new provider (provided they're PCI-compliant and are able to understand your datafile)
So yes, put simply. By electing to integrate with CheddarGetter am I locking myself in to a major gotcha in the future, with you holding my payment data ransom?
(I do hope not, as I really am a big fan of cheese).
Cheers,
Karl
Support Staff 1 Posted by Marc Guyer on 21 Oct, 2010 07:16 PM
Ok, unfortunately the answer to that question isn't straightforward. First of all, CG does not currently store cardholder data. We leverage the data vault services of the gateways. That means we are dependent upon the gateways' data portability policies.
Authorize.Net
If you use Authorize.Net, they will not let you have your customers' card data. You might be able to talk them into it if you try extra hard. That said, as long as 1) you're ok with staying with Authorize.Net as the gateway and, 2) you want to move to another subscription billing service provider and, 3) the service provider you've chosen is compatible with the Authorize.Net CIM system then there is likely a migration path for you. I know that there is from CG. You can autonomously pull all of the CG data which includes the data vault tokens. In the case of the Authorize.Net CIM, there are 2 for each customer: 1 for the customer and another for the customer's payment profile.
CheddarGateway
If you use CheddarGateway, you have the option to enable the Data Decryption service. In order to enable the service, you must first provide your PCI compliance certification. To my knowledge, you cannot pull the card data in bulk (via an API). It is only available in the merchant GUI interface. If you have 7000 credit cards to retrieve, that could prove to be a laborious task. It is, however, possible. I suppose it's also possible with some extra effort to convince the gateway provider to give you a bulk list. That remains to be seen.
Support Staff 2 Posted by Marc Guyer on 21 Oct, 2010 07:18 PM
Ah, I see that you're in the UK. Assuming your merchant account is not based in the US, Authorize.Net isn't an option for you anyway. We can help you get set up with CheddarGateway, however. Let us know what you decide!
3 Posted by Karl on 22 Oct, 2010 12:20 PM
Marc,
Thanks for your detailed response. Yes, I'm UK-based and so Authorize.net isn't an option for me.
With regards CheddarGateway... isn't that you guys? So can't you control this a lot more? From the way you're speaking I get the impression that CheddarGateway is separate from CheddarGetter.... I realise that CheddarGateway is new, but I think you need to provide more information on the relationship between the two companies (if indeed they are separate) and more details on the gateway itself (fees, overview, features, etc). Either a separate site, or at least an individual page on your current site.
Braintreepaymentsolutions has made much of its data portability standard, which I think (assuming it works) is a nice thing for other subscription billing companies to work towards. (Braintree is not an option for me as they are also only US-based).
Regards,
Karl
Support Staff 4 Posted by Marc Guyer on 25 Oct, 2010 02:32 PM
CheddarGateway is a private label of NMI gateway technology. In other words, we have a close relationship with NMI but not much control over their policies.
We're working on this.
5 Posted by Karl on 25 Oct, 2010 03:13 PM
Thanks for your answers. I look forward to seeing more on CheddarGateway when you get a chance.
Regarding my initial question: data portability. Is this something that you plan to actively address, or is the manual decrypt and export going to be my only option? (I don't really hold out much hope for getting a bulk export from a 3rd party provider).
Thanks,
Karl
Support Staff 6 Posted by Marc Guyer on 25 Oct, 2010 07:13 PM
We would like to be able to provide bulk portability but unfortunately we have to rely on the provider. Storing credit cards ourselves would be the only option which is cost prohibitive and would certainly translate to a much higher cost to the merchant.
7 Posted by Karl on 28 Oct, 2010 03:23 PM
OK. Thanks for your help with this. I guess we can close this thread, but if you do ever find out more from NMI regarding card data portability, then I'd appreciate knowing about it.
Support Staff 8 Posted by Marc Guyer on 28 Oct, 2010 03:41 PM
Ok, I'll resolve this thread. Rest assured that if we ever do get NMI to make this easier, we'll make a lot of noise. The weird thing is that they already provide the decryption service, they just don't provide it in bulk. In other words, they've already taken a step in the right direction but are still hanging onto the idea of making it difficult. I think it's clear that the value of the merchant's comfort in knowing that the data is available is greater than the value to NMI of making it difficult to leave.
Marc Guyer closed this discussion on 28 Oct, 2010 03:41 PM.