Data Hostaging in the Payment Processing World. You may have heard of someone’s computer being hijacked with messaging demanding they pay for alleged wrongdoings or to be able to get important data back. Typically referred to as Ransomware, this malware holds your computer hostage by encrypting its data or by making it inaccessible in some way. The user is then hit then demands to pay ransom money to the cybercriminal who installed the malware. For more information a good post by Andy O’Donnell [http://netsecurity.about.com/bio/Andy-O-Donnell- 82564.htm] is at: http://goo.gl/3ymh6d.
In the payment processing space there is another form of data hostaging. In most cases businesses don’t know that data they believe is theirs really is owned or controlled by their payment gateway and/or merchant account provider. Unfortunately the only time the business discovers this is when they ask their provider for full customer credit card data.
There are multiple reasons why a business would want this. One very common reason is they are leaving one SAAS/software provider for another. E.g., they might want to move from QuickBooks to FreshBooks or vice versa. With the proliferation of technology providers and new solutions this need for data migration becomes increasingly important. Another common data exchange scenario is the business wants to change their merchant account provider from eg FirstData to Global. If the credit card processing is accomplished via a gateway with multiple back end processor integration [like FirstData| Vital | Global etc. the ability to change processors without migration concerns is mitigated.
Unfortunately for many businesses and either their gateway provider or SAAS provider the fact that the business may not be able to get what they consider to be their data is not known until the business owner desperately needs that data.
Consider the business owner selling all or part of his business. If that business assets includes recurring billing customers then without the payment data associated with that customer the business owner has no asset to sell. In certain industries like the security/alarm space it is relatively common to see a sales organization acquire a customer and then sell that alarm monitoring recurring billing account to another provider. Clearly the billing information is critical. Not having a defined compliant method to exchange this sensitive data can create significant issues.
The data exchange problem is of course data security. With PCI [Payment Card Industry] requirements that data be handled and stored securely [https://www.pcisecuritystandards.org/] the handover of this data must be done while remaining in compliance.
To remain compliant full card data must be exchanged in a secure manner. If two payment processors are involved both must be Level1 PCI compliant. The card data MAY be provided to the business if the business has fulfilled its PCI requirements.
So there are definite ways that data exchange MAY happen. If your gateway provider or SAAS partner has a defined plan to exchange data with another Level 1 PCI compliant partner and the receiver of the sensitive data also can accommodate the transfer you are in luck and the process can move forward.
Unfortunately we have seen first hand multiple instances where this process was either significantly delayed or in some instances was not successful. Not surprisingly the root issue with moving that credit card data is the processor holding the data will see a loss of business and the ensuing revenue stream. There are some well-known industry names that if you were to call and ask about the data migration process the reply would be a flat “We don’t do that”. PCI concerns will be sited and as much as the business owner pleads the response does not change. Even if legal action is threatened there is no movement as the gateway/SAAS/merchant account provider knows the contract the business owner signed spells out their right to hold the data.
Even if you are lucky enough to get your provider to agree to migrate the data you may still be forced to wait [we have seen 3 months or more] and may have to pay significant fees [$5000 from certain providers].
If you are using a payment aggregator or payment facilitator [PayFac] like Stripe or PayPal they own the customer data and it is highly unlikely you will ever be able to obtain payment related data.
The PayFac model allows service providers like PayPal or Stripe to create credit card merchant sub accounts on the fly. The issue is that they also control the customer payment experience. The business must decide if the ease and quick account set up are worth giving up control of the customer’s payment information. For one-time payments the aggregation model may be attractive. For recurring billing needs thought must be given as to whether the PayFac provider will be your forever partner.
The business must be proactive in understanding their payment partners data migration policies. As you might expect it would be rare to hear “Thank you for partnering with ABC for managing your recurring billing needs. Just so you know we will never provide any customer data if you leave-settle in for the long haul.”
Whether you are in the process of choosing a provider or have been using a solution for years you need to discover what options you have should your business needs change. In today’s world where new technologies and tools emerge daily you might have a need to change as well. In addition if an exit strategy is on the horizon you don’t want data to destroy your ability to sell your company. As a SAAS provider your clients will look to you if there are issues with obtaining data. Your business needs to understand and let your users know about potential issues if they are in need of “their” payment data.
About Agile Payments: Agile Payments [AgilePayments.com] has been strategically partnering with SAAS and software companies for over 15 years. Agile has helped these same partners add millions to their bottom line. The ability to deliver value for the SAAS provider and just as importantly their client base is their competitive differentiator. For more information and how your company can take advantage visit AgilePayments.com.