Today, Bryan Johnson, CEO of Braintree Payment Solutions, wrote an open letter to Authorize.NET and PayPal about the importance of credit card portability. It's a major problem in the industry that affects us as well. At Recurly, we're proud to join the Credit Card Data Portability Standard initiated by Braintree.
For whatever reason, if you use Recurly and you decide to use another provider down the road, we will return to you all your credit card data in a secure, encrypted format. Your customer data belongs to you and we are not going to hold your data hostage.
The Dangers of Authorize.NET CIM
Once upon a time, a previous company I worked with used Authorize.NET's CIM to store credit card numbers for all their customers. Unfortunately for the company, they were too successful... their revenue grew and there were zero chargebacks. With increased revenue, the merchant bank became concerned with the increase in liability. So, the bank closed the merchant account. No big deal, except the company signed up for an Authorize.NET account through a referral from a bank. That prevented Authorize.NET from letting the company switch merchant accounts. Authorize.NET's answer: go get a new payment gateway account and bank account. Oh, and forget about ALL of your customer's credit card numbers.
With today's payment providers, there is little reason for a merchant to ever store the sensitive credit card numbers. However, you should carefully consider whether you own your card data when you pick a payment provider. Braintree will return your card data to your company. Recurly will too.
This idea is not new to Recurly. Since day one, we have been willing to return any data to any client. I want to thank Bryan for doing his part to educate the market.