subscription data risk management

It’s one of the payment industry’s ugly secrets and for companies with a business built on subscriptions, it’s a revenue and business continuity risk that needs very close attention.

Erich Litch, President & COO 2Checkout

The problem is that some company databases are virtually held hostage by their service providers, and that has to change according to Erich Litch, President and COO of global payments leader 2Checkout.

“In order to ensure business continuity when changing technology or payments providers, merchants need to pay attention to several categories of data and understand what rights they have over each data type to get more control over their subscription business,” Litch said.

McKinsey estimates that more than 15% of online shoppers are enrolled in some form of subscription plan, covering music, movies, fashion and even razor blades. As many as 77% of online software sales are now subscription-based, and the growth trajectory for subscription revenue models points upward.

As the subscription economy matures, Litch expects to see more and more incidents of payments and technology providers holding buyer data hostage.

Your data may be held hostage

Some companies with substantial subscription revenue may not even be aware their databases are not their own property and are in fact owned by their service provider.


The problem will often surface when companies are looking to change or introduce new technologies, switch payment providers, or change other key business operations.

That’s often when companies find their data isn’t portable and sometimes isn’t even owned by them.

“The problem arises when a merchant decides to use another provider for its subscription business and wants to transfer existing subscriptions to the new provider. We see many examples where the existing provider puts up roadblocks in making that transfer or just flat out refuses to provide the data. This usually is a result of merchants not having the experience to request the right stipulations regarding the right for data transfer and terms of data transfer in their contracts BEFORE they start working with a certain provider,” Litch said. 

What data is key to business continuity?

To ensure business continuity, he suggests merchants pay close attention to subscription-related data such as start date, expiration date, recurring enabled (Y/N), product code, price or price options, and billing cycle units.


The key data also includes customer-related fields such as name, company name, address and language, and transaction-related fields such as purchase date, payment method used, payment-specific data, order amount/billing cycle value, currency, order reference, next billing date and contract period.

“Contract language is important to start with. It’s critical to have ‘the right to transfer data’ included in the contract,” Litch said.

“In addition, the merchant should have some provisions outlining the method to determine the pricing of the data transfer and the process to make the transfer. Some providers have quoted substantial fees for data transfers that make the transfer cost-prohibitive. These fees usually have no relation to the actual costs incurred by a provider to make the data transfer,” he added.

What data is critical to business continuity?


Clearly, you need access to all types of data when you want to switch providers. Some data, including customer or transactional data, may already be housed in your systems through direct integration or regular imports, assuming proper GDPR compliance.

“If you’re using a reseller model where your payment provider serves as the merchant of record, the digital commerce or payments provider typically owns the transaction data and, in some cases, co-owns it with the merchant. If you are using a Payment Service Provider (PSP) model, where you (the merchant) are also the merchant of record for that transaction, then you typically own the transaction data,” Litch said.

He noted that sensitive payment data, such as card details, is not “owned” by either the merchant or the payment processor. “This data is only used and stored, and neither the payment processors nor the merchants own it, regardless of the contract or terms and conditions they have in place,” he explained.

Payment data may only be stored and tokenized by PCI DSS-compliant companies, and typically can only be transferred to another PCI DSS-compliant party, on the basis of transfer documents signed before the actual move.

Some subscription management / recurring billing engines that integrate with payment gateways or payment processors have agreements under which the card data is stored in a vault, so that the card data remains portable regardless of which payment gateway or processor is used.
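The field list above and the rule that raw card data moves only between PCI DSS-compliant parties translate into a migration pre-flight check: before handing a subscription export to a new provider, confirm that every record carries the fields the new provider needs to keep billing, that the dates are sane, and that the non-PCI export contains payment tokens only, never a raw card number. The following is an added example, not code from 2Checkout or from the article; the field names, record layout and sample records are constructed assumptions, not any provider’s export format.

```python
"""Pre-flight check on a subscription export before migrating to a new provider.

Field names and the sample records are constructed for this example; they are
not a real provider's export format.
"""
import re
from datetime import date

# Fields the new provider needs to continue billing (constructed names).
REQUIRED_FIELDS = {
    "order_reference", "product_code", "price", "currency", "billing_cycle",
    "recurring_enabled", "start_date", "expiration_date", "next_billing_date",
    "payment_method", "payment_token",
}
DATE_FIELDS = ("start_date", "expiration_date", "next_billing_date")

# A run of 13-19 digits, optionally separated by spaces or dashes, is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a digit run that passes the Luhn check."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0)))
               for m in PAN_CANDIDATE.finditer(value))


def validate_record(rec: dict) -> list:
    """Return the list of problems found in one subscription record ([] if clean)."""
    problems = []
    missing = REQUIRED_FIELDS - set(rec)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    parsed = {}
    for f in DATE_FIELDS:
        if f in rec:
            try:
                parsed[f] = date.fromisoformat(rec[f])
            except (ValueError, TypeError):
                problems.append(f"{f} is not an ISO date: {rec[f]!r}")
    if {"start_date", "expiration_date"} <= set(parsed) and \
            parsed["expiration_date"] < parsed["start_date"]:
        problems.append("expiration_date before start_date")
    if rec.get("recurring_enabled") == "Y" and \
            {"next_billing_date", "expiration_date"} <= set(parsed) and \
            parsed["next_billing_date"] > parsed["expiration_date"]:
        problems.append("next_billing_date after expiration_date on a recurring subscription")
    # The export must carry tokens only: a Luhn-valid card number in any field is a leak.
    for field, value in rec.items():
        if isinstance(value, str) and looks_like_pan(value):
            problems.append(f"raw card number in {field}: export must carry tokens only")
    return problems


def validate_export(records: list) -> dict:
    """Map order_reference (or record index) to its problems, for records that have any."""
    report = {}
    for i, rec in enumerate(records):
        probs = validate_record(rec)
        if probs:
            report[rec.get("order_reference", f"#{i}")] = probs
    return report


# Constructed sample export: one clean record, one incomplete, one leaking a PAN.
SAMPLE_EXPORT = [
    {"order_reference": "ORD-1001", "product_code": "PRO-ANNUAL", "price": "99.00",
     "currency": "USD", "billing_cycle": "12 months", "recurring_enabled": "Y",
     "start_date": "2024-01-15", "expiration_date": "2025-01-15",
     "next_billing_date": "2025-01-15", "payment_method": "card",
     "payment_token": "tok_7f3a9c1e", "customer_name": "Ada Example", "language": "en"},
    {"order_reference": "ORD-1002", "product_code": "PRO-MONTHLY", "price": "9.00",
     "currency": "EUR", "recurring_enabled": "Y", "start_date": "2024-03-01",
     "expiration_date": "01/04/2024", "payment_method": "paypal", "payment_token": "pp_b2c4"},
    {"order_reference": "ORD-1003", "product_code": "PRO-ANNUAL", "price": "99.00",
     "currency": "USD", "billing_cycle": "12 months", "recurring_enabled": "N",
     "start_date": "2024-06-01", "expiration_date": "2025-06-01",
     "next_billing_date": "2025-06-01", "payment_method": "card",
     "payment_token": "4111 1111 1111 1111",      # well-known test PAN, Luhn-valid
     "notes": "ref 1234567890123456"},            # 16 digits but fails Luhn: not flagged
]

if __name__ == "__main__":
    for ref, probs in validate_export(SAMPLE_EXPORT).items():
        print(ref, "->", "; ".join(probs))
```

Run the check on both sides of the migration: on the outgoing provider’s export before signing it off, and again on what the new provider imported. A hit on the card-number check means the record has to go through the separate, PCI DSS-scoped card data transfer described above, not the subscription export.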


“Vaulting is important as opposed to just tokenizing data, as the tokens refer to data stored elsewhere,” Litch said.

In the case of direct debit or PayPal, the data is either linked to a bank account or a PayPal account, which are related to a shopper and can be subject to local regulations such as GDPR in Europe.

GDPR is not a guarantee of protection. “Sometimes you can gather an army of lawyers and still you’re not able to do much if the contract you signed does not state you have the right to transfer data or access the data. In this case, GDPR does not offer much protection for the merchant. More power is in the hands of European end-customers due to GDPR, but they have to request personal information data transfers. Either way, in the case of transaction and payment data, it gets a lot more complicated than that,” Litch warned.

“One thing is for sure, that such subscription data transfer does NOT violate GDPR. Essentially, the purpose for which the data is used, even after the transfer, remains the same, and the data should be stored and processed observing GDPR and PCI rules,” he advised.  

How can merchants transfer payment data to a new provider?


Litch says the merchant usually begins with a formal request for the transfer. For card data, the new provider then typically validates the risk associated with the merchant’s sales (statements from the current processor, refund and chargeback rates, and so on), verifies through PCI DSS certification that the card data has been handled securely, and gets access to the card data only once the transfer documents have been signed by all parties.

It goes without saying that a secure environment needs to be in place for the transfer, and that the transfer itself must use a secure channel, since this is high-sensitivity data.

Once data is transferred and validated, new protocols are typically put in place to ensure regulatory compliance.

What happens when the current payment processor refuses the transfer?


If the current payment processor refuses to migrate data, your contract may have included a clause giving them the “right to hold the data.” You and your legal counsel should be aware of these types of clauses when signing any payments, technology or data agreements, and ensure your contract preserves your “right to transfer data.”

Things can get complicated when the e-commerce or payments provider is also the merchant of record. With payment service provider contracts, merchants usually have more control to instruct a transfer to take place when proper protection is provided.

Some service providers may claim a transfer violates GDPR or privacy laws but if the purpose for using the data is the same, then your provider is simply trying to hold your data hostage and it’s time to involve your legal counsel.

Details on how long data transfer should take, how much it costs and what historical data can be imported are best detailed in any agreements at the time of engagement.

Litch says between two and six weeks is a reasonable timeframe for data transfer. Some providers will not charge while others may charge between 40 and 80 hours of professional services time to complete a transfer.

Replicating renewal notifications and the auto/manual renewal mechanisms in your new system is also key. Any payments due from shoppers at the time of the export also need to be accommodated.

The bottom line on data portability


Litch believes payment data portability and control should be supported by every provider, and merchants should be free to choose their providers and not be held to unreasonable contracts. “It’s critical for ensuring business continuity, for not jeopardizing subscription company valuation and – eventually – for offering better customer service.”

He said a lot of companies are new to subscriptions or have been providing subscriptions for a relatively short period of time, so there have not been many migrations of subscription data to other providers.  

“As the industry matures, we are seeing more and more merchants coming to us and asking us to help them increase their renewals and reduce their churn. In all of these situations, we confront the need to migrate existing subscriptions. We see this as a growing issue that many more merchants will face,” Litch cautioned.


With a growing effort to enhance client lifetime value and increase renewal rates, subscriptions are a welcome revenue model for a wide range of businesses. But, is your buyer data at risk?

You can read more about how to protect your critical subscription and payments data at 2Checkout.