There’s a lot of talk in the industry about the proliferation of subscriptions – from software and music to movies and shaving blades. So much so that apparently 15% of online shoppers are enrolled in subscription plans (estimate from McKinsey) – while in the software world, subscription percentages have reached the high 70’s within overall sales.
There is also a lot of talk about improving client lifetime value (CLTV) and about increasing renewal and authorization rates and customer experience. Subscribers are keen supporters of seamless, personalized experiences and if companies do not deliver on those expectations, they will quickly be looking for alternatives.
But what happens when the merchants themselves are looking for alternatives, for technology replacements, in order to do just these things: improve CLTV, renewal and authorization rates, customer experience, etc. To use alternatives as their business needs change, merchants must have control over their subscription data, which includes being able to move some of the data associated with the subscriptions from one provider to another.
In order to ensure business continuity in the case of a technology or payments provider switch, merchants need to pay attention to several categories of data, and understand what rights they have over each data type to get more control over their subscriptions.
What types of subscription-related data do I need to pay attention to?
In the case of subscription purchases, there are lots of data sets that are implicated. These include subscription-related data such as start date, expiration date, recurring enabled (Y/N), product code, price or price options, and billing cycle units. These also include customer-related data such as name, company name, address, and language, and transaction-related data such as purchase date, payment method used, payment-specific data, order amount/billing cycle value, currency, order reference, next billing date and contract period.
Payment methods can be credit/debit cards and other types of payment methods, from PayPal to direct debit. In fact, direct debit is very commonly used for recurring payments; for example, in the UK, nearly half of consumers want to pay for subscriptions with direct debit according to GoCardless.
What data do I need to migrate to ensure business continuity?
Clearly, you need access to all types of data when you want to switch providers. Some of the data, including customer or transactional data, you may already have in your systems through direct integration or regular imports. We’ll assume here that GDPR and other compliance are already met through proper protections by your company. If you are using a reseller model where your payment provider serves as the merchant of record, the digital commerce or payments provider typically owns the transaction data and, in some cases, co-own it with you, the merchant. If you are using a Payment Service Provider (PSP) model, where you (the merchant) is also the merchant of record for that transaction, then you typically own the transaction data.
The difficult part is related mostly to the very sensitive, highly secure payment-related data. I should clarify that neither the merchant nor the payment processor “own” the payment data. This data is only used and stored, and neither the payment processors nor the merchants own it, regardless of the contract or terms and conditions they have in place.
Who stores the payment data?
In the case of cards, payment data is only stored and tokenized by PCI compliant companies and – evidently – it can only be transferred to a PCI compliant party based on transfer documents to be signed prior to the actual move.
In some cases, the subscription management/recurring billing engines that integrate with payment gateways or payment processors have agreements in place for the credit card data to be stored in vaults, so that credit card portability is ensured regardless of the payment gateways or the payment processors. Vaulting is important as opposed to just tokenizing data, as the tokens refer to data stored elsewhere.
In the case of direct debit or PayPal, the data is either linked to a bank account or a PayPal account, which are related to a shopper, and can be subject to local regulations such as GDPR in Europe.
How can I, as a merchant, initiate payment data transfer to a new provider?
For card data, you need to make a formal request for the transfer and the new selected provider may start a process to validate the risk associated with your sales (statement from the current processors, refunds and chargeback rates, etc.), to validate also the integrity of credit card data via the PCI certification and, ultimately, to get access to the card data via your current provider after transfer documents have been signed by all parties.
It goes without saying, a secure environment needs to be in place for the data transfer to happen, as well as a secure transfer, since we are talking about high-sensitivity data. Once the transfer takes place, a series of data consistency and validation tests are performed, with the goal of ensuring that data is mapped accordingly in the new system once imported (more technical details on the import in a future article!). In some areas you, as a merchant, are required, from a regulatory perspective, to create a new mandate with your customers and the stored data can be used to limit data entry.
In the case of other payment methods, such as direct debit, things are a bit easier. The SEPA Direct Debit (SDD) mandate is mostly set on the merchant level; hence the merchant is able to switch providers based on that mandate. The good news is that for card-based subscriptions, the merchant-initiated transaction (MIT) will also become mandatory.
Nevertheless, where applicable, prior to any data transfer, you need to sign specific agreements as per GDPR requirements for transfer of personal data to a third party or an international organization ensuring the adequate level of protection.
What happens when the current payment processor refuses the transfer?
Some providers will invoke several reasons for refusing to migrate card data, mainly that the contract signed by the merchant stipulates the processor has the right to hold the data. As a rule of thumb, you should watch out for this type of verbiage in the contract, and make sure you get the right to transfer data. This is more complicated when the eCommerce/payments provider is the merchant of record, in which case they own the data according to the contract. In the case of the payments service provider model (PSP), the merchant has more control, and the provider needs to only execute the instructions of the merchant and ensure proper protections are in place.
Other reasons invoked are that the “transfer violates GDPR”, that it is “against privacy laws”. Essentially, the purpose for which the data is used, even after the transfer, remains the same, and the data should be stored and processed observing GDPR (where the case) and PCI rules. In almost all cases, the reasons offered by the provider for refusing to migrate and transfer data are bogus and generally excuses to hold your data hostage and keep processing the transactions.
Other things to consider
It’s advisable for the contract to make note how long would such transfer process take (a decent timeframe should be around two to six weeks), how much it will cost (some providers will not charge for this, others will charge around 40 to 80 hours of professional services work) and how much historical data can be imported. It is best to ensure reasonable terms are in place for a potential future transfer before it is needed because some providers raise needless obstacles that make transfers very difficult, expensive and cumbersome.
Also, pay attention to renewal notifications and auto/manual renewal mechanisms that are in place, in order to replicate what worked in the previous system within the new system of your choice. Any payments due by shoppers on the time of the export also need to be accounted for. For example, if a subscription is past due at the time of the export, the merchant would not want to lose that information during the transfer.
Finally, we believe that payment data portability and control should be supported by every provider, and merchants should be free to choose their providers and not be forcefully locked in a certain arrangement. This is healthy from many points of view: for ensuring business continuity, for not jeopardizing subscription companies’ valuation and – eventually – for offering a better service to the end-customers. Do share below what issues you have encountered when attempting to switch providers and migrate such data.