Credit Card Data Portability
Credit Card Data Portability is supported by an opt-in community of electronic payment processing providers (service providers) that agree to provide credit card data and associated transaction information (sensitive data) to an existing merchant upon request in a PCI Compliant manner.
Credit Card Data Portability is patterned after the telephone number portability that was part of the 1996 Telecommunications Act. Its objectives are:
- Eliminating vendor lock-in for merchants reliant upon a service provider storing their customers' credit card data
- Creating a secure, PCI Compliant, and standards-based process for data transfers
- Embracing free market principles and fair competition
For Service Providers
Contact your service provider regarding their terms, conditions, and fees associated with providing sensitive data.
Suggested questions to ask service providers:
- Does your organization adhere to Credit Card Data Portability?
- What is required of us to receive the sensitive data we process and/or store with you?
- What is the process of receiving the data and how long does it take?
- Are there fees associated with releasing the data to us?
- What data will be released and is there a time limit?
- Where can I get a copy of the terms?
Here are some resources for service providers wanting to participate in Credit Card Data Portability:
Service Provider Recommendations for Data Portability:
STEP 1: Verification of Merchant PCI Compliance
- Have the merchant demonstrate PCI Compliance by providing an attestation of compliance from a qualified provider.
STEP 2: Sensitive Data Transfer
- Participating Members must maintain a secure sensitive data transfer process that is compliant with the most recent version of the PCI Data Security Standard.
- Secure Data Transfer Process Recommendations:
  - The originating service provider should use an asymmetric key algorithm with the strongest possible key size.
  - The originating service provider may request a public key usable with the chosen encryption algorithm from either the merchant or the receiving service provider.
  - After encrypting the sensitive data with that public key, the originating service provider may transmit the encrypted data to the merchant by any secure transport method: physical media such as a CD sent by secure courier or another trackable delivery method, or electronic transmission such as SFTP, SCP, or FTP over SSL.
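The transfer process in STEP 2 calls for encrypting the export to a public key supplied by the receiving party. The following Go example, added here and not part of Credit Card Data Portability or any provider's code, shows both ends of that exchange: the receiver generates an RSA key pair, the originating provider wraps a one-time AES-256-GCM key with RSA-OAEP (the hybrid construction used in practice, since RSA alone cannot encrypt an export of arbitrary size) and seals the data, and the receiver unwraps and opens it. The 3072-bit minimum, the envelope layout and the merchant ID bound into the authentication tag are assumptions of the example, not requirements stated on the page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const MinRSABits = 3072 // assumed policy floor; the page only says "strongest possible key size"
// Envelope is one export: AES-256-GCM output plus the one-time key wrapped to the receiver's RSA key.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
	MerchantID                    string // GCM additional data: authenticated, not secret
}
// GenerateReceiverKey is run by whoever will receive the data; only the public half is shared.
func GenerateReceiverKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }
// newGCM builds AES-256-GCM; callers guarantee a 32-byte key, for which neither constructor fails.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// EncryptExport is the originating provider's side: a fresh key per export, wrapped with RSA-OAEP.
func EncryptExport(pub *rsa.PublicKey, merchantID string, plaintext []byte) (*Envelope, error) {
	if pub.N.BitLen() < MinRSABits {
		return nil, errors.New("receiver public key below minimum size")
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	ct := newGCM(buf[:32]).Seal(nil, buf[32:], plaintext, []byte(merchantID))
	clear(buf[:32]) // drop the plaintext key; only the wrapped copy leaves this function
	return &Envelope{WrappedKey: wrapped, Nonce: buf[32:], Ciphertext: ct, MerchantID: merchantID}, nil
}
// DecryptExport is the receiving side; a tampered ciphertext, nonce or merchant ID fails authentication.
func DecryptExport(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("wrapped key unusable: wrong private key or malformed envelope")
	}
	return newGCM(key).Open(nil, env.Nonce, env.Ciphertext, []byte(env.MerchantID))
}
```

The envelope is what travels over SFTP, SCP or courier media; the transport only has to be reliable and trackable, because confidentiality and integrity are already settled before it leaves the originating provider.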
'Sensitive Data' includes full credit card numbers and expiration dates. The term can also include cardholder names, shipping/billing addresses, phone numbers, email addresses, and any additional information processed and/or stored with a service provider. The PCI DSS prohibits the storage of magnetic stripe, CVV and PIN data, so service providers do not store this data and therefore cannot provide it to a merchant.
'Service Providers' include any company involved in the processing, transmission and storage of credit card information for merchants. Examples include providers of merchant account, payment gateway, point of sale, risk and fraud, and chargeback management services.
1. Is there a list of all the participating service providers?
2. What if my provider does not support Credit Card Data Portability and they're holding the credit card data hostage?
If multiple businesses service your account, for example a payment gateway and a merchant account provider, and one provider declines your request, you could ask the other. Credit Card Data Portability was created to avoid situations like this, so it is recommended that you encourage your Service Provider to participate in Credit Card Data Portability and/or choose a participating member going forward.
3. I am a payment processing provider; how do I participate in Credit Card Data Portability?
Your organization can highlight participation by maintaining this logo on your website, as well as by providing the data portability terms, conditions, and fees (if applicable) in your merchant agreements and/or on your company website.
4. Can my current service provider transfer sensitive data directly to my new service provider?
Certainly. A provider-to-provider transfer is ideal, as it prevents merchants from having to handle sensitive data themselves. Speak to your current provider to ask about their data portability options.
5. Where can I discuss Credit Card Data Portability?
You're invited to join the Credit Card Data Portability Google Group.