SaaS payments
What is Credit Card Data Portability?
Credit card data portability is a mechanism for transferring customer payment data, specifically Primary Account Numbers (PANs), between different payment service providers under security and compliance controls. Being able to spread or move stored card data across financial institutions is associated with certain business advantages.
Here are the main characteristics of portable systems:
- Secure Exporting: The system offers a PCI-compliant process for exporting card data to another provider, subject to a formal request.
- Format Standardisation: Guaranteeing that the data transferred is in a form that the recipient party can use.
- Tokenization Compatibility: Employing tokens that can be switched or redirected among different processing gateways.
- Compliance Preservation: Keeping an unbroken chain of custody that meets Payment Card Industry Data Security Standards (PCI DSS).
What is "Processor Lock-in" in Payments?
Whether a merchant can move its stored card data shapes its relationship with payment providers and can create a dependency on a specific processor or vendor. Many providers use proprietary tokenization: when cards are stored with such a provider, the resulting tokens typically work only within that provider’s environment.
When a merchant leaves, the provider may charge exit fees, and the released data may not be in a format that other systems can use. Finextra suggests a link between vendor lock-in and a 20% to 30% difference in processing fees, which may reflect the merchant’s weakened negotiating position with its current vendor.
How does PCI Compliance interact with Portability?
Portability is significantly affected by the requirements of PCI DSS (Payment Card Industry Data Security Standard). In particular, merchants generally avoid, or are prohibited from, storing unencrypted credit card numbers on their own servers, which may reduce certain risks. Consequently, instead of handling the data themselves, merchants use a provider’s service that stores the card data and issues a “token” in its place.
On both the sending and the receiving end, the providers must comply with PCI Level 1 standards for the migration to be possible. The data must also be encrypted and transferred securely during the migration, a “vault-to-vault” process. Such a transfer keeps the merchant out of PCI scope, because the data never passes through the merchant’s hands, while still allowing the data to move.
How does Credit Card Data Portability work technically?
Conceptually, this is a transfer between two separate, secure environments. The merchant requests the migration, and the current provider encrypts the database of card numbers with the new provider’s (the destination’s) public key.
- Inquiry: The merchant initiates the data export from Provider A.
- Securing: Provider A encrypts the PANs and expiration dates.
- Sending: The data is transferred over SFTP or a dedicated API.
- Receiving: Provider B decrypts the information and issues new tokens for the merchant’s use.
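The four steps above, carried through end to end as a worked example. This is added illustration code, not the page’s or any provider’s implementation: Provider A seals the batch of PANs and expiry dates under a fresh AES-256-GCM key and wraps that key with Provider B’s RSA-OAEP public key, so the envelope that crosses the wire cannot be opened by the merchant or by anyone who intercepts it; Provider B unwraps the key, verifies the GCM tag, runs a Luhn check on each PAN and returns only an old-token-to-new-token map. The CardRecord and Envelope types, the `tok_B_` token format and the test PANs are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type CardRecord struct { // one entry in Provider A's vault (the PANs used below are constructed test numbers)
	OldToken string `json:"old_token"`
	PAN      string `json:"pan"`
	Expiry   string `json:"expiry"`
}

type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte } // all that crosses the wire: AES-GCM batch + RSA-OAEP wrapped key

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// exportBatch is Provider A's "Securing" step; only Provider B's private key can open the result.
func exportBatch(records []CardRecord, dest *rsa.PublicKey) (*Envelope, error) {
	plain, _ := json.Marshal(records) // cannot fail for a slice of plain string fields
	buf := make([]byte, 32+12)         // fresh data key (32) and nonce (12) per batch; crypto/rand.Read does not fail
	rand.Read(buf)
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dest, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, buf[32:], gcm.Seal(nil, buf[32:], plain, nil)}, nil
}

// importBatch is Provider B's "Receiving" step: unwrap, authenticate, decrypt, validate, re-tokenize. Only the old->new token map reaches the merchant, never a PAN.
func importBatch(env *Envelope, priv *rsa.PrivateKey) (map[string]string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag check rejects any tampering in transit
	if err != nil {
		return nil, fmt.Errorf("batch rejected: %w", err)
	}
	var records []CardRecord
	if err := json.Unmarshal(plain, &records); err != nil {
		return nil, err
	}
	mapping := make(map[string]string, len(records))
	for _, r := range records {
		if !luhnValid(r.PAN) {
			return nil, fmt.Errorf("record %s: PAN fails Luhn check", r.OldToken)
		}
		b := make([]byte, 16)
		rand.Read(b)
		mapping[r.OldToken] = fmt.Sprintf("tok_B_%x", b) // hypothetical token format for Provider B
	}
	return mapping, nil
}

// luhnValid catches PANs corrupted before or during export (the check digit no longer matches).
func luhnValid(pan string) bool {
	sum := 0
	for i := range pan {
		d := int(pan[len(pan)-1-i] - '0')
		if d > 9 {
			return false
		}
		sum += d + i%2*(d*2/10+d*2%10-d) // every second digit from the right is doubled and its digits summed
	}
	return len(pan) >= 12 && sum%10 == 0
}

// newProviderBKey stands in for the destination's key pair; Provider A only ever sees the public half.
func newProviderBKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // does not fail with crypto/rand and a valid key size
	return k
}

func main() {
	priv := newProviderBKey()
	batch := []CardRecord{{"tok_A_001", "4111111111111111", "12/27"}, {"tok_A_002", "5500000000000004", "06/28"}}
	env, _ := exportBatch(batch, &priv.PublicKey)
	fmt.Println(importBatch(env, priv))
}
```

A failed GCM tag or a failed Luhn check rejects the whole batch rather than silently importing a corrupted record, which is the behaviour a receiving vault wants. The example leaves out one thing a real migration adds: Provider A would also sign the envelope so that Provider B can authenticate its origin, not just its integrity.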
What is a neutral/centralized token vault?
A neutral or centralized token vault is a third-party service that sits outside the payment processor’s environment. Instead of the processor holding the card data, the vault does. When a card transaction is needed, the vault forwards the card data to whichever processor the merchant has selected.
| Function | Advantage (+) | Drawback (–) |
| --- | --- | --- |
| Vendor Independence | It is possible to change processors without data migration. | The process could incorporate an external third-party vendor. |
| Resilience | Route transactions to a backup if one processor goes down. | A per-token storage fee may be applicable. |
| Security | Risk management activities are consolidated into a protected location. | Technical integration with the vault API is necessary. |
How do you build a multi-PSP/multi-processor strategy with Portable Data?
Access to portable data allows companies to consider a multi-PSP approach, in which a merchant connects to multiple payment processors concurrently. For example, if Processor A offers a better rate for European cards and Processor B is cheaper for US cards, the merchant can direct each transaction to the appropriate processor.
Things to consider when deciding on a multi-processor strategy:
- Geographic reach: Does the provider offer local payment methods?
- Cost Optimization: Do you have the option to “least-cost route” in real time?
- Technical Overhead: Does your team have the capability to handle multiple API integrations?
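The neutral-vault and multi-PSP routing described in the two sections above, combined into one added example: a vault that keeps the PANs and hands the merchant only opaque tokens, then routes each charge to the cheapest processor that supports the card’s region and fails over to the next one when a processor is down. This is illustration code, not the page’s or any vault or processor product’s implementation; the processor names, fee tables, the BIN-to-region table and the test PANs are constructed for it.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PSP is one processor behind the vault. Names, fee tables and the BIN table below are
// constructed for this example, not real processors or real pricing.
type PSP struct {
	Name   string
	FeeBps map[string]int // fee in basis points per card region; a region that is absent is unsupported
	Down   bool           // simulated outage
}

var ErrNoRoute = errors.New("no processor available for this card")

// charge is the processor's side. Only the vault calls it, so only the vault ever holds the PAN.
func (p *PSP) charge(pan string, cents int) error {
	if p.Down {
		return fmt.Errorf("%s: unavailable", p.Name)
	}
	return nil
}

// Vault is the neutral token vault: it keeps the PANs and hands the merchant opaque tokens.
type Vault struct {
	pans map[string]string // token -> PAN
	psps []*PSP
}

func NewVault(psps ...*PSP) *Vault { return &Vault{pans: map[string]string{}, psps: psps} }

// Tokenize stores the PAN and returns a random token with no mathematical link to it.
func (v *Vault) Tokenize(pan string) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read does not fail
	tok := fmt.Sprintf("vt_%x", b)
	v.pans[tok] = pan
	return tok
}

// cardRegion maps the leading digits of a PAN (its BIN) to a region; the table is constructed.
func cardRegion(pan string) string {
	switch {
	case strings.HasPrefix(pan, "4000"):
		return "EU"
	case strings.HasPrefix(pan, "4111"), strings.HasPrefix(pan, "5500"):
		return "US"
	}
	return "OTHER"
}

type Receipt struct {
	Processor, Region string
	FeeCents          int
}

// Charge does least-cost routing with failover: processors that support the card's region
// are tried cheapest first, and an outage falls through to the next one.
func (v *Vault) Charge(token string, cents int) (Receipt, error) {
	pan, ok := v.pans[token]
	if !ok {
		return Receipt{}, errors.New("unknown token")
	}
	region := cardRegion(pan)
	var candidates []*PSP
	for _, p := range v.psps {
		if _, supported := p.FeeBps[region]; supported {
			candidates = append(candidates, p)
		}
	}
	sort.Slice(candidates, func(i, j int) bool { return candidates[i].FeeBps[region] < candidates[j].FeeBps[region] })
	for _, p := range candidates {
		if err := p.charge(pan, cents); err == nil {
			return Receipt{Processor: p.Name, Region: region, FeeCents: cents * p.FeeBps[region] / 10000}, nil
		}
	}
	return Receipt{}, ErrNoRoute
}

// demoVault wires two hypothetical processors: A is cheaper for EU cards, B for US cards.
func demoVault() *Vault {
	return NewVault(
		&PSP{Name: "ProcessorA", FeeBps: map[string]int{"EU": 150, "US": 290}},
		&PSP{Name: "ProcessorB", FeeBps: map[string]int{"EU": 200, "US": 220, "OTHER": 300}},
	)
}

func main() {
	v := demoVault()
	eu := v.Tokenize("4000000000000002") // constructed test PANs; the merchant keeps only the tokens
	us := v.Tokenize("4111111111111111")
	fmt.Println(v.Charge(eu, 10000)) // ProcessorA, 150 cents fee
	fmt.Println(v.Charge(us, 10000)) // ProcessorB, 220 cents fee
	v.psps[0].Down = true            // Processor A outage: EU traffic fails over to B
	fmt.Println(v.Charge(eu, 10000)) // ProcessorB, 200 cents fee
}
```

The merchant’s systems only ever see `vt_` tokens, so switching or adding a processor changes the vault’s routing table, not the merchant’s stored data. Outage detection is a flag here; a deployed vault would drive it from health checks and decline rates, and would log which processor each transaction was routed to so that fee reconciliation and incident review have a record.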
Conclusion
Credit card data portability has implications for risk management in today’s digital economy, potentially reducing the situations in which a business is tied to a single financial partner. By using neutral vaults and adhering to PCI-compliant transfer protocols, merchants can retain ownership of their customer relationships. Finally, portable data leads to a competitive market in which service quality and price, rather than technical barriers, determine which payment provider wins a merchant’s business.