Open Letter to the CEOs of PayPal and Authorize.net: Help End the Credit Card Data Hostage Situation
Posted on May 11, 2010 by Bryan Johnson
Dear Scott Thompson and John Bodine,
As you may have heard, we recently announced a Credit Card Data Portability initiative. We created it to try to solve a major problem in the industry: vendor lock-in due to stored credit card data being held hostage. Following the recommended guidelines outlined in the initiative, service providers can ensure that any data transfer, whether it's provider-to-merchant or provider-to-provider, is done in a PCI-compliant and secure manner.
Today, both PayPal and Authorize.net offer credit card storage services whereby merchants can remotely store this sensitive information to reduce the scope of PCI compliance and increase security. As you both know, if one of your merchants ever wants to change to a new provider, your organization will hold that stored credit card data hostage. This is obviously very problematic for merchants.
If your organization chooses not to support Credit Card Data Portability, you could assume a leadership role in proper disclosure. You could determine to act in good faith and disclose to merchants, before they begin doing business with your organization, that they will never be able to get the stored credit card data back under any circumstances.
We work with merchants every day who are in this serious predicament. Just as you've worked extremely hard to build your businesses, so have they. It's unfair and bad business to put others into this situation without foreknowledge.
We hope that both of you will use your influence to do the right thing.
Sincerely,
Bryan Johnson
CEO, Braintree
