Avoid payment processor "lock-in"


According to PCI rules (and Visa/MasterCard guidelines), merchants are not allowed to store CVV (CVV2) numbers. To process recurring payments (monthly subscriptions etc.), most payment processors offer a “Subscription” payment option, where full credit card details (including CVV) are submitted only during the first (initial) transaction. Subsequent payments are then handled by the payment processor, so the merchant doesn’t have to store/resubmit credit card details. This obviously means all subsequent payments have to be handled by the same payment gateway.

Now my question: What if I wanted to change my payment processor? What if my payment gateway (for whatever reason) ceased to exist? Is my only option to ask all my customers to re-submit their card details? How can I avoid the payment gateway “lock-in” described above?

The solution would be of course to store full card details (including CVV) and submit them in monthly (or whatever other) billing cycles to whichever payment gateway I want. But this is not allowed…

I would very much appreciate any suggestions from eCommerce experts here.

Is my only option to ask all my customers to re-submit their card details?

Yes, this is the only way you can proceed with the recurring billing. Back in the old days, before PCI and when credit card fraud wasn’t an issue for most processors, one could simply ask the current processor to move CC data to the next processor to be used… that's not possible any longer.

According to the PCI DSS regulations, you are not allowed to store any CVC / CVV numbers at all. Doing so will be against the regulations, and you will be penalized for this if something goes wrong.