Paypal and Authorize.net: Help End the Credit Card Hostage Situation

Braintree is one of the most forward thinking payment providers out there. A good number of startups on HN have integrated with them (we have, too). They have an excellent policy about porting customer data (e.g., stored credit card numbers) when moving to a different provider. Amazing customer service overall.

It seems kind of lame to beg the incumbents to make it easy for you to poach their customers. The big evil guys have their customers by the balls. It's safe to assume there's no way they're going voluntarily let go.<p>They need angry former customers to do the talking. Maybe this raises awareness a bit, but what really resonates is horror stories. A few high profile former Authorize.net/PayPal customers that are angry and willing to tell people about it would probably go much further.<p>The sweet begging approach isn't likely to work.

I got frightened by all the PCI DSS fear that permeates this board. I assumed you guys had it all figured out, and to a man, you seem to all be of the same mind on this issue. Fear, fear, fear.<p>When I actual Read the F----ing Manual about this ...., actually read that what was required was peanuts compared to the thousands of posts and comments I've read here pontificating on how to safely store a freaking password to a dating site, I am perplexed. How can a group of people who can talk your arm off for two hours about salts, rainbow tables, hashes, and password entropy, be frightened of PCI? <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" rel="nofollow">https://www.pcisecuritystandards.org/security_standards/pci_...</a><p>I store my own credit card info. Exactly how I do it is none of your business, as, while I don't rely on obscurity for my security, I'd be foolish to deny myself it's added protection. I don't just meet PCI standards, which are easy, I greatly, greatly, exceed them. Why anybody would use a third party billing company is not mysterious, but why somebody who reads HN would do so, is strange to me.<p>I already know the comments I'll get for uttering such blasphemy. I would respectfully request that you actually spend 10 minutes reading actual PCI DSS guidelines before doing so, however.

If I'm one of the mentioned CEOs, here's what I just read:<p>"Dear guys who are bigger than me: please make it easier for me to steal your customers."

I'm not aware of how exporting the credit card data stored in the databases of these companies could ever be valid under PCI compliance rules.<p>They <i>say</i> it is, but I don't think it is up to braintree to say that it is, it would be up to the issuers to say that it is, and as long as they don't come out on the subject nobody is going to risk getting fined 10 million bucks or so by VISA or MC (or worse, to get shut down) to find out.<p>Braintree should probably do it's best to lower the barrier to entry to their services rather than to try to create a portability layer with competitors that don't care. And then braintree could give the right example by allowing merchants to take their data with them to other providers of payment services.<p>Note that just as you can't 'export' from Paypal or authorize.net you also can't simply 'import', the reason for that is that bulk import with random 3rd parties is extremely risky, it bypasses all the safeguards that have been installed to prevent all kinds of fraud.

Braintree is great for bringing this issue to light. I've personally been hurt by the lack of portability and have seen it affect several other companies. Here is Recurly's response:<p><a href="http://blog.recurly.com/2010/05/credit-card-portability/" rel="nofollow">http://blog.recurly.com/2010/05/credit-card-portability/</a>

At some point, your customer's card expires, and you need to ask them to re-enter their details. New details -&#62; new provider. It might take two years to migrate most of your clients - even if it isn't ideal, it's not like you're locked in <i>forever</i>.

This is cute. Not even Chargify or Recurly support[1] the "standard" (as far as I know), and they have vaults! Show me a list of other gateways that support the standard, and then maybe you can get the big boys on board.<p>I used to work in politics. This is the sort of poke-the-giant thing that longshot candidates do, and it actually ends up reflecting more negatively on Braintree than anyone else. It's a tone-deaf PR move from a great company.<p>EDIT: Looks like Chargify sends the CC details to the gateway and they don't have their own vault: <a href="http://chargify.com/features/pci-compliant-security/" rel="nofollow">http://chargify.com/features/pci-compliant-security/</a>

The problem: not many people actually switch <i>payment processors</i>. Once you get with Auth.Net, you spend a lot of time negotiating better rates with different companies, but your Auth.Net gateway stays the same.<p>I could see data portability being an issue in the long run, but for now, with Auth.net being basically one of two gateways, not enough moving around happens for their to be a "call for portability" (that will actually be heard).<p>I do, though, applaud a forward-thinking move like this. It may be looked back on as the small spark that got the fire going.

Or just forget about credit cards and use FaceCash!<p><a href="http://www.facecash.com" rel="nofollow">http://www.facecash.com</a><p>(My startup.)<p>Seriously, the industry has no incentive to change. They make a killing. Merchant contracts are strict and likely forbid alternative standards such as the one being proposed here.

I have fun questions: Who is the target audience for this letter? What is it trying to achieve? How effective is this letter in its current state in a) reaching the target audeience and b) achieving its goals?

If braintree cares this much about this, why don't they allow people who use authorize.net currently to store their credit cards in the braintree vault?