Are there any remote credit card data stores out there which don't manage/process payments, just store the data?

Question

Such a service would act similar to a payment gateway, but not actually authorize or charge the card, and would make our lives easier when it comes to PCI compliance.

Our clients want us to hold onto the card information but not act on it. A month later or so, if the customer doesn't hold up their end, they use the card details to charge the card by entering the information into your standard retail card machine. Now for our clients to become PCI compliant, we, who are storing the credit card information, need to do so in a PCI compliant fashion. As far as I know our options are:

1. become PCI compliant ourselves
2. get our clients to switch from us as the data-store service to a new service

With either:
2.1: the new service being a paypal or similar, where they would have to authorize and delayed capture the funds (at a significant additional cost to them per month)
2.2: the new service being a remote data store only as described above (at a small additional cost to them per month)

Any insights welcome, thanks.

Answer 1

I believe that the agreement governing those retail card machines is very specific about how the data may be stored. I'm pretty sure that your customer would be violating their agreement for that machine use if they did what you describe.

If you're not actually processing transactions yourself, I don't know that YOU need to be PCI complaint. It's a voluntary industry standard, not the law. Of course, if you don't follow it, you're not allowed to be involved in the long-term storage of customer details if you want to do business with the payment card industry...

Ask for a copy of your customer's terminal agreement. I am sure it says very specific things about the electronic storage of customer information.

This is really a bad idea. The liabilities involved are enormous (millions of dollars when you have a small scale breach, typically). PCI compliance is going to cost you a minimum of $50k, probably a lot more, especially if you don't already have a team which has built compliant systems before.

You need to find an existing processor that provides the remote datastore for your customer. The providers I've worked with in the past have included MyBillingTree.com and Profitstars. The latter is a larger scale, more professional outfit, but they're still reselling someone else's api. Any major enterprise payment solutions player should have this capability. Don't go with PayPal, they are generally overpriced and of limited flexibility. Unless your volumes are ludicrously low, either of these companies will quote you a competitive rate, probably significantly better than the swipe-terminal your client already has.

You don't necessarily have to do an authorization and delayed capture. With the profitstars API, you can run a pre-auth, get back a stored token representing the customer information set, and (provided you have proper customer authorization), use that to run transactions for arbitrary amounts at a later date.

Answer 2

Fast forward to 2014. Spreedly is a service that stores cards and handles pci compliance for you. You get a token which you can use later to refer to the card. They don't process payments directly, you use their api to process payments against various 3rd party gateways.