There are a few posts on this topic already, all of them closed, and all of them with (now?) out-of-date info, so ... here we are.
I need to migrate away from Authorize.net. The short answer is that the fee structure of having a separate gateway and payment processor is, for us, antiquated and expensive. We have two companies: one with relatively high volumes and one with relatively low volumes. The high volume one works fine with this structure (though we'll be moving that one, too); the low volume one ($2k/month) winds up paying an effective 16% in fees. That's worth considering a move. ;)
I discussed this with Authorize.net support this morning, and just as a heads-up, here's the answer I received from Cassandra in online chat:
Cassandra: 09:35 Good morning David. I see the importance of knowing more about submitting a Legal Data Extraction request and am glad to assist you with some information today!
Cassandra: 09:37 To have this data extracted, The cost of the data extraction is $250/hour with a minimum of 4 hours ($1000.00 in total). The default payment method for the fees is via the bank account on file with Authorize.Net. It can certainly be sent via the PGP key and am glad to email you with the waiver you can fill out to submit via eTicket, along with more information.
Yep. Four hours of time to export and encrypt the data. And a minimum $1,000 price tag for what, as near as I can tell, would be a 30 minute job (though I realize I may be missing something entirely).
That seems like a great way to screw a ~15+ year partner. Be warned.
I'm deeply sorry about this, but I believe you've been given incorrect information here. There was a time when exporting customer profile information was a terribly manual process involving database administrators taking time to extract records directly. If that was the case, a hefty charge like this would make more sense.
However, we now have the ability to do this in a more automated fashion. It's still something done through the support channels, but there shouldn't be a charge for this.
I'm following up with the appropriate people now to make sure the message is getting across correctly.
I agree @Aaron. Turns out the charge is now $500/- and it will expose the data of the customer, thereby exposing payment details that we do not want to be exposed to.
Can't we just get the data transferred to a system that is PCI compliant?
Can you please assist?
Edited: Grammar to clarify meaning
There is no standard format for a bunch of sensitive card data that would be encrypted enough that you couldn't see it, but that another company would know what to do with it. If you want to get your card data from us in a form that another company would be able to understand, you're going to have potential exposure to the data, and would have to take the responsibility of complying with PCI-DSS standards for safeguarding that data.
We want to change that, so we've been working with other companies to develop processes for handing off data directly to them or receiving data directly from them when a merchant switches from one to another. There's always some initial reluctance when we approach a company and try to start discussions about making it easier for their customers to leave them and come to us. But, if they see that this is a two-way street we're building, they see how it provides value to their merchants and makes it easier for merchants to switch to them as well.
Where are you trying to transfer your data to? I might be able to help if it's someone we're already working with.
As far as the fee goes, the new process for just retrieving customer profile/CIM data should involve no fee, but I understand that there are still some approvals that support is waiting on before communicating that widely. If you're asking for something more than just customer profile data (like subscription data) there would be additional fees. I can't comment any more on the fee without knowing what exactly you're asking for.
I'm wondering if there is any new information on data transfer from Authorize.net to possibly Braintree or Stripe. Your customer service department suggested you may be beta testing import from Stripe soon, but not exporting to them. We are unfortunately in a position where we're going to need to move away from Authorize.net at the end of our term in order to meet PCI SAQ A compliance on a Magento platform (your Customer Hosted Form is not being supported by any current extensions with CIM capability on Magento 1). Braintree and Stripe both have extensions with hosted field options that will meet our requirements.
Do you have an encrypted data handoff of CIM data to any companies yet?
We are working on a more streamlined (and direct) import/export process between ourselves and other gateways, including Stripe. We're still in the testing phase with that but will be sure to report back here with any news.
I did also want to mention that Paradox Labs has a fantastic PCI compliant plugin for CIM on Magento 1. It's definitely worth checking that out.