Blog

When going to market using subscription billing there are three diametrically opposed forces fighting you, the person who owns the active subscriber count as you try to acquire and retain the most customers possible.

These forces are PCI, Account Updater, and customer data ownership. I want to focus on the balancing act between the first two.

These days, one of the primary mechanisms (other than using something like HOA on CashBox) to lowering the compliance burden and the actual risk of card disclosures is to use tokenization of those cards from your merchant acquirer, or gateway. Tokenization is simply an infrastructure at, for example, your gateway that will take the card you obtain from your customer on your checkout page, encrypt it for storage in their database, and hand you back a ‘handle’ to that card for future use. It doesn’t remove much of the compliance burden as credit cards still flow through your webserver and thus you still have to fully comply with PCI, but it does lower the risks of actual disclosure and shrinks the scope of your compliance efforts.

A surprising number of merchants are unaware of or don’t implement Account Updater, which is available from Visa and Mastercard in North America and some of Europe. Account Updater functions in two ways. The primary way will automatically send card changes for customers that you’ve billed in the last six months to you so that you can seamlessly update their card before a billing event. The alternative way is for you to either proactively or after a billing failure ask if there has been an update on any given card. We’ve found that the absolute best result is to run Account Updater in both modes and spend time optimizing the latter mode for specific billing plan frequencies.

Unfortunately, the requirements of Account Updater and its impact on customer retention are at odds with the requirements of tokenization in support of PCI. Most of the tokenization projects at the various vendors do not take the product requirements of Account Updater into consideration. How does one query the Account Updater service for the new card that may have replaced the one that failed when all you have is a handle to the old card? Unless your vendor has specifically added this to their tokenization implementation you are hostage to their product roadmap to save some significant percentage of subscriber churn. When you recall that few vendors are focused on the challenges of digital content and services with subscriptions, and instead get the bulk of their revenue from one time purchase physical goods merchants it makes sense that these tokenization projects have usually not addressed Account Updater functionality.

At Vindicia, we’ve built CashBox to both take you completely out of the PCI compliance burden with HOA and to directly and richly implement Account Updater with our merchant acquirer partners. We’ve also made the commitment to you that your customer data is yours should you want to move on. Once you experience the revenue increase we deliver through increased customer retention, we doubt you will. But that commitment is there to help end the tension between customer data ownership and tokenization as well – which is something I’ll touch on in a later post.