Can Your Monthly Donors Be Held Hostage?
If you care about the future of your monthly giving program I urge you to take 2 minutes and complete this confidential Agitator Survey.
Here’s why.
As technology changes and competition increases, many organizations are switching CRM database vendors and credit card payment processors.
SURPRISE! Many organizations making this switch are discovering, to their shock, that their old CRM, their old payment processor, or both are refusing to transfer their monthly donors’ credit card or other payment data to the new vendor.
The result? Nonprofits are often left to fend for themselves. It is like changing banks and having the old bank refuse to transfer your funds, holding your money hostage as the next month’s bills come due.
How often does this happen to nonprofits? That’s the purpose of this Agitator Survey. Recently we’ve encountered many frightening examples of hostage-taking by vendors, and we want to know more so we can alert the sector. So please take 2 minutes and complete the Survey.
Click here to complete the Survey.
Can Hostage-Taking Happen to You?
Sadly, The Agitator has uncovered cases where large, sophisticated organizations with thousands of monthly donors have been blocked or grossly delayed in transferring their data…cases where organizations that have invested tens of thousands in building a new sustainer program have been shocked to find their data held hostage by a CRM or payment processor that refuses to cooperate. One purpose of this Survey is to find out just what Agitator readers have experienced.
And when the hostage-taking occurs, how do organizations get their monthly donors’ credit card or EFT data to ensure uninterrupted payment and communication? Do they hire lawyers? Spend endless hours battling their old vendors? Go through the painstaking and expensive task of calling/writing/emailing their monthly donors and asking them to submit their credit card or EFT information anew? This Survey will help shed light on the course of action and options open to nonprofit victims.
All too many nonprofits are unaware of their rights and simply assume that because their monthly donors’ payment data is their own property, they can, of course, transfer it when they wish. But sadly, some vendors, far more fearful of losing business and income, don’t see it that way. These uncooperative vendors resort to technical explanations, phony data privacy claims and other barriers of denial and delay.
This Agitator Survey seeks to find out the awareness-level of nonprofits and the steps some take when confronted by recalcitrant vendors. If you currently have a monthly giving program or are contemplating launching one in the coming year I hope you will take 2 minutes and complete the Survey.
Be Prepared for Success
Normally, we wouldn’t burrow down into the “processing” weeds like this. However, Monthly Giving is far too important to tolerate any slimy vendor practices that can sabotage these vital programs.
Working with monthly giving guru Erica Waasdorp we’ve so far produced a Four Part Series on Monthly Giving (Part 1, Part 2, Part 3, Part 4), and we simply don’t want to see all the good work that has gone into building these programs be sabotaged. So, we’re digging in and sounding the alert.
Our goal is simple: encourage as many organizations as possible to build monthly giving programs now, and help them be alert to, and guard against, nasty little vendor surprises.
Once we have the results of this survey we’ll report back. Meanwhile, we’re gathering case histories, drawing up a list of good and bad actors and will keep you posted. Together we can end the hostage taking of Monthly Donors and grow your pool of tremendously powerful, loyal and sustainable revenue-generators.
Roger
P.S. Agitator readers whose organizations’ data fall under the European Union’s General Data Protection Regulation (GDPR) have an advantage over their US counterparts. Under the GDPR’s processor rules (Article 28), a vendor processing personal data on a nonprofit’s behalf must return or delete that data on the nonprofit’s instruction at the end of the service, rather than keep it.
Thanks for sharing and creating the survey Roger, as this is a REAL problem and is not being resolved by most payment processing organizations.
Shining a bright light on this issue should speed up the process.
I look forward to seeing what your survey reveals…
Hey, I recognize this business model! It was in GoodFellas (extremely not safe for work): https://www.youtube.com/watch?v=3XGAmPRxV48
Roger, I’m not often surprised by fundraising news. Congratulations! You surprised me. I had no idea that this problem exists. I look forward to learning more once your survey results are in. I hope your follow-up report will name names. Doing so will perhaps encourage the offending businesses to correct their bad ways or it will warn nonprofits to seek another service provider who will be more responsive to their needs.
I echo what Michael wrote. Thanks for doing this great service for the sector Roger!
Very timely. We’re switching payment processors as we speak and are meeting with resistance regarding our data.
We don’t give up easily…
We have over 70,000 monthly donors, nearly 50% of our donor file.
It’s a huge and critical part of our program.
As a former owner of a payment processing gateway that was around during the time of “tokenization”, I can tell you that this was commonplace and you wouldn’t dare not “give-to-get”.
The client would request all of their tokenized CC/PII PCI-compliant data be shipped to their new processor on a certain date/time. We would charge $500 because it would have to be near real-time and often off-hours, requiring additional support personnel. The migration process is highly secured and monitored. Once complete, all data must be destroyed and a verification of that destruction provided to ensure PCI compliance.
All non-profits should ask this question upfront when signing up with a new provider – “Can you, and what would it cost me to, migrate all of my subscribers’ CC/PII data to another provider should: we choose to switch, we have a contract conflict, or you go out of business?” Yes, the latter still happens.
Great advice Tim!
I can tell you that when I worked at ROI Solutions we were able to move a few programs that were previously reported as “unmoveable” by the prior vendor. If they are charging the donor monthly and reporting the gift back to you to add it to the file, there is SOME connection between the donor and the payment method. They may just not be in the same place due to PCI compliance issues.
It is not impossible and now that I am no longer in the industry I can say this — it’s a real shame that some vendors feel like this is an acceptable business practice, especially in the nonprofit world.
Roger, Thanks for doing this. Great work, as usual. And perhaps you can name names…
I feel like this one needs a follow-up post. There seems to be some confusion about PCI compliance.
First, it’s voluntary. Of course most card issuers won’t do business with you if you’re not compliant, but there’s no fine for not being compliant (except in some states but that has nothing to do with PCI). Gulp.
Second, it’s not that hard. As an organization, just use someone who is PCI compliant and never, ever store a credit card number. Simple, right? Well, I can tell you that 30% of the organizations in my neighborhood still write down credit card numbers. Shame.
Third, PCI compliant vendors DO STORE CREDIT CARD INFORMATION. That’s the whole point of being PCI compliant, so you have the proper policies, controls, and procedures in place to store PII/PAN/CC information. So any vendor that says it’s a violation of PCI compliance to transfer said data is a cheat and a liar. There’s no entry (https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf?agreement=true&time=1527258833938) for transfer of cardholder data to another PCI-compliant provider because that would be redundant. There’s always a transfer of cardholder data because that’s how transactions are done!
I’ll personally prepare a list and call each one and see what excuses they offer. I’ll then see who would be willing to share it. I think I may know of someone …
Thanks Tim. It’s very good of you to jump in and help prepare some comparative information that we can share with the sector.
The response to the Survey has been both voluminous and somewhat venomous in terms of how nonprofits are being treated when it comes to transferring data.
We’re shooting to publish the results next week. Once that’s done we’ll then issue comparative information/guidance on the “what do I do?” part of the problem. So, thank you for jumping in on this.
Roger
I was shocked to read about this scam.
Indeed charities should be protected against this type of scam if they work under GDPR. But not automatically. GDPR requires you to have a processor agreement in place. It does not impose the content of that agreement.
Charities should make sure, in all circumstances and in all stages of the data life cycle, that they and only they are what GDPR calls the data controller. Software vendors, payment processors, marketing agencies… should always be just processors acting only under the authority of the charity acting as the controller. They should refuse when a service provider proposes an agreement granting controller status to itself.
Too many charities, also in Europe, do not consider this enough when contracting a processor.