How a $30,000 hostage fee exposed the regulatory hypocrisy that protects for-profit e-commerce customers while abandoning nonprofits
Two Phone Calls, Two Different Worlds
Call #1 – E-commerce Business Owner “I want to switch from Stripe to Braintree and take my recurring customer payment data with me.” “Absolutely. We’ll coordinate the secure transfer with both processors. There’s no fee from either side, and your subscription customers will continue being charged seamlessly. Should be complete within 48-72 hours.”
Call #2 – Nonprofit Development Director “We need to migrate our 20,000 monthly donors to a new platform.” “That’ll be $30,000. $10,000 flat fee plus $1.36 per payment token. We can schedule the transfer for sometime in the next 3-6 months. Or you can start over and ask all your donors to re-enter their payment information. Your choice.”
Welcome to the ultimate double standard in payment processing: e-commerce businesses enjoy free data portability and industry-standard protections, while nonprofits—organizations serving the public good—face monthly-donor lock-in for the exact same technical service.
The Tale of Two Business Worlds
For E-commerce: Industry Standards and Fair Competition
When e-commerce businesses need to switch payment processors, the industry recognized data portability as essential for fair competition. In 2010, Braintree created the much-needed credit card portability standard with objectives including “eliminating vendor lock-in for merchants reliant upon a service provider storing their customers’ credit card data”.
Today, e-commerce businesses enjoy:
- Free data transfers between processors like Stripe, Braintree, and Square
- Industry-standard portability protecting recurring subscription businesses
- 48-72 hour transfer timelines as the accepted norm
- Competitive pressure that prevents payment hostage practices
- Multiple processor options with standardized switching procedures
For most e-commerce merchants, “switching to a new payment processor” is described as “a simple and painless task that can save you money from day one” with transfers that “usually last less than an hour”.
For Nonprofits: A Regulatory Wasteland
Meanwhile, nonprofits using donation platforms face a completely different reality:
- Complete lock-in of donors blocking any transfer
- Ransom fees ranging from $5,000 to $30,000+ are standard practice
- No industry standards protecting against vendor lock-in
- Multi-month delays at platform discretion (3-6 months common)
- No competitive pressure to offer fair data portability
- Zero regulatory oversight of hostage fee practices
The same payment data that e-commerce businesses transfer freely costs nonprofits thousands to access.
The Anatomy of Institutional Hypocrisy
Here’s what makes this double standard particularly galling:
The Technology is Identical
Both e-commerce businesses and nonprofits use the same underlying payment processors (Stripe, Braintree, PayPal) and the same payment tokenization technology. The technical process for exporting payment tokens is identical whether you’re running a subscription software business or a monthly giving program.
The Data is the Same
Whether it’s a customer’s monthly SaaS subscription or a donor’s monthly gift, we’re talking about the same type of encrypted payment information stored in the same way by the same processors.
The Underlying Cost is Zero
Payment processors charge nothing for token exports to either sector, so the ransom fees are pure profit for donation platform intermediaries. At most, a small fee could be justified by the labor of performing the export securely.
Yet somehow, when an e-commerce business wants to switch processors, it’s considered normal business operations protected by industry standards. When a nonprofit wants to switch platforms, it’s treated as a luxury that justifies extortion.
Find out which donation platforms are charging tolls and which are fully blocking transfer of donor payment tokens.

By the Numbers: The Scale of Institutional Discrimination
E-commerce Sector (Protected by Industry Standards)
- Data portability fees: $0 (prevented by competitive pressure)
- Transfer timeline: 24-72 hours (industry standard)
- Competitive oversight: Processor competition prevents hostage fees
- Business protections: Extensive industry standards
Nonprofit Sector (The Afterthought Sector)
- Data hostage fees: $5,000-$30,000+ (unregulated)
- Transfer timeline: 1-6 months (at platform discretion)
- Competitive oversight: None
- Business protections: Zero
The result: Organizations serving homeless veterans, fighting cancer, feeding hungry children, and protecting the environment face predatory practices that would trigger federal intervention if applied to a checking account.
The Profitable Architecture of Discrimination
This double standard isn’t accidental—it’s architected for profit:
Step 1: Regulatory Capture
While banks lobbied for and received data portability protections, nonprofits lacked the political capital to demand equal treatment.
Step 2: Vendor Lock-In by Design
Platforms deliberately structure their services to create maximum switching costs, knowing nonprofits have no regulatory recourse.
Step 3: Exploitation at Scale
Once locked in, platforms can raise prices, reduce service quality, or impose new restrictions without fear of client defection.
Step 4: Systemic Entrenchment
As more nonprofits become trapped, the platforms gain market power that makes regulatory change even more difficult.
Data Portability Laws & Frameworks

What is Donor Tokenization (this is the thing nonprofits think they own but probably don’t)
GDPR (European Union)
Under GDPR, payment data including “credit card numbers, expiry dates, CVV codes, and cardholder names” is classified as personal data requiring protection (source: GDPR and Payments: A Guide to Data Protection Compliance, GDPR Local). However, the European Article 29 Working Party has stated that even when a token is created by choosing a random number, the resulting token typically does not make it impossible to re-identify the data; as a result, the token is best described as “pseudonymized” data, which would still be “personal data” subject to the GDPR (source: Is it possible for a token to still be considered “personal information?”, Lexology).
This means payment tokens may still fall under GDPR’s data portability rights, giving customers the right to obtain their data in a structured format.
PCI DSS (Payment Card Industry)
PCI DSS requires tokenization systems to use “strong cryptography” and be stored in “segmented, PCI-compliant environments,” with tokens generated using “robust algorithms” and protected through encryption (sources: Thoropass; SISA). However, PCI DSS doesn’t explicitly require data portability; it focuses on security standards.
How Major Processors Handle Portability
Braintree’s Leadership
Braintree was the first to champion credit card data portability in 2010, creating “a secure, PCI Compliant, and standards-based process for data transfers” with objectives including “eliminating vendor lock-in for merchants” (source: What is Credit Card Data Portability? | Chargebee Glossaries). Braintree supports credit card data portability, stating “Your data belongs to you” and that they “support credit card data portability – we’ll import your sensitive customer data into your new Braintree gateway, as well as export it if you ever need to leave” (source: Data Migration – Braintree SDK Docs).
Stripe’s Approach
Stripe “will even help you migrate user data if you leave the gateway” (source: Stripe vs. PayPal vs. Braintree: Choosing a Payment Gateway), indicating they support data portability as a business practice.
Industry Reality
While this standard has been in effect for many years and is slowly becoming the norm, “some payment providers still don’t support it” and many merchants “don’t find out until it’s too late” (source: What is Credit Card Data Portability? | Chargebee Glossaries).
Key Limitations
Token vs. Raw Data The critical distinction is between raw payment data and tokenized data. While companies can export customer relationship data and transaction histories, the actual payment tokens often can’t be transferred between systems because:
- Tokens are system-specific – Each processor uses different tokenization methods
- Security by design – Tokens are meant to be non-portable for security
- PCI compliance – Raw card data can’t be exported without strict security measures
Bottom Line
While data portability laws like GDPR create pressure for exportability, payment tokens specifically are often intentionally non-portable for security reasons. What’s typically portable is:
- Customer transaction history
- Billing relationships and preferences
- Non-sensitive customer data
But active payment authorizations usually require re-establishment with new processors, even when customer data is successfully exported.
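An added illustration (constructed for this article, not any processor's or platform's code) of the token-vs-raw-data distinction under Key Limitations and of the processor-coordinated transfer described in the Braintree and Stripe sections: a token is an opaque reference scoped to the vault that issued it, so the only way to keep monthly gifts running on a new platform without asking donors to re-enter cards is for the old vault to re-tokenize each card directly into the new vault and hand the nonprofit an old-to-new token mapping. The vault names, helper functions and card numbers below are assumptions (standard test card numbers, not real cards).

```python
import secrets

# Constructed sample data: three recurring donors' cards (test numbers, not real).
SAMPLE_CARDS = [("4111111111111111", "12/27"), ("5555555555554444", "03/28"),
                ("378282246310005", "09/26")]

class TokenVault:
    """Toy model of a processor's tokenization vault (constructed for this example,
    not any real processor's code). A token is a random opaque reference that is
    meaningful only inside the vault that issued it; it carries no card data."""

    def __init__(self, name):
        self.name = name
        self._store = {}  # token -> card record (encrypted at rest in a real vault)

    def tokenize(self, pan, exp):
        token = f"{self.name}_{secrets.token_hex(8)}"
        self._store[token] = {"pan": pan, "exp": exp}
        return token

    def resolve(self, token):
        # None for a token issued by another vault: this is why tokens are not
        # portable and a new platform cannot simply reuse the old platform's tokens.
        return self._store.get(token)

    def export_to(self, other, tokens):
        """Processor-coordinated transfer: this vault re-tokenizes each card
        directly into the receiving vault and hands the merchant only an
        old->new token mapping. Raw PANs never touch the merchant's systems."""
        return {old: other.tokenize(self._store[old]["pan"], self._store[old]["exp"])
                for old in tokens}

def build_donor_records(vault, cards):
    """Nonprofit-side records: donor id plus the token the current platform holds."""
    return [{"donor_id": i, "token": vault.tokenize(pan, exp)}
            for i, (pan, exp) in enumerate(cards, start=1)]

def migrate_donors(donors, old_vault, new_vault):
    """Rewrite each donor's token so monthly gifts continue on the new platform
    without asking donors to re-enter card details."""
    mapping = old_vault.export_to(new_vault, [d["token"] for d in donors])
    return [{**d, "token": mapping[d["token"]]} for d in donors]

def migration_ok(donors, migrated, old_vault, new_vault):
    """Check every migrated token resolves in the new vault to the same card."""
    return len(donors) == len(migrated) and all(
        new_vault.resolve(n["token"]) == old_vault.resolve(o["token"])
        and new_vault.resolve(o["token"]) is None
        for o, n in zip(donors, migrated))
```

Without the `export_to` step, the "start over" path the article describes is the only alternative: the new vault returns `None` for every old token, so each donor must re-enter their card.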