As a result of PCI compliance a lot of merchants are relying on 3rd parties to store their credit card info. That does make sense for many merchants, large and small. However, it is imperative, especially if you are a subscription based service or have "1-click" accounts set up for your customers that should you leave that particular service provider, there is an agreement and the processes in place to securely and in a timely fashion get your data back.
Here at Vindicia, we have a standard clause in our agreement that covers this possible outcome and as long as the merchant has become PCI compliant themselves or is switching to another PCI compliant vendor they can have it back.
Unfortunately, as we have recently learned, not all outsourced providers are treating this issue this way and in fact are using PCI as an excuse to handcuff their customers and potentially bring great harm to them financially if they ever leave.
We brought on a new customer about 9 months ago and have been engaged, along with the customer, every since in trying to help them get their data back. First we were told No, then Yes, but they claimed they did not have the capability to extract the data argument and the latest is No again. I will not name the provider (yet), but they are hiding behind PCI. PCI is not an excuse for handcuffing your customers. More on this as it evolves, but be careful who you trust with your data.