Last week, social networking site Blippy issued an apology to customers for accidentally revealing personal information on the internet, including credit card numbers. This shouldn’t really be a surprise, since Blippy is a service that lets you reveal your credit card purchases to your friends. This isn’t as bad as it seems, since Blippy takes the raw credit card transaction data and sanitizes it. Rather than seeing JCPENNEY PAYMT 304021 8402 BOSTON MA, my purchase would show up as “Ron spent $24.95 at Amazon” or “Sheila got 2 apps from iTunes for $2.98”. A Blippy user designates that all activity on a certain credit card is displayed on their page.
Blippy sees itself as an aggregator of information that people want to share. It’s similar to Facebook and Twitter in that sense. When I first heard about it, my concern was not whether I want to use it, but why would I tie a credit card to a service that is not a merchant?
Online merchants are very careful about using and storing credit card information. Merchants who take credit cards comply with PCI DSS (Payment Card Industry Data Security Standard) standards. Among the many PCI requirements is that credit card information must be encrypted during transmission across open, public networks. Another one is to maintain an information security policy. Many merchants don’t want the liability of storing cardholder data, so they don’t. If you use PayPal, a merchant never sees your credit card information. You select PayPal as a payment method and the merchant receives an electronic payment transaction from your account. Your number doesn’t go across the wire.
Since Blippy is not a merchant nor do they conduct any online transactions, they didn’t see the need to conform to these standards. Maybe they were naive and didn’t think it through, but they do keep credit card information in their systems, which inadvertently got onto the internet. This brings up a larger question of privacy with any site on the internet. Unless you know that a site is run by a reputable firm and that they comply with PCI DSS standards, you should question giving them your credit card information. Many sites don’t store this information, they only use it for the transaction. Services like PayPal simplify this for the customer and merchant.
Today we are all used to purchasing things online and don’t tend to question its safety. For the most part it is safe, since online merchants and financial institutions comply with security and privacy standards. If they didn’t, they would go out of business fast. But social networking and aggregation services need to think about the same things. If someone is asking me to hand over any personal information, I want to make sure they are handling it properly.
To Blippy’s credit, they are addressing this issue. In a recent blog post by their CEO, Ashvin Kumar, they stated:
After reaching a resolution, we spent today working on a go-forward plan to ensure that this never happens again.
- Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
- Have regular 3rd-party infrastructure & application security audits.
- Continue to invest in systems to aggressively filter out sensitive information.
- Control caching of information in search engines.
- Create a security and privacy center that contains information about what we are doing to protect you.
Developing and implementing information security and data governance policies are some of the first things any organization should do. Your customer’s information is the lifeblood of your business and compromising it is the fastest way to the poorhouse or jail. If you have no trust, you have no business. Hopefully Blippy learned its lesson. Make sure you don’t have to learn yours the hard way.
Do you have an information security and data governance policy?
Photo credit purpleslog