StorefrontBacktalk

This is page 2 of:

Blippy Fiasco Shows PCI Applies To Everybody—At Least It Should

April 29th, 2010

In a posting on Monday (April 26), Ashvin Kumar, Blippy co-founder & CEO, promised to take several steps to address the problem. These steps include hiring a Chief Security Officer and having regular third-party infrastructure and application security audits. These are positive steps. But we have to wonder why they weren’t taken from the beginning, when it had to be obvious to Blippy that it was dealing with cardholder data.

Then again, as has been noted before, cardholder data can leak into all kinds of places where you don’t even think to look.

For the sake of its customers and its brand, security should have been a part of Blippy’s business model from day one. In this case, security never seems to have appeared on anyone’s radar. Where were the adults? Where were the investors who should have asked how the company was going to protect its data, its brand and, by the way, their investments?

I don’t know which company Blippy will choose to assess its security (after this column, I feel I can safely say which one won’t be doing it), but I hope the site uses PCI DSS or even PA-DSS as a model. I also hope Blippy applies the standard not only to its cardholder data but also to all the PII on its systems. I particularly hope Blippy orders comprehensive internal and external penetration tests, because it has managed to paint a big target on its chest, and my guess is the bad guys are scanning the site a few zillion times a day.

In a much larger sense, this situation is not about Blippy. Nor is it about any one company. The breach raises a curious PCI enforcement issue the card brands will have to address. Specifically, how can they enforce their rules on a whole range of new companies and industries that “store, process or transmit” cardholder data but have no connection–directly or indirectly–to a merchant or service provider? Should the brands develop a new security standard for these companies?

The card brands could hold each merchant responsible. After all, some merchant had to send the PANs in the first place. The theory is that if you share cardholder data with, say, Blippy, then you share in the responsibility for that data.

I worry this approach won’t work, though, because an underlying principle of PCI is that you are responsible for your own compliance, not someone else’s. You have to take precautions (per Requirement 12.8) when you share cardholder data, but that’s it. Even so, the threat might be enough to send a lot of merchants running away from these new companies or at least have merchants rechecking how they are complying with 12.8.

Today, the card brands lack any leverage to enforce compliance or even basic responsibility on a whole class of emerging companies that use or depend on cardholder data. We all should hope that clever people at Amex, Discover, JCB, MasterCard and Visa can figure out this issue without shifting the burden to the merchant. If they can’t, Blippy will only be this week’s example of a data breach that should have been prevented.

What do you think? I’d like to hear your thoughts. Either leave a comment or e-mail me.

Posted in CRM, E-Commerce, IT Strategy/Industry, Payment Systems, Security/Fraud

Comments are closed.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.