Blippy Breach Spurs Payment Card Conversation
Data protection standards should apply to everyone, says blogger
April 30, 2010
A lot has been made of the recent credit card number snafu at Blippy, the social networking startup that encouraged customers to make their purchase habits public. Some have called it a lesson in how not to respond to a breach of credit and debit card data. Others have pointed to it as another example of the potential pitfalls of “oversharing.”
Now, for all you data protection aficionados, here’s some more food for thought: To whom, exactly, should the Payment Card Industry Data Security Standards — more often known as PCI-DSS — apply? Or rather, what should be done to rectify situations in which PCI-DSS may not apply directly? These are the questions raised by Storefront Backtalk blogger Walter Conway.
As reported earlier this week, Blippy inadvertently exposed card numbers for eight customers when it accidentally included transaction data within HTML code that appeared on certain pages back in February. Though the code was only live on Blippy’s site for a half-day before it was taken down, it remained online via Google’s system of “cached” web pages, says eWEEK. Blippy began investigating the situation April 23, worked with Google to make sure the sensitive pages were taken down, and has announced steps it is taking to enhance security protocols.
For commentators like Storefront Backtalk’s Conway, the Blippy case raises an interesting conundrum. The PCI-DSS were established by five major credit card brands for the purpose of providing a baseline set of data protection standards for companies that handle credit card data—like merchants and service providers. On the other hand, “Blippy is emblematic of many similar emerging companies that deal with cardholder data but are not directly involved in the payment system,” he writes. How can the card brands “enforce their rules on a whole range of new companies and industries that ‘store, process or transmit’ cardholder data but have no connection–directly or indirectly–to a merchant or service provider? Should the brands develop a new security standard for these companies?”
©2003-2010 Identity Theft 911, LLC. All rights reserved.