Blippy Fiasco Shows PCI Applies To Everybody—At Least It ShouldWritten by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Most people know PCI applies to merchants. But PCI also applies to any entities that “store, process or transmit” cardholder data. If you do any of these three things, PCI applies to you.
In our increasingly strange new world of social networking and mobile commerce, a whole range of unexpected places will need to deal with PCI DSS. This week’s example is Blippy, the social exhibitionism site that last week posted more than just some members’ purchases online. It also posted their payment card numbers for the world to see.
PCI enforcement is the province of the five card brands. I wonder what the brands will do to Blippy? I also wonder whether other companies that handle cardholder data and can’t yet spell PCI will get the message that it applies to them, too.
What happened last week was a cardholder data breach. It was a small one, to be sure–only eight PANs acknowledged so far–but a breach nonetheless. That the breach was due to internal errors (sort of a PCI “own goal”) is not particularly relevant either, except to the extent that Blippy has now identified itself as a plump target for any number of carder gangs.
If this breach happened to a merchant, there would be consequences. The card brands might order a forensic investigation to assess whether the merchant was PCI compliant at the time of the breach and to understand exactly what happened. The merchant would, of course, have the pleasure of paying for the forensics and fixing the problem. Fines might also be levied, and they might continue until the situation is corrected, although that is not a certainty.
Finally, if the merchant is not Level 1 already, the brands or the merchant’s acquirer could exercise their option to make it validate as a Level 1 merchant from here onward. This sanction means the merchant will require a Report on Compliance by a QSA and cannot validate compliance using a Self-Assessment Questionnaire. And if the merchant did use a QSA, then that poor soul might suffer collateral damage, too (I’m a QSA; let me get defensive).
What will happen to Blippy as a result of its breach? Probably nothing. Because Blippy is not a merchant, it doesn’t have an acquirer. Similarly, it is difficult to see how Visa, MasterCard, American Express or any other brand can exert much pressure on Blippy, let alone fine the site. About the worst any brand could do is take away its corporate travel cards.
Blippy is emblematic of many similar emerging companies that deal with cardholder data but are not directly involved in the payment system. Although it stores, processes and transmits cardholder data, it doesn’t seem to take much responsibility for its actions. The good news is that more recent comments on Blippy’s blog indicate that it appears to be taking responsibility.