April 26th, 2010 by Jamie Estep
Blippy is why Visa and MasterCard should protect their merchants
This last week, a social networking company Blippy, notified the world that at some point they suffered a small data breach involving a handful of their customer’s credit card numbers.
Blippy is a service that allows people to share and discus, the purchases that they are making in near real-time. Basically, every time a Blippy user makes a purchase using their credit card, it shows up on Blippy. A little bit like twitter, a user can also embed their blippy feed on their blog, facebook profile, other social network, or website, and their followers can track and discuss every purchase that they make. For this to work smoothly, Blippy obviously needs to store and access some very sensitive information.
This data breach looks like it was extremely small, completely insignificant for realistic purposes, but I think it brings up some very strong points that should question card issuers stance on protecting their card holders.
The reason that Visa and MasterCard should provide some sort of protection for merchants, is that if card holders are stupid enough to share their credit card and bank login information with a social networking site such as Blippy, there’s really no reason that they should be continue to be protected at the expense of merchants. It’s simply absurd to think that merchants should bear the cost of people so ignorant that they would give their banking information out to some random website. “Social networking” and “security” are 2 terms as synonymous as fire and water.
One could always argue that Blippy should have kept the information more secure, which is obvious, but the real problem here is that credit cards are not meant to be used in this manner. It’s just baffling to me that someone would actually enter their card or bank login into any site that they do not have a close relationship with, or are making a purchase from. Then to expect their bank to cover them from unauthorized charges, is just beyond any reason. It’s reckless on Blippy’s part to make a service based on and requiring such sensitive information, and it’s even more reckless for card holders to share this information.
A quick example of the absurdity of this service is a line in Blippy’s terms of service:
Privacy: You may not publish or post other people’s private and confidential information, such as credit card numbers, street address or Social Security/National Identity numbers, without their express authorization and permission.
Hey, but Blippy can publish yours…
To me, this service is clearly crossing the line where credit cards were not mean to and should not go until major modifications to security and merchant protection are established!
To top it all off, Blippy issued this statement on their blog:
In general, it’s important to remember that you’re never responsible if someone uses your credit card without your permission.
As a merchant and a merchant service provider, I don’t want to end up taking a stolen card because a card holder decided to hand out their banking information to a social networking site, who thinks that chargeback expenses are somehow covered by a magical chargeback fairy. It’s the merchant that accepted the card who eats the cost of your poor programming, and complete lack of data security. I think Visa and MasterCard need to step in right now and quash this type of service, and specifically Blippy. It’s really simple, as Blippy is not involved in any part of a credit card transaction, they have no right to a card holder’s transaction information.
Blippy has issued resolutions to prevent this from happening again, but realistically their service should be canned now! My hat goes out to anyone who can get a $12M investment in a service that lets people share their purchases with the world, but it’s time that this is stopped before it gets out of hand.