Blippy Fiasco Shows PCI Applies To Everybody—At Least It Should

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Most people know PCI applies to merchants. But PCI also applies to any entities that "store, process or transmit" cardholder data. If you do any of these three things, PCI applies to you.

In our increasingly strange new world of social networking and mobile commerce, a whole range of unexpected places will need to deal with PCI DSS. This week's example is Blippy, the social exhibitionism site that last week posted more than just some members' purchases online. It also posted their payment card numbers for the world to see.

PCI enforcement is the province of the five card brands. I wonder what the brands will do to Blippy? I also wonder whether other companies that handle cardholder data and can't yet spell PCI will get the message that it applies to them, too.

What happened last week was a cardholder data breach. It was a small one, to be sure--only eight PANs acknowledged so far--but a breach nonetheless. That the breach was due to internal errors (sort of a PCI "own goal") is not particularly relevant either, except to the extent that Blippy has now identified itself as a plump target for any number of carder gangs.

If this breach happened to a merchant, there would be consequences. The card brands might order a forensic investigation to assess whether the merchant was PCI compliant at the time of the breach and to understand exactly what happened. The merchant would, of course, have the pleasure of paying for the forensics and fixing the problem. Fines might also be levied, and they might continue until the situation is corrected, although that is not a certainty.

Finally, if the merchant is not Level 1 already, the brands or the merchant's acquirer could exercise their option to make it validate as a Level 1 merchant from here onward. This sanction means the merchant will require a Report on Compliance by a QSA and cannot validate compliance using a Self-Assessment Questionnaire. And if the merchant did use a QSA, then that poor soul might suffer collateral damage, too (I'm a QSA; let me get defensive).

What will happen to Blippy as a result of its breach? Probably nothing. Because Blippy is not a merchant, it doesn't have an acquirer. Similarly, it is difficult to see how Visa, MasterCard, American Express or any other brand can exert much pressure on Blippy, let alone fine the site. About the worst any brand could do is take away its corporate travel cards.

Blippy is emblematic of many similar emerging companies that deal with cardholder data but are not directly involved in the payment system. Although it stores, processes and transmits cardholder data, it doesn't seem to take much responsibility for its actions. The good news is that more recent comments on Blippy's blog indicate that it appears to be taking responsibility.In a posting on Monday (April 26), Ashvin Kumar, Blippy co-founder & CEO, promised to take several steps to address the problem. These steps include hiring a Chief Security Officer and having regular third-party infrastructure and application security audits. These are positive steps. But we have to wonder why they weren't taken from the beginning, when it had to be obvious to Blippy that it was dealing with cardholder data.

Then again, as has been noted before, cardholder data can leak into all kinds of places where you don't even think to look.

For the sake of its customers and its brand, security should have been a part of Blippy's business model from day one. In this case, security never seems to have appeared on anyone's radar. Where were the adults? Where were the investors who should have asked how the company was going to protect its data, its brand and, by the way, their investments?

I don't know which company Blippy will choose to assess its security (after this column, I feel I can safely say which one won't be doing it), but I hope the site uses PCI DSS or even PA-DSS as a model. I also hope Blippy applies the standard not only to its cardholder data but also to all the PII on its systems. I particularly hope Blippy orders comprehensive internal and external penetration tests, because it has managed to paint a big target on its chest, and my guess is the bad guys are scanning the site a few zillion times a day.

In a much larger sense, this situation is not about Blippy. Nor is it about any one company. The breach raises a curious PCI enforcement issue the card brands will have to address. Specifically, how can they enforce their rules on a whole range of new companies and industries that "store, process or transmit" cardholder data but have no connection--directly or indirectly--to a merchant or service provider? Should the brands develop a new security standard for these companies?

The card brands could hold each merchant responsible. After all, some merchant had to send the PANs in the first place. The theory is that if you share cardholder data with, say, Blippy, then you share in the responsibility for that data.

I worry this approach won't work, though, because an underlying principle of PCI is that you are responsible for your own compliance, not someone else's. You have to take precautions (per Requirement 12.8) when you share cardholder data, but that's it. Even so, the threat might be enough to send a lot of merchants running away from these new companies or at least have merchants rechecking how they are complying with 12.8.

Today, the card brands lack any leverage to enforce compliance or even basic responsibility on a whole class of emerging companies that use or depend on cardholder data. We all should hope that clever people at Amex, Discover, JCB, MasterCard and Visa can figure out this issue without shifting the burden to the merchant. If they can't, Blippy will only be this week's example of a data breach that should have been prevented.

What do you think? I'd like to hear your thoughts. Either leave a comment or e-mail me.