Last week, Blippy, a Twitter for purchases, created quite a stir when
it was revealed that the company had exposed the credit card numbers of
The company's co-founder, Philip Kaplan, sought to downplay the severity of the mistake but as more and more individuals cozy up to the growing number of services that encourage 'oversharing' of financial-related information online, a number of parties involved with commerce will be affected.
Here's how this could play out.
Credit Card Holders & Issuers
In attempting to reassure Blippy users that the company's faux pas was "a lot less bad than it looks", Blippy co-founder Philip Kaplan wrote:
While we take this very seriously and it is a headache for those involved, it’s important to remember that you’re never responsible if someone uses your credit card without your permission. That’s why it’s okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers.
Unfortunately, Kaplan apparently hasn't read a cardholder agreement lately. In practice, credit card issuers rarely hold their cardholders liable for purchases that are truly unauthorized. But that doesn't mean that they can't.
Most cardholder agreements protect the cardholder against unauthorized charges provided that the cardholder has taken reasonable measures to protect his or her card against loss or theft. Can individuals willingly sharing purchasing information with a service like Blippy really claim to be exercising reasonable care to safeguard their credit card details? That's a big question.
Blippy is not a virtual waiter or store clerk. Individuals who hand over a credit card to a waiter or store clerk have a legitimate need to do so, and the credit card company has a legitimate interest in protecting its cardholders against the bad apples who abuse legitimate positions to commit credit card theft. Blippy, of course, is not party to any sales transaction. It's simply obtaining access to credit card information so that it can share its users' purchases with the rest of the world. Fun, perhaps, but quite unnecessary commercially.
If services like Blippy gain mainstream popularity, it may not take long for credit card issuers to think twice about the protections they're willing to provide to cardholders who authorize third parties to access credit card data when those third parties are not involved in actual sales transactions, especially when some of the people behind these services a "you're not on the hook anyway" attitude.
Credit Card Associations
Credit card associations, such as Visa and MasterCard, have a stake in the sharing of credit card details with services like Blippy because these associations are typically responsible for setting security rules that issuers and merchants must abide by. For instance, merchants falling under Visa's Level 1 categorization are subject to an annual on-site data security assessment.
Such requirements are understandable: a single security breach can cost a credit card association and its issuers upon millions of dollars. Additionally, such breaches may also have an untold cost: reduced consumer confidence in the credit card system may lead some individuals to think twice about pulling out their plastic to make a purchase, especially online.
But what about services like Blippy? They're not 'official' members of the payment processing ecosystem, but they come into possession of credit card numbers and may store them for some period of time. That means that any security mishap on their part could be just as serious (and costly) to credit card associations and their issuers. Given that, credit card associations may look to clamp down, either by targeting these services directly or seeking to limit when and how cardholders can link their accounts to third parties.
Blippy and services like it have the potential to be a thorn in the side of merchants. Already, Amazon has taken a hardline stance by blocking Blippy from tracking Amazon transactions directly. In light of what was revealed last week, Amazon's concerns about Blippy seem understandable.
While the data Blippy obtains directly from merchants doesn't contain credit card information, that doesn't mean that Amazon and other merchants couldn't find themselves implicated by a breach.
After all, Blippy promotes that it supports a number of merchants, including Amazon, on its homepage, and new users may assume that the merchants listed are somehow involved with the service. If any future data leaks result in legal action, merchants could conceivably find themselves mixed up in the mess, even if they're not really involved.
At some point, more merchants may follow Amazon's lead in trying to prevent Blippy-like services from accessing customer accounts directly, and they may decide to take action to prevent such services from using their names altogether.
The fact that services like Blippy aren't foolproof isn't going to keep many individuals from oversharing. That means credit card holders, credit card issuers, credit card associations and merchants alike will all have to deal with them. Given the potential risks, they may want to do that sooner than later.