Last week, Blippy, a Twitter for purchases, created quite a stir when it was revealed that the company had exposed the credit card numbers of several users.

The company's co-founder, Philip Kaplan, sought to downplay the severity of the mistake but as more and more individuals cozy up to the growing number of services that encourage 'oversharing' of financial-related information online, a number of parties involved with commerce will be affected.

Here's how this could play out.

Credit Card Holders & Issuers

In attempting to reassure Blippy users that the company's faux pas was "a lot less bad than it looks", Blippy co-founder Philip Kaplan wrote:

While we take this very seriously and it is a headache for those involved, it’s important to remember that you’re never responsible if someone uses your credit card without your permission.  That’s why it’s okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers.

Unfortunately, Kaplan apparently hasn't read a cardholder agreement lately. In practice, credit card issuers rarely hold their cardholders liable for purchases that are truly unauthorized. But that doesn't mean that they can't.

Most cardholder agreements protect the cardholder against unauthorized charges provided that the cardholder has taken reasonable measures to protect his or her card against loss or theft. Can individuals willingly sharing purchasing information with a service like Blippy really claim to be exercising reasonable care to safeguard their credit card details? That's a big question.

Blippy is not a virtual waiter or store clerk. Individuals who hand over a credit card to a waiter or store clerk have a legitimate need to do so, and the credit card company has a legitimate interest in protecting its cardholders against the bad apples who abuse legitimate positions to commit credit card theft. Blippy, of course, is not party to any sales transaction. It's simply obtaining access to credit card information so that it can share its users' purchases with the rest of the world. Fun, perhaps, but quite unnecessary commercially.

If services like Blippy gain mainstream popularity, it may not take long for credit card issuers to think twice about the protections they're willing to provide to cardholders who authorize third parties to access credit card data when those third parties are not involved in actual sales transactions, especially when some of the people behind these services a "you're not on the hook anyway" attitude.

Credit Card Associations

Credit card associations, such as Visa and MasterCard, have a stake in the sharing of credit card details with services like Blippy because these associations are typically responsible for setting security rules that issuers and merchants must abide by. For instance, merchants falling under Visa's Level 1 categorization are subject to an annual on-site data security assessment.

Such requirements are understandable: a single security breach can cost a credit card association and its issuers upon millions of dollars. Additionally, such breaches may also have an untold cost: reduced consumer confidence in the credit card system may lead some individuals to think twice about pulling out their plastic to make a purchase, especially online.

But what about services like Blippy? They're not 'official' members of the payment processing ecosystem, but they come into possession of credit card numbers and may store them for some period of time. That means that any security mishap on their part could be just as serious (and costly) to credit card associations and their issuers. Given that, credit card associations may look to clamp down, either by targeting these services directly or seeking to limit when and how cardholders can link their accounts to third parties.


Blippy and services like it have the potential to be a thorn in the side of merchants. Already, Amazon has taken a hardline stance by blocking Blippy from tracking Amazon transactions directly. In light of what was revealed last week, Amazon's concerns about Blippy seem understandable.

While the data Blippy obtains directly from merchants doesn't contain credit card information, that doesn't mean that Amazon and other merchants couldn't find themselves implicated by a breach.

After all, Blippy promotes that it supports a number of merchants, including Amazon, on its homepage, and new users may assume that the merchants listed are somehow involved with the service. If any future data leaks result in legal action, merchants could conceivably find themselves mixed up in the mess, even if they're not really involved.

At some point, more merchants may follow Amazon's lead in trying to prevent Blippy-like services from accessing customer accounts directly, and they may decide to take action to prevent such services from using their names altogether.


The fact that services like Blippy aren't foolproof isn't going to keep many individuals from oversharing. That means credit card holders, credit card issuers, credit card associations and merchants alike will all have to deal with them. Given the potential risks, they may want to do that sooner than later.

Patricio Robles

Published 26 April, 2010 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.

2641 more posts from this author

You might be interested in

Comments (2)



Thanks for publishing this news for readers.'s response to the incident has been inadequate and misleading (and of course they should have been aware of the problem themselves before).  It undermines other organisations with better information security and privacy practices.

Yes, I also wondered about whether the testimonials on the home page would begin to be withdrawn.  It makes those organisations look associated with the problem too.

about 8 years ago

Rick Noel

Rick Noel, Digital Marketing Consultant at eBiz ROI, Inc.

Oversharing of information seems to be a phenomena with Social Media. People openly share private pictures of videos of their family with strangers, where they are traveling and when, their actual birthday and other personally identifiable information in their social media profiles. There will always be a trade-off between convenience and security. For instance, you can make video sharing private but it is more work to create and share a private URL or to build friend list to filter content to offline friends only. It is as if somehow, the fact that  social media is "virtual" seems to disassociate and allay fears of protecting personal information after drinking too much of the social media cool aid. I am a strong advocate and social media believer, but for personal and business use, just make sure to apply a good dose of offline common sense while traveling across the virtual universe. Protect your personal information online just as vigirously as you would offline.

about 8 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.