
1121 points alokedesai | 5 comments
aarontcheung No.10467925
I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstrapping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibly. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

chris_wot No.10468068
It is completely unacceptable that you have kept your customers' credit card details. You are completely violating Requirement 3.1 of the latest PCI-DSS (which has been the same since I looked at v2.x of the standard, incidentally):

  3.1 Keep cardholder data storage to a minimum by implementing data retention 
      and disposal policies, procedures and processes that include at least the 
      following for all cardholder data (CHD) storage:
      - Limiting data storage amount and retention time to that which is required 
        for legal, regulatory, and/or business requirements
      - Specific retention requirements for cardholder data
      - Processes for secure deletion of data when no longer needed
      - A quarterly process for identifying and securely deleting stored cardholder 
        data that exceeds defined retention.
These standards can be found here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

You might be trying to reboot your business, but your Comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitor's website.

You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?

codezero No.10468102
I am going to sound contrarian, but I don't mean to be.

How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.

There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.

The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.

chris_wot No.10468108
I thought it was pretty clear, but I'm willing to elaborate.

The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at HomeJoy as the business has been wound up, so the credit card data should have been deleted.

Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.

codezero No.10468161
Yeah, I get your position (hopefully!), but I think I'd rather hear from a lawyer whether this is OK or not, my guess is that it is OK.

The snippet you pasted says also:

... regulatory, and/or business requirements

A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.

Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.

As long as the credit card data is transferred in a PCI compliant way, it's legal.

You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.

It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!

I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.

*I said Zenefits :( :(

chris_wot No.10468210
Yeah, you don't need to be a lawyer to implement PCI-DSS. You are entirely missing the following dot point:

"Processes for secure deletion of data when no longer needed"

Those dot points aren't using a disjunction, they must ALL be followed. The standard is very, very clear on that point: once you don't need the data, you securely delete it.

That makes sense, incidentally. If you no longer have the data anywhere, then nobody can get to it even if they compromise your systems and gain access to your credit card lists.

If your company winds down and you no longer bill your customers, you are absolutely required by PCI-DSS (and good security practice!) to delete that data.

As for HomeJoy being the same legal entity, that's not the way that the email sent from HomeJoy reads. It says that Fly Maids is their partner, not the same organisation.

That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home.

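The "quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention" that the comment above quotes from Requirement 3.1 is usually implemented as a scheduled sweep over the merchant's own store. The block below is an added example written for this page, not code from any poster or from Homejoy, FlyMaids or Stripe. It runs against a constructed in-memory store; the record fields, the 180-day retention window and the "merchant wound up" flag are assumptions chosen to illustrate the two cases argued in the thread: an active billing relationship is a documented business need, and a business that no longer bills anyone has no need left and purges everything. The truncated PAN (last four digits) and expiry are kept, since truncated data is not cardholder data under the standard.

```python
"""Quarterly PCI-DSS Requirement 3.1 style retention sweep over an
in-memory card store. Added example; all names and values are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class CardRecord:
    customer_id: str
    token: Optional[str]   # vault token / PAN reference the merchant holds (CHD)
    last4: str             # truncated PAN, allowed to survive the sweep
    exp: str               # expiry, not CHD on its own
    last_charge: date
    active_billing: bool   # ongoing subscription = documented business need


@dataclass
class RetentionPolicy:
    retention_days: int = 180       # assumed documented retention for inactive customers
    merchant_wound_up: bool = False  # no more billing at all => nothing is "needed"


def needs_deletion(rec: CardRecord, policy: RetentionPolicy, today: date) -> bool:
    """Decide whether a record exceeds the defined retention."""
    if rec.token is None:
        return False                       # already purged in an earlier sweep
    if policy.merchant_wound_up:
        return True                        # business has stopped billing: no need remains
    if rec.active_billing:
        return False                       # business requirement still exists
    return (today - rec.last_charge).days > policy.retention_days


def purge(rec: CardRecord) -> CardRecord:
    """Drop the stored PAN/token; keep only truncated PAN and expiry.
    In a real store this step is the storage layer's secure-delete
    (e.g. crypto-shredding the key), not just clearing a field."""
    rec.token = None
    return rec


def quarterly_sweep(records: List[CardRecord], policy: RetentionPolicy,
                    today: date) -> List[str]:
    """Identify and purge every record past retention; return purged customer ids."""
    purged = []
    for rec in records:
        if needs_deletion(rec, policy, today):
            purge(rec)
            purged.append(rec.customer_id)
    return purged


def make_sample_records() -> List[CardRecord]:
    """Constructed sample data for the example (not real customers)."""
    return [
        CardRecord("c1", "tok_aaa", "4242", "12/17", date(2015, 10, 1), True),   # active
        CardRecord("c2", "tok_bbb", "1111", "03/18", date(2015, 1, 15), False),  # stale
        CardRecord("c3", "tok_ccc", "5555", "06/19", date(2015, 9, 1), False),   # recent
    ]


if __name__ == "__main__":
    today = date(2015, 10, 28)
    live = make_sample_records()
    print("ongoing merchant purged:", quarterly_sweep(live, RetentionPolicy(), today))
    wound_up = make_sample_records()
    print("wound-up merchant purged:",
          quarterly_sweep(wound_up, RetentionPolicy(merchant_wound_up=True), today))
```

The policy object is where "needed" gets defined: the standard leaves the retention period to the merchant's documented policy, but it does require that the policy exists and that the sweep runs. Note that the wound-up case purges even customers with `active_billing=True`, because a merchant that no longer charges anyone has no billing relationship left to justify the data.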
codezero No.10468284
I'm not entirely missing the point, but I don't know enough about the PCI-DSS to be too much of a contrarian here :)

Processes for secure deletion of data when no longer needed

Is "needed" defined anywhere?

As far as I can tell this requires companies to create a plan – that plan could be very different between companies.

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

Let me restate what I think you're saying though: When they shut down Homejoy, they should have immediately deleted all the data they had stored in Stripe (or whatever payment system they use)?

"That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home."

Totally agree, maybe let's leave it at that :)

chris_wot No.10468304
Is "needed" defined anywhere?

Speechless!

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

No, Stripe would then be violating PCI-DSS themselves.

codezero No.10468374
How could Stripe know if one of their users is out of business and should delete their data? I'm a bit confused (as you already know!)

Stripe has API calls to get the last four digits and expiration date.

Also, it's not clear that the /payments page isn't secure, the screenshot is of the Profile page.

*edit: see my reply to your other comment, didn't realize you were OP, so I will now assume you did check the payment form for security and it was not there, which is definitely even more shocking.

chris_wot No.10468472
First, I want to apologise if my tone has been a bit off on a few of my replies.

Stripe is very unlikely to transfer credit card data to an entirely different organisation. They also require evidence of PCI compliance before they will do business with you.

As for knowing when your business is being dissolved: I have to refer you to their terms of service, found at https://stripe.com/us/terms

You agree to give us at least 30 days prior notification of your intent to change your current product or services types, your trade name, or the manner or types of payments you accept. You agree to provide us with prompt notification if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding. You also agree to promptly notify us of any adverse change in your financial condition, any planned or anticipated liquidation or substantial change in the basic nature of your business, any transfer or sale of 25% or more of your total assets or any change in the control or ownership of you or your parent entity. You will also notify us of any judgment, writ or warrant of attachment or execution, or levy against 25% or more of your total assets not later than 3 days after you obtain knowledge of it.

You are guessing, however, that they are using Stripe or another credit card provider to store that data. But given Stripe need to handle charge backs and other things, I can't see them not knowing about HomeJoy, given how public the windup was.

codezero No.10468590
Yep this all makes sense. I still think there's a chance it wasn't transferred at all. Since the founder of Homejoy runs the new site it could be that they're still the same entity and business with the same stripe account. Maybe this has its own implications.

Unfortunately it sounds like the worst case for them is that enough people report them to their payment provider and they get fined. Clearly what they face there is probably not worse than the huge violation of trust their former customers will feel.

By the way thanks for digging into this so much. The Stripe TOS are darn clear here.

chris_wot No.10468625
:-) if you hadn't asked a lot of questions, I wouldn't have dug in!