1121 points alokedesai | 3 comments
aarontcheung No.10467925
I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstrapping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibly. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

replies(30): >>10467939 #>>10467957 #>>10467983 #>>10467987 #>>10467997 #>>10468007 #>>10468009 #>>10468010 #>>10468016 #>>10468028 #>>10468043 #>>10468068 #>>10468072 #>>10468078 #>>10468091 #>>10468187 #>>10468193 #>>10468221 #>>10468225 #>>10468376 #>>10468464 #>>10468597 #>>10468684 #>>10468700 #>>10468782 #>>10468805 #>>10468825 #>>10469434 #>>10472300 #>>10505131 #
chris_wot No.10468068
It is completely unacceptable that you have kept your customers' credit card details. You are completely violating Requirement 3.1 of the latest PCI-DSS (which has been the same since I looked at v2.x of the standard, incidentally):

  3.1 Keep cardholder data storage to a minimum by implementing data retention
      and disposal policies, procedures and processes that include at least the
      following for all cardholder data (CHD) storage:
      - Limiting data storage amount and retention time to that which is required
        for legal, regulatory, and/or business requirements
      - Specific retention requirements for cardholder data
      - Processes for secure deletion of data when no longer needed
      - A quarterly process for identifying and securely deleting stored cardholder
        data that exceeds defined retention.
These standards can be found here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

You might be trying to reboot your business, but your comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitor's website.

You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?

replies(1): >>10468102 #
codezero No.10468102
I am going to sound contrarian, but I don't mean to be.

How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.

There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.

The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.

replies(1): >>10468108 #
chris_wot No.10468108
I thought it was pretty clear, but I'm willing to elaborate.

The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at Homejoy as the business has been wound up, so the credit card data should have been deleted.

Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.

replies(2): >>10468161 #>>10468220 #
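Requirement 3.1 as quoted above, together with the point in this reply that a wound-up business has no remaining need to hold card data, as an added example that is none of the commenters' code: a Python retention sweep over constructed records, where only a processor token, last four digits and expiry are stored. The 365-day window, the StoredCard fields, the sample dates and the token strings are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of what a merchant might retain per customer. Only a
# processor token plus last four digits and expiry are kept; a full PAN is
# never stored here at all (assumption: the payment processor holds the card).
@dataclass
class StoredCard:
    customer_id: str
    token: str        # processor-side reference to the card
    last4: str
    expiry: str       # MM/YY
    last_billed: date
    account_closed: bool = False

RETENTION_DAYS = 365  # hypothetical documented retention period (3.1, bullet 2)

def exceeds_retention(card, today, business_active=True):
    """3.1 test: is there still a legal or business need to keep this record?"""
    if not business_active:    # business wound up: nothing will ever be billed again
        return True
    if card.account_closed:
        return True
    return today - card.last_billed > timedelta(days=RETENTION_DAYS)

def quarterly_sweep(cards, today, business_active=True):
    """3.1, bullet 4: identify records past retention and return them for deletion.

    Returns (kept, to_delete) as lists of customer ids; the caller deletes the
    rows and revokes the processor tokens (the deletion itself is out of scope).
    """
    kept, to_delete = [], []
    for card in cards:
        (to_delete if exceeds_retention(card, today, business_active)
         else kept).append(card.customer_id)
    return kept, to_delete

def make_sample():
    """Constructed test data; dates and tokens are illustrative only."""
    return [
        StoredCard("c1", "tok_aaa", "4242", "12/17", date(2015, 9, 1)),
        StoredCard("c2", "tok_bbb", "1111", "06/16", date(2014, 6, 1)),
        StoredCard("c3", "tok_ccc", "5555", "03/18", date(2015, 10, 1), True),
    ]

if __name__ == "__main__":
    today = date(2015, 10, 28)
    print(quarterly_sweep(make_sample(), today))
    print(quarterly_sweep(make_sample(), today, business_active=False))
```

With business_active=False every record is flagged, which is the situation the reply describes: once billing has stopped for good, no retention window justifies keeping any of it.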
chetanahuja No.10468220
and umm... the OP was able to access their account details, including CC data over a plain HTTP connection.
replies(2): >>10468239 #>>10468242 #
codezero No.10468239
Not the entire card, just the last four digits and expiration date. Is there anything that says that's not allowed? The PCI is about storage of the data.

It's bonkers to display it over an insecure connection, but I don't think that it's disallowed.

replies(1): >>10468252 #
chris_wot No.10468252
You really need to read the PCI-DSS standard before you make comments like that.

Rather than me pointing out exactly why what you just said was completely wrong, I suggest you download it from here:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.

replies(2): >>10468288 #>>10468430 #
syed99 No.10468430
If they were using Stripe, how did they pass details through onto HTTP? As far as I remember, their webhook won't even communicate with an insecure page. They must be using some other payment gateway.
replies(1): >>10468629 #
chris_wot No.10468629
I sure hope they don't gather the data via calls to Stripe's API then push it out via HTTP (and vice versa!)
replies(1): >>10470007 #
chris_wot No.10470007
Oh brother - surely they weren't storing that data themselves?!?