←back to thread

Didn’t Homejoy Shut Down?

(medium.com)
1121 points alokedesai | 1 comments | 28 Oct 15 19:51 UTC | HN request time: 0.234s | source
Show context
aarontcheung ◴[28 Oct 15 22:42 UTC] No.10467925[source]
I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibily. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

replies(30): >>10467939 #>>10467957 #>>10467983 #>>10467987 #>>10467997 #>>10468007 #>>10468009 #>>10468010 #>>10468016 #>>10468028 #>>10468043 #>>10468068 #>>10468072 #>>10468078 #>>10468091 #>>10468187 #>>10468193 #>>10468221 #>>10468225 #>>10468376 #>>10468464 #>>10468597 #>>10468684 #>>10468700 #>>10468782 #>>10468805 #>>10468825 #>>10469434 #>>10472300 #>>10505131 #
chris_wot ◴[28 Oct 15 23:08 UTC] No.10468068[source]
It is completely unacceptable that you have kept your customer's credit card details. You are completely violating Requirement 3.1 of the latest PCI-DSS (which has been the same since I looked at v2.x of the standard, incidentally):

  3.1 Keep cardholder data storage to a minimum by implementing data retention 
      and disposal policies, procedures and processes that include at least the 
      following for all cardholder data (CHD) storage:
       Limiting data storage amount and retention time to that which is required 
         for legal, regulatory, and/or business requirements
       Specific retention requirements for cardholder data
       Processes for secure deletion of data when no longer needed
       A quarterly process for identifying and securely deleting stored cardholder 
         data that exceeds defined retention.
These standards can be found here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

You might be trying to reboot your business, but your Comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitors website.

You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?

replies(1): >>10468102 #
codezero ◴[28 Oct 15 23:17 UTC] No.10468102[source]
I am going to sound contrarian, but I don't mean to be.

How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.

There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.

The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.

replies(1): >>10468108 #
chris_wot ◴[28 Oct 15 23:18 UTC] No.10468108[source]
I thought it was pretty clear, but I'm willing to elaborate.

The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at HomeJoy as the business has been wound up, so the credit card data should have been deleted.

Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.

replies(2): >>10468161 #>>10468220 #
codezero ◴[28 Oct 15 23:31 UTC] No.10468161[source]
Yeah, I get your position (hopefully!), but I think I'd rather hear from a lawyer whether this is OK or not, my guess is that it is OK.

The snippet you pasted says also:

... regulatory, and/or business requirements

A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.

Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.

As long as the credit card data is transferred in a PCI compliant way, it's legal.

You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.

It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!

I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.

*I said Zenefits :( :(

replies(2): >>10468210 #>>10468405 #
yuhao ◴[29 Oct 15 00:20 UTC] No.10468405[source]
Nitpick: Actually it was ZenPayroll that changed their name to Gusto. Zenefits is definitely still Zenefits.
replies(1): >>10468449 #
codezero ◴[29 Oct 15 00:31 UTC] No.10468449[source]
You're right! Sorry about that.

Obviously, I am a huge fan of nit picking, so it's always welcomed :)

replies(1): >>10468477 #
chris_wot ◴[29 Oct 15 00:39 UTC] No.10468477[source]
Nit picking is fine. I think I was a little bit unfair in my tone towards you in a few of my comments, for which I apologise!
replies(1): >>10468574 #
codezero ◴[29 Oct 15 01:07 UTC] No.10468574[source]
No. I opened this up with a contrarian tone, you were completely civil. Thanks for that!
replies(1): >>10468730 #
1. paxtonUX ◴[29 Oct 15 01:55 UTC] No.10468730[source]
get a room you two ;)