
Ask HN: Should I report my main competitor for PCI Violations? - altron
It has recently come to my attention that my largest competitor (B2B SaaS in a niche market) has blatantly disregarded all PCI regulations for close to a decade.

He uses a multi-tenant database, stores CC numbers in plain-text (full 16 digits, CVV and Expiration Date), and shows that data to the user, in plain-text, at the time of payment.

I discovered this in the process of helping a new customer export their data from the old system.

I've spent days debating the ethics of reporting or making this public. On the one hand, I'd be putting him out of business (and I'm well poised to scoop up those new prospects). On the other hand, he's putting people's finances at risk and I feel obligated to say something that the public may not be able to discern.

Any advice would be greatly appreciated.
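A defender's check for the situation described above, added here as an example and not code from the original post: it scans a data export for plain-text PANs (Luhn-validated), security codes and expiry dates, then produces a redacted copy with PANs masked to the last four digits and CVVs blanked. The sample export, its column names and the header heuristic for the CVV column are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export (not from the thread): the shape of a dump from a
# system that keeps full PANs, CVVs and expiry dates in plain text. The card
# numbers are well-known synthetic test numbers, not real cards.
SAMPLE_EXPORT = """customer_id,name,card_number,cvv,expiry,phone
1001,Alice Example,4111 1111 1111 1111,123,12/26,555-0100
1002,Bob Example,5555555555554444,987,03/25,555-0101
1003,Carol Example,not on file,,,555-0102
"""

PAN_RE = re.compile(r"^\d{13,19}$")                    # PAN length range, separators removed
CVV_RE = re.compile(r"^\d{3,4}$")                      # security code: 3 digits (4 for Amex)
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/\d{2}$")     # MM/YY
CVV_HEADER_RE = re.compile(r"cvv|cvc|cvn|security.?code", re.IGNORECASE)  # assumed header names


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every issued PAN passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize(value: str) -> str:
    """Strip the spaces and dashes PANs are often stored with."""
    return (value or "").replace(" ", "").replace("-", "")


def is_pan(value: str) -> bool:
    v = normalize(value)
    return bool(PAN_RE.match(v)) and luhn_valid(v)


def mask_pan(value: str) -> str:
    """Display form that keeps only the last four digits."""
    v = normalize(value)
    return "*" * (len(v) - 4) + v[-4:]


def scan_export(text: str) -> dict:
    """Report which CSV columns hold PANs, security codes or expiry dates.

    A CVV column is flagged only when the header looks like a security-code field
    AND the values are 3-4 digits, so short numeric ids are not reported as CVVs.
    """
    reader = csv.DictReader(io.StringIO(text))
    pan_cols, cvv_cols, exp_cols = set(), set(), set()
    pan_count = 0
    for row in reader:
        for col, raw in row.items():
            value = raw or ""
            if is_pan(value):
                pan_cols.add(col)
                pan_count += 1
            elif CVV_HEADER_RE.search(col) and CVV_RE.match(value):
                cvv_cols.add(col)
            elif EXPIRY_RE.match(value):
                exp_cols.add(col)
    return {
        "pan_columns": sorted(pan_cols),
        "cvv_columns": sorted(cvv_cols),
        "expiry_columns": sorted(exp_cols),
        "pan_count": pan_count,
    }


def redact_export(text: str) -> str:
    """Return a copy safe to hand on: PANs masked to last four, security codes blanked."""
    findings = scan_export(text)
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in findings["pan_columns"]:
            if is_pan(row[col]):
                row[col] = mask_pan(row[col])
        for col in findings["cvv_columns"]:
            row[col] = ""                  # a CVV must never be retained after authorization
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(scan_export(SAMPLE_EXPORT))
    print(redact_export(SAMPLE_EXPORT))
```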
======
notwedtm
I guess I'm the odd one out on this, but why not send your competitor an email
and let him know what he's doing is risky and dangerous. Perhaps he doesn't
know? Perhaps he had a developer who told him everything was fine, and a
friendly, across-the-aisle approach could help things.

As you said, you'd probably put him out of business, and regardless if that's
your competitor or not, it's still a human being with a life that will be
ruined.

As icebraining mentioned earlier, it's not illegal to not be in PCI
compliance, just really, really dumb.

~~~
Klinky
This might be the nice thing to do, but anything that points back to him being
the source of the complaint may not be best for him in the long run.

~~~
notwedtm
Why not? If the competitor decides not to take his advice, and he then reports
him for violating PCI, he can say, "Hey look, I reached out via email to him
and tried to help, he blew me off/didn't fix anything, so I then took steps to
protect his customers, since he wasn't."

~~~
Klinky
It's about retaliation and legal issues. The guy could easily retaliate with a
smear campaign or even take legal action saying he was "hacking" or doing
"espionage".

Whistleblowing often has negative consequences for the whistleblower.

------
jacquesm
I would go for a multi-stage approach here:

- first let them know you know, and that you'd like for this to be handled in
the best interest of the users (that's who you're doing this for, right?)

- then, depending on the response you have several options:

- If they stonewall, alert the public

- If they respond, figure out what a reasonable timeframe should be for them
to become compliant

- Then give them that much time and review the new situation

- If they're still not compliant but have made progress review the situation
from the new vantage point

- If they have not made meaningful progress, alert the public.

Don't let this 'opportunity' get the better of you in the ethics department,
what goes around comes around and since you're doing your utmost to be
anonymous here be aware that you too might have a skeleton or two in your
closet and making enemies with nothing to lose might not be in your advantage.

On the other hand: building a bridge for a competitor to walk over when they
were vulnerable might place you well some years down the line when that
founder is looking for succession.

As for the whole PCI compliance thing: depending on where this all happens in
the chain the company might be lying about them being PCI compliant _or_ their
auditors have messed up, either way nobody appointed you judge, jury and
executioner so tread with some care, the whole thing might backfire in some
unexpected and spectacular way if it turns out you were mistaken.

~~~
kabdib
I wouldn't set myself up as a judge. How do you know what a reasonable
timeframe is, or meaningful progress?

I'd report it and be done with it. Minimal drama and involvement. Alert the
public as a very last resort, if the PCI folks are uninterested (and I
guarantee you, they _will_ be interested).

------
CodeWriter23
Disclaimer: I choose to treat people the way I would like to be treated.

My $0.02: maybe this is just one way your competitor is inept at running their
business. I'd say the probability is very high of that. An overwhelmed founder
IMO may be a sweet acquisition target. If he knows he is in over his head,
maybe he would be happy to sell you his company for terms you can accept.
You'll get all the customers, and you'll also know those customers are in your
good care.

If you whack him upside the head with a report to Visa, MC, etc. he'll fix it
and continue to be ignorant or negligent in all the other ways he is failing
to adequately serve his customer base.

Lastly, and please know I am not accusing you of a nefarious plot here. But
anyone reading this will see the potential prize of acquiring a competitor's
client base. I want to dispel the myth that a report would be a fatal blow to
his company that would result in your company ending up with all his
customers. His merchant bank who is really on the hook for his PCI compliance
will not terminate his account over a first offense. They will instead make
even more money off him by imposing remediation consulting. And if those
expenses were to put him out of business, there would still be an acquisition
cost in reaching his customers, letting them know that your company exists and
selling them on your solution.

My general approach to life: I do my best to limit my actions to those that
will enhance or maintain the quality of my reflection in the mirror.

~~~
fubarred
Most def. Modified Golden rule: "Treat others _as they wish to be treated_".
Some people wish to be treated differently than I would, so it might be worth
anticipating their expectations.

Meta: [http://inewsdesign.com/2012/11/21/richard-bransons-tip-why-y...](http://inewsdesign.com/2012/11/21/richard-bransons-tip-why-you-should-treat-your-company-like-family/)

------
pm24601
Yes you should. You are following the rules and no doubt at a cost.

You should report him for the same reason that you should report a competitor
that is dumping toxic waste in a stream.

They are externalizing costs to society as a whole to maximize their gain.

There is no malice in demanding that everyone respect the law that safeguards
us all.

If the competitor does not wish to follow the law then they can move to a
locale that does not have that law.

~~~
briandear
I think it's a dick move. It's like calling the cops because your neighbor is
smoking pot in their garage. The activity isn't harming you, it only "harms"
the people with a relationship with the company. If it were me, I'd likely use
the competitor's lack of PCI compliance as a tool for my own marketing -- I
wouldn't even use the competitor's name, but do something like "Unlike many of
our competitors <my_awesome_product> is fully PCI compliant because we care
about your security." Turn the "weakness" of the competitor into your
strength. But reporting him to the authorities? That's very Stasi-esque.

Unless a law is being broken AND it's creating an unsafe situation for your
customers or your company, leave it alone. In my opinion it's a classless move
to go after your competitors in that fashion. Beat them with a better product.
In this case, a "better" product would seem to be one with PCI compliance.

As far as the "toxic waste" analogy -- I've never heard of anyone getting
cancer and dying from a lack of PCI compliance. In fact, there are likely more
important things to worry about than PCI compliance -- Target and all of the
other high profile retailers that were credit-card hacked -- they were all
allegedly PCI compliant, yet it still didn't do much good. I'm not here to
debate the value of PCI compliance -- if it's a requirement of your business,
then obviously you have to do it. But I am debating the ethics of reporting a
competitor for an activity that is NOT illegal, nor is it directly harming
your customers or your business.

~~~
tzs
> Target and all of the other high profile retailers that were credit-card
> hacked -- they were all allegedly PCI compliant, yet it still didn't do much
> good.

How do you conclude that it didn't do much good? The Target breach involved
installing malware on the point-of-sale terminals to grab the data as the
customer was paying.

As far as I know, the attackers didn't get to the stored credit card data. I
suspect that they didn't get to that data in large part because Target was
mostly in PCI compliance, meaning that the stored data was encrypted, on
database servers isolated from the databases not involved in payment
processing, on separate networks with strong access restrictions.

If Target had been treating PCI the way OP's competitor is, the Target breach
could have been much much much worse.

> But I am debating the ethics of reporting a competitor for an activity that
> is NOT illegal, nor is it directly harming your customers or your business.

For a small business that is doing its own credit card storage, PCI compliance
costs can be significant. They can easily double or triple the number of boxes
you need at the data center.

The competitor is saving a lot of money by completely ignoring credit card
security, which gives him an unfair advantage over OP. I'd consider that
sufficient harm to OP to justify taking action.

~~~
jacquesm
Your underlying assumption is that they are doing this to save costs or that
there is malice involved. I see no evidence of that, merely either
incompetence or a company struggling to get with the times or built at a time
when this stuff wasn't so much on the radar as it is today.

That happens a lot and there are ways to deal with it, ratting out your
competitors to authorities with silent hopes of crippling them and taking
their business in the name of protecting the consumer is bad form at best and
will come back to bite you hard at worst.

~~~
tzs
I don't think I made such an assumption. He's saving money, regardless of
whether ignoring credit card security was an intentional money saving move, or
merely a happy side effect of ignorance or incompetence.

The person I was responding to was taking the position that you should not
take action against someone if they are not harming you. That money saving,
regardless of how it came about, harms OP's business, and so justifies action.

Note I didn't say the action should be calling authorities. Contacting the
competitor and letting him know there is a problem would be action, too.

------
dctoedt
1. FALSE ADVERTISING: If the competitor _advertises_ PCI compliance --- or
even advertises "we're secure" --- that's very possibly false advertising in
violation of Section 43(a) of the Lanham Act [1] and perhaps various state
deceptive-trade-practices statutes. Some years back, U-Haul got a $44 million
judgment against a competitor whose ads for rental trucks included inaccurate
dimensions. The damages award was tied to the cost of corrective advertising
that U-Haul would theoretically have to do. [2]

2. TORTIOUS INTERFERENCE COUNTERCLAIM: The competitor's terms of service with
the customer probably include restrictions on access to the competitor's
system. The competitor thus might claim that the OP's accessing of the
customer's data constituted "tortious interference" with the
competitor-customer contract. [3] The competitor's lawyers are likely to pursue
such a claim, because it lets them reframe the issue in their favor, it might
allow them greater discovery from the OP, and it could also lead to a
punitive-damages award. (Whether a tortious-interference claim would _succeed_
depends on a lot of facts that we don't have.)

3. CFAA VIOLATION: As others have pointed out, depending on the
circumstances, the OP might have violated the Computer Fraud and Abuse Act.
[4]

All of the above assumes U.S. law applies.

[1]
[http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=...](http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=4322&context=lcp)

[2] U-Haul v. Jartran, 793 F. 2d 1034, 1041 (9th Cir. 1986)
[http://scholar.google.com/scholar_case?case=1381884152605222...](http://scholar.google.com/scholar_case?case=13818841526052225736)

[3]
[https://en.wikipedia.org/wiki/Tortious_interference](https://en.wikipedia.org/wiki/Tortious_interference)

[4]
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
diminoten
Yeah, this is a point that needs to be driven home, and you're the only guy
making it: talk to a damn lawyer before doing _anything_.

------
verystealthy
QSA here. In a nutshell, I'd say don't. PCI compliance is enforced by the card
brands and acquirers, so it's not up to you to raise a flag here. Maybe they
have compensating controls in place to address those issues (one can be PCI
compliant while storing cardholder data in clear-text) and, depending on the
line of business, they might have a business justification for storing
security codes (unusual, but it can happen). Ultimately, it's not your call.
What you might perceive as a violation could very well be a known issue with
several compensating controls in place to minimize the risk and, if that's OK
with the card brands and/or acquirers, your competitor is doing nothing wrong.
Leave it to their QSA to determine their compliance status and to their
acquirer to make sure that they're compliant.

------
grandalf
Your competitor's merchant processor should have an audit process where this
is discovered.

It is unlikely that reporting it to said merchant processor will result in
account termination since if your competitor is not at the level where an
audit is required, he/she is simply filling out a form.

Incidentally, PCI-DSS 3.0 went into effect today, so _anyone using Heroku_ for
commerce became non-compliant today!

[https://www.google.com/#safe=off&q=add%20to%20cart%20site%3A...](https://www.google.com/#safe=off&q=add%20to%20cart%20site%3Aherokuapp.com)

~~~
verystealthy
The Heroku situation is more nuanced than it seems. This is not a PCI DSS 3.0
issue. The thing is that Heroku provides a platform and this platform is not
PCI DSS compliant (1.21, 2.0, 3.0, you name it) and Heroku is not willing to
let QSAs verify their compliance on behalf of their clients (and, yes, I have
first hand experience with this very scenario). There's a caveat, however: if
your payment platform is completely segregated from your Heroku environment,
you might be good to go. Let's say you use a payment gateway and cardholder
data never touches your Heroku environment (e.g. you're redirected to Payment
Gateway XYZ's app to enter your payment information). In this case your Heroku
environment would be potentially out of scope, as you're not transmitting,
storing or processing cardholder data. If you're handling cardholder data in
any capacity in your Heroku environment, then, yes, you're in for a big
compliance surprise.

~~~
grandalf
> Heroku is not willing to let QSAs verify their compliance on behalf of their
> clients

This is the issue. Chances are Heroku has a very secure infrastructure, but
the world will never know unless it allows various audits to be generated for
compliance purposes.

> There's a caveat, however: if your payment platform is completely segregated
> from your Heroku environment, you might be good to go

Not true, see below:

[https://www.pcicomplianceguide.org/new-saq-a-ep-hones-in-on-...](https://www.pcicomplianceguide.org/new-saq-a-ep-hones-in-on-e-commerce-merchants-using-payment-redirects/)

~~~
verystealthy
> This is the issue. Chances are Heroku has a very secure infrastructure, but
> the world will never know unless it allows various audits to be generated for
> compliance purposes.

Exactly. And, personally, I think this is rather odd. They could solve this in
a heartbeat.

> Not true, see below:

Duly noted and thanks for the link, but here's the thing, though: what if
you're not eligible for a self-assessment?

~~~
grandalf
> what if you're not eligible for a self-assessment

If you're doing higher transaction volume and are not eligible for a
self-assessment, you have to have a certified QSA sign off on an audit of the
internal processes.

The QSA will make sure that all the required systems and processes are in
place and sign off on it.

PCI is definitely a fairly frustrating thing to deal with but there are some
good practices underlying it that many orgs would simply not do if it weren't
required by their merchant processor.

------
Animats
Who is their Visa Qualified Security Assessor? If there is a corrupt Security
Assessor, the problem is bigger than one processor. Are they on the Visa
registry of Qualified Service Providers
([http://www.visa.com/splisting/searchGrsp.do](http://www.visa.com/splisting/searchGrsp.do))?
If either of those is the case, this is a big problem. Report it to Visa.

Or is this some small operation which provides services for a niche market and
is below the 300,000 transactions/year where it gets serious? Then, maybe not
so much.

Visa is quite serious about enforcing those standards. They took away every
user-facing credit card reader from Barnes and Noble for a year after a
breach. They took away Sony Online's ability to accept credit cards _at all_
for several weeks after Sony had a breach.

~~~
phil21
> If there is a corrupt Security Assessor, the problem is bigger than one
> processor

Huh? As a service provider who has to deal with these third parties (for our
hosted/colo type of clients) I would say I have yet to find one that isn't
corrupt.

They basically are completely worthless, at least at the lower-tiers. They
more or less run nmap and a nessus scan, and then tell the client how to game
those scans without improving security whatsoever (e.g. hiding an exploitable
version of PHP's version banner, firewalling the test probe IPs from certain
ports the world can see, etc.).

In fact, from a service provider perspective PCI has made things less secure
since we no longer have as much traction with clients when we tell them they
need to do X to store financial data securely. Now they can point to their
"audit" and say it's fine.

> Visa is quite serious about enforcing those standards.

Not in my experience. They only seem to care after a breach happens and only
for PR purposes. Report anything before that, and from what I can tell it's
completely ignored.

That said, we generally don't deal with the higher compliance levels - those
that do, seem to get it more or less right (or at least put resources and
thought into it if nothing else).

------
BorisMelnik
Why are so many people pretending this is being done for the good of the
users? I got started in my business because I loved what I was doing (for my
users). I stayed because it makes me a boatload full of money. If I see my
competitor slipping, I want to take advantage of them. Sure I do have empathy
for the users but at the end of the day it is pretty clear.

Believe me, if your competitor saw you doing this stuff they would definitely
report you. Kill or be killed. You think Mark Cuban or Donald Trump is worried
about their users when they have an opportunity to take advantage of a
competitor?

~~~
jacquesm
If your competitor saw you doing 'this stuff' they might report you, they
might not. It's not a certainty and having seen enough situations like this
over the years it strikes me as immature to think that by damaging your
competitor you are immediately strengthening your own position. Rather the
opposite, you are damaging the entire field in which you operate, which
_includes_ your own company.

Second, it's not kill or be killed, if that was all there was to it then why
not hire some Russian goon squad to bring down your competitor's web-site?
After all, they could do the same to you... Most likely the idea that all of
the competitor's business would be taken over and that they'd go spectacularly
bust is a pipe dream at best.

And let's let Mark Cuban speak for himself (as far as I know he's not going to
stoop so low as to intentionally damage a competitor for his own advantage),
for Donald Trump I'll hold up the inconclusive data flag.

If you run your business the way you do then it will _definitely_ reflect back
on you in most cases, you'll find that one day the tables are going to be
turned and then you'll be all out of sympathy.

Sure, business is ruthless. But it does not automatically mean that you can
back-stab your competitors for your own glorification. And if it does then I'd
rather not be part of your circle, toxic attitudes create toxic environments.

If you think that the only way you can grow your company is at someone else's
expense then maybe it's time you spent a few $ on marketing instead? Very rare
to find an ocean empty of fish.

------
hluska
First, a disclaimer. I am not a lawyer, nor am I even American, so all of this
should be taken with the understanding that I'm really not qualified.

I don't know how you found these violations and, for all I know, you may not
even be in the United States, but if you are, I would consider speaking with
an attorney (preferably one with experience working cybercrime cases) to make
sure that you aren't going to stumble into CFAA territory.

If I were your competitor, if I happened to find out that it was you, one
option would be to call, "HACKER!! EVIL HACKER!!" And, looking at some recent
cybercrime prosecutions (ie - aaronsw), if your competitor happened to catch
the ear of the right prosecutor, you could be in heaps of trouble.

I hope that you do report this - your competitor honestly sounds like a
scumbag. But, because he/she sounds like such a scumbag, they may not fade
gracefully into obscurity. Protect yourself accordingly.

------
click170
Unabashedly, Yes you should report them.

Yes it will benefit you, but more importantly it benefits his customers
because it gives them additional facts they did not have before about the
trustworthiness of the vendor they're using.

The fact that you are a competitor with this malicious actor should have no
bearing on your decision.

~~~
briandear
Assuming malice is rather presumptive. There's a big difference between
negligence and malice. I'm certainly not defending the actions of this company
(I have no idea who they are,) but I certainly wouldn't want someone's
potential ignorance to be used to assert that they acted with an intent to
harm. Malice requires intent. Acting stupidly isn't malicious.

~~~
click170
Ignorance of the law will not protect you from it, neither will ignorance of
security precautions prevent you from being hacked. People will always make
mistakes, but you don't raise the bar by merely tolerating the status quo.

I think more people need to understand that security _is_ important,
implementing the security precautions that _you're aware of_ isn't enough
anymore. You need to be active in the community to make sure you're up to
speed on recent developments, and that you're following Best Practices where
possible. Anything less is insufficient.

It's us the customers who are hurt the most when company databases get hacked.
Companies should start showing some respect for that fact by taking security
seriously.

------
stevebmark
"Reporting" someone for a PCI violation won't do much. At most they might lose
their certification level temporarily as their PCI auditor makes them
implement fixes. In fact there might even be a grace period for them to fix
problems, so no action will be visible to their customers. Even if they lose
PCI certification, that's not something customers look for or know about.

If you want to damage their reputation, write a blog post in a way not
traceable to your company exposing the actions of your competitor. Or get a
news agency to notice, and be an anonymous source. This probably isn't worth
the trouble.

The white hat solution, as others have mentioned, is tell them. If they don't
have the problems resolved within some reasonable time span (a month if you're
feeling mean, 6 months if you're feeling nice), then I would say you're
morally justified in smearing the hell out of them.

------
kabdib
Definitely.

This will also bring to light anyone complicit in the violations as well
(e.g., companies contracted for performing audits, who aren't taking due
diligence), so the benefit to everyone is more than just having your
competitor clean up his act.

~~~
altron
I hadn't thought of that. Very interesting insight. Thanks!

------
gojomo
Perhaps, just start emphasizing your superior security (and PCI compliance) in
your marketing, in a very pointed way. ("Some competitors don't..." or "If
considering a competitive offering, ask if they..." – but without specifically
naming the competitor.)

Note that this doesn't always impress customers – and sometimes mentioning
security concerns activates customer paranoia such that they convert at lower
rates! So you may need to test this.

But, if your customers _are_ security conscious, they'll notice the
differences when comparing offerings. When they ask your competitor for
details, the competitor will either offer false reassurances, _or_ become
increasingly aware of their deficiencies, and fix them. (And them fixing their
issues may be in your best interest: a famous failure by your competitor could
stain your whole category as too-risky for wider adoption by your target
customers.)

If and when there is a damaging breach at any competitor, your practices (and
marketing) going back to _before_ the breach can help immunize you somewhat
from the fallout, even without you ever directly naming the competitor or its
failings. (To directly mention a competitor, or its specific troubles after an
incident, could be seen as classless and easily backfire. Not only may you
have a lapse yourself someday, but any 'gloating' may draw retaliation from
competitors or extra attention from criminal hackers who get more glory when
compromising systems that brag about their security.)

------
iloveluce
You definitely should. It's unacceptable to have CC numbers in plain-text
regardless if they are your competitor or not.

~~~
altron
That's my biggest issue. The people who end up seeing the CC numbers are
minimum wage receptionists.

I have a customer who told me that her manager's boyfriend was writing down
customers' addresses to go rob them. The nature of the business indicates that
the customer is not at their home for extended periods of time. We ended up
building in user permissions to see name, address and phone number.

~~~
cirdoc98
Whoa, call the police maybe?

------
SEJeff
I would very strongly suggest you speak with a lawyer. What if you do the
moral thing and said competitor sees you as trying to blackmail him or
something even if your intentions are good? What if he responds with a
proactive lawsuit? This isn't about anything other than CYA. An hour or so
from a lawyer could save you a LOT of pain down the road.

------
tzs
> I've spent days debating the ethics of reporting or making this public. On
> the one hand, I'd be putting him out of business (and I'm well poised to
> scoop up those new prospects). On the other hand, he's putting people's
> finances at risk and I feel obligated to say something that the public may
> not be able to discern.

This raises an interesting hypothetical.

Let's suppose that there was no PCI violation, or any other ethical or legal
problem with his business, but that through better pricing, service, more
effective advertising, or something like that, you found yourself taking away
business from him to the point that he might be driven out of business.

Question: would you put limits on your growth, or cut back on your
advertising, or raise prices, or take some other steps to keep him in
business?

------
droopybuns
> I discovered this in the process of helping a new customer export their
> data from the old system.

If you report him, you're going to have to explain how you discovered
everything you've outlined without exceeding the intended access to the
system.

I see a lot of downside here for involving law enforcement. You run the risk
of being accused of hacking your competitor.

If I was in your shoes, I probably wouldn't report him, but I probably
wouldn't be quiet about the weaknesses of your competitor's security.

------
mindcrime
Personally, I would not report them or call them out publicly. I wouldn't see
it as my responsibility, and as far as the competitive aspect goes, I don't
necessarily think that it would be advantageous in the long-run. Calling them
out strikes me as a chance for some short-term gain in a way that I would
personally find distasteful, if not unethical.

I agree with the sentiment of "reach out to your competitor privately, inform
them of the problem, and suggest they fix it". They may be your competitor,
but they probably aren't Satan incarnate, and they'll probably be grateful,
and building that relationship may actually be beneficial down the road.

Look at the history with Peter Thiel and Elon Musk before they merged their
respective companies. They were competitors, yes. But if either had chosen to
make things personal and go into full on attack mode, they might never have
merged, we would not have gotten Paypal, and Peter and Elon probably wouldn't
be billionaires now. To be fair, you can argue whether or not it's a Good
Thing that we have Paypal, but from their subjective perspective, it was
better that they were on good enough terms to have the merger conversation.

------
slm_HN
I don't know anything about PCI violations but I doubt that reporting someone
would "put him out of business".

Reporting someone is a pretty weak move. A strong move would be a campaign
emphasizing the superior features of your product, such as PCI compliance.
Seems like a pretty easy sell, especially in today's environment when there's
a security breach every five minutes.

------
jakejake
I would personally alert your competitor before disclosing anything to the
public.

As far as putting them out of business, I wouldn't be so certain of that
outcome. For one thing the matter of PCI compliance is between your competitor
and their payment processors. If you figure out a way to report them, their
processor may just give them a chance to fix it and it will all be handled
quietly. Or it could result in an audit, fines, their processor dropping them,
etc. Those are all bad for the competitor, but not necessarily something that
will put them out of business.

Posting on a public forum has potential to scare customers if there is such a
place to post your message for your niche where "everybody" will see it. But
there's a lot of ways for that to backfire as well depending on how you handle
the posting of the message.

------
mtabini
I would only go to your competitor if you have a really good relationship with
them, and you know that your report won't be taken as a threat.

If you don't, you're exposing yourself to many problems for very little
upside, and my experience is that, when cornered, most people don't tend to
react in a reasonable and logical manner (or even in a manner that caters to
their own interests). For example, the competitor could accuse you of having
come across this information illegally (whether you did or not in the eyes of
the law is irrelevant: once you're faced with a lawsuit, your best likely
outcome is that you will only have to pay your lawyer's bills); or, they could
think you're preemptively covering your ass before starting a smear campaign
against them, and beat you to the punch with accusations and threats of their
own, and so on.

On the other hand, as some have pointed out, this is a good marketing
opportunity for you—you just need to be careful how you use the information. I
would, however, avoid making _any_ references to competitors (even indirectly
by referring to “our competitors”), because you don't want to be petty, and
you also don't want to ever have to answer the question “Who are these
competitors of yours?” in front of a court stenographer.

You do not mention if the PCI violations could flow through to your
competitor's clients; are the credit cards those that customers use to pay for
the competitor's SaaS, or are they stored on behalf of customers to provide
the service itself (e.g.: the way, say, Stripe stores your customers card data
for you)? A breach that leaks credit card data in this case would be
catastrophic not just for you, but for your customers as well—and these are
consequences that have a material impact on the quality of your product over
your competitors'.

From a marketing viewpoint, keep in mind that the value of this piece of intel
is also likely to be proportional to the sophistication of a prospective
customer. A large potential client is more likely to be sensitive to something
like PCI than small fish, and knowing that you can plant the bug in their ear
that your competitors might not be as up-to-date on PCI as you are could make
the difference between a sale and a missed opportunity.

------
Kalium
Once upon a time, I actually tried to report a company out of PCI compliance.
It's harder than it sounds, and there's a very good chance the PCI council
will ignore your report.

------
ropman76
As much as you feel a responsibility to the public on this you have a massive
conflict of interest in this area. Sure, be nice and send your competitor an
email. After that stay out of it and move on. There have been plenty of
hackers who felt they were doing the right thing by informing companies of
security issues they found only to have the same companies turn around and
attempt to press charges on them.

------
giggitytex
All in all I'm not sure I believe in karma, but I do believe you should take
the high road here. Simply reporting them doesn't fix it. But telling your
competitor and reporting it as a PCI compliance issue from your company
(because you do indeed have exposed credit card numbers in your possession)
would be the route I would take.

Tell them and let them know you're prudently reporting it for your own sake.

------
cirdoc98
Report it, and let him know too. He must be doing less than $1m/mo if it's
gone on for a while; 3rd party audits are mandatory otherwise. It's a
small-time risk to the PCI folks anyway; they're not going to screw up his
livelihood, they're just going to tell him to use a merchant processor or
tokenize, would be my guess.

------
mangeletti
It's 2015. If somebody is storing credit card numbers in plaintext, and then
also displaying them, they deserve to be out of business. Don't make this
about business ethics. In business, you are playing a chess game against all
of your competitors. When one of them makes the wrong move you take them out.
It's as simple as that.

------
runjake
As always, "Do unto others..." comes into play. Don't report them or make it
public.

If anything, perform due diligence and get in touch with someone with the
appropriate levels of scruples and power to take action.

Who knows? They may find out something worse about your business and respond
in kind, instead of dragging your company through the mud publicly.

------
fubarred
[https://www.pcisecuritystandards.org/security_standards/why_...](https://www.pcisecuritystandards.org/security_standards/why_comply.php)

(unofficial site) [http://www.pcistandard.com/card-association-fines/](http://www.pcistandard.com/card-association-fines/)

------
williamle8300
To me, they made the decision to put all of their clientele at risk. There's
no problem with "outing" them.

Sure, if you anonymously tell them about the security loophole, will this fix
future problems?

Likely not.

I say report them.

There's nothing wrong with reporting bad behavior. You're not responsible for
the consequences they have to face for making those decisions.

------
kazinator
Put the buggers out of business and scoop up the new prospects. Doh!

Google, Microsoft, IBM, Apple, ... wouldn't even think twice.

------
feld
I don't like the idea of notifying him and then being responsible for checking
in later to make sure something happened. That's not your job. You should
probably report the violation and let the PCI industry handle it.

------
k33n
Report to whom? PCI isn't a law.

If you want to use this as a selling point when engaging his current
customers, I see nothing wrong with that. If you offer greater security than
he does, it's fine to point that out.

~~~
briandear
That's exactly it. There is no law being broken. The best way to capitalize
off of this is to use the weakness of the competitor as a means to market
yourself as a superior product. You can even use testimonials from the former
customers who switched to you to further boost your own product. It doesn't
sound like this competitor would be too hard to beat on merit rather than
underhanded tactics.

You could also get your sales team to call your competitor's current customers
and ask "How safe is your data with "X"? Are you looking for a super-secure
alternative? Buy my product." Or something...

------
nailer
Is PCI actually enforced? Intrusions at many large organizations have shown
them violating PCI - eg, Sony (not the recent hack, the last one) and I've not
heard about any of them being punished.

~~~
dangrossman
Genesco (which owns Journeys, Lids, Johnson & Murphy, Dockers Footwear) had a
data breach in 2010. Visa fined them over $13 million in PCI penalties.

~~~
jacquesm
_after_ the breach.

Typically any PCI certified installation that does not self-certify will have
something come up in their annual review. That doesn't mean they immediately
lose their certification, it means they get 'x' days to fix the item and
_then_ they are no longer in compliance.

That's when they _might_ get fined but if a breach occurs the fines are pretty
much a given.

Fines are extra income for VISA, they typically have no clear relationship to
the infraction other than that it is what VISA thinks they can bear or how
much they can get away with. Fines have bankrupted companies and big breaches
have led to fines that were surprisingly low. It's a lottery, for the most
part.

------
bdcravens
_On the one hand, I'd be putting him out of business (and I'm well poised to
scoop up those new prospects)_

This is hyperbole. His customers are probably running their business, not
monitoring the news for info on every SaaS they use. PCI compliance most
likely isn't what keeps them there: it's friction in leaving, customer
service, possibly features they don't find elsewhere. There isn't some PCI
police that has a list of all their customers and will email them.

If customers are lost, it'll be a trickle. Once they identify what's up,
they'll be all hands on deck to fix it, and this amazing competitive advantage
you feel fell into your lap will disappear. On the other hand, maybe he'll
ignore it - I promise you there will be customers that really don't care.
Yeah, they should. But they won't. Your competitor will still be in business.

I'd turn it into a marketing advantage, not treat it like a magic torpedo.
Many of our competitors outsource their programming or are resellers of one of
our competitor's services. (In our industry, whoever has your data has a list
of your customers, so important to control who has access to that information)
In our pitch, I tell them to ask whoever they do business with, even if it
isn't us, if they outsource their operation and who controls the data. In your
situation, point out that some companies in your space, without naming names,
store their payment data incorrectly, and why that's bad. Then hit them with
how you are PCI compliant.

Another thing to consider: if your magic torpedo scenario doesn't play out,
then what? There's people out there using a provider that stores payment
details insecurely. Announce it publicly, and you've just made them a target
for a breach - big payday for those hackers. Muahahahah, I've killed my
competitor! Maybe, maybe not, but you've also just screwed over those
customers. Even if they leave that provider, when they find out the reason
their credit card is being abused is due to your disclosure, there's 0 chance
you'll get their business, and it could have long term PR repercussions. Hell,
depending on your jurisdiction, potential legal ones.

(Yes, everyone will say it's not altron's fault - it's his competitor's. It's
both at that point. If I tell the world about someone I don't like who leaves
their house unlocked, I'm an asshole, and don't deserve to be liked)

About the only situation where I feel this works out well for you is to
contact the customers of theirs that you know, and tell them directly.

~~~
rational-future
>> There isn't some PCI police that has a list of all their customers and will
email them.

The payment processor that the competitor uses can stop processing their
transactions. While I was in the PCI consulting space a few years ago, I saw
many cases where small and medium sized companies ended up on the credit
companies' blacklist and no payment processor would dare take their business.

~~~
bdcravens
That's good to know. So if you get kicked out like that, will Stripe refuse
your business? Also, would it be a matter of knowing who the processor was in
order to report?

------
DenisM
If you were to worry about the wellbeing of your competitors, you would deprive
your users of the fruits of fierce competition.

------
Aloha
Maybe.

If he advertises PCI compliance, yes, bust his ass for lying. If he doesn't -
that's a gray area ethically to me.

------
nashequilibrium
What would Steve Jobs or Larry Ellison do?

