Some sellers remain concerned over Etsy’s handling of sensitive information that came to light last week. We’ve been covering the story, and in light of the serious allegations raised by sellers, we reached out to a security expert and gave Etsy an opportunity to respond.
As we reported last week, Etsy announced a new Shop Home and Simple Shop Policies earlier this month. New to the features was a field called Seller Details that Etsy created to help sellers comply with EU directives about providing contact information to shoppers.
When sellers clicked on Seller Details in the backend to see what it contained, they saw it held their names and addresses. A business seller was concerned that it contained her personal name and address instead of her business's, and she feared it was publicly viewable. After the concerns were brought to Etsy’s attention, the company said seller information did pre-populate the Seller Details field, but said a seller would have to click on the “save” button in order for it to be publicly viewable.
Matthew Glick of the Etsy legal team explained on this Etsy forum thread, “The info that is auto-filled is the seller’s first and last name from our records. The billing address from the credit card on file is displayed for the address. No credit card information is displayed, and, as I mentioned before, the name and address text can be edited at anytime and will only be displayed after you click Save. …”
Note that Etsy later made a change so the field would no longer pre-populate seller name and addresses.
But that did not satisfy everyone. Here’s an excerpt of a post from a seller that describes her concerns:
“I would feel far more reassured if Etsy would officially admit that the address from the credit card is in fact part of the private credit card information and therefore should never even have been available to the programmers involved in coding a shop design update, let alone used for any type of autofill function not connected with a transaction on the card. … I feel as if we have instead so far been told there was no data breach (putting private data into an inappropriate field is a breach), blamed for the breach of our own data because we dared to click on buttons to edit our information, but have generously been helped out by having autofill turned off … on this field, for now, just to calm our apparently silly fears. …”
In light of the serious nature of those allegations, EcommerceBytes reached out to Smrithi Konanur, Global Product Manager – Payments, Web, & Mobile at HPE Security-Data Security and formerly of PayPal.
In response to our question, “How must a merchant (or marketplace) store users’ credit card information, and is the address information treated any differently than the credit card number,” she wrote:
“A merchant should tokenize the credit card number (PAN number and CVV), or any sensitive payment information. Tokenize means to substitute a sensitive data element with a non-sensitive equivalent. However, merchants shouldn’t stop at the credit card number. Industry best practice is to encrypt/secure address, SSN, or any other personally identifiable information (PII). PII information might be liable to General Data Protection Regulation (GDPR), especially in the European Union. Europe, Canada, Australia, and other countries have stricter privacy laws when compared to the United States. So it is better to secure all private information.”
We also asked Konanur, “Should sellers be concerned if a marketplace accesses their credit card addresses and pre-populates them in fields on its site that, with the click of a button from the seller, could be viewable online by everyone?” She responded:
“Yes, credit card information in clear text viewable online by everyone is a direct risk of credit card fraud, and would increase the amount of fraudulent transactions to the credit card holder. This could lead to a huge security breach. Moreover, this is definitely not a PCI compliant environment, which would increase their PCI and auditing costs. The right approach to this scenario is to tokenize the credit card information so that any further transactions would be pre-populated by the token and de-tokenized as needed for further processing (payment processing). This way, when a hacker breaches their environment, the information they get is not usable.”
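Konanur describes tokenization as replacing each sensitive value with a non-sensitive stand-in that is only swapped back at payment-processing time. The Python below is an added illustration of that pattern; it is not code from the original article, from Etsy, or from HPE. The vault, the role names (“payments” and “shop_policies”), and the card number and addresses are all constructed for the example. It tokenizes the billing address as well as the PAN, reflecting her later point that the address is PII worth securing, and it shows that a storefront feature such as a Seller Details autofill can draw only on the shop’s own profile address, never on what is behind the billing-address token.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical roles for this example: only the payment-processing path may
# recover raw values; the shop-policies (storefront) path never can.
DETOKENIZE_ALLOWED_ROLES = {"payments"}


@dataclass
class TokenVault:
    """Toy tokenization vault: an opaque random token stands in for each
    sensitive value. In a real deployment the vault is a separately secured,
    PCI-scoped service; here it is an in-memory dict for illustration."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, kind: str, value: str) -> str:
        # A random token carries no information about the value it replaces,
        # so a copy of the merchant's database is useless without the vault.
        token = f"tok_{kind}_{secrets.token_hex(8)}"
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control lives at the vault boundary, not in each feature.
        if role not in DETOKENIZE_ALLOWED_ROLES:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        return self._store[token]


@dataclass
class StoredCard:
    """What the merchant keeps outside the vault: tokens and a masked display."""
    pan_token: str
    billing_address_token: str
    masked_pan: str


def store_card(vault: TokenVault, pan: str, billing_address: str) -> StoredCard:
    """Tokenize the PAN and billing address at intake; the CVV is never stored."""
    return StoredCard(
        pan_token=vault.tokenize("pan", pan),
        billing_address_token=vault.tokenize("addr", billing_address),
        masked_pan="**** **** **** " + pan[-4:],
    )


def storefront_can_read(vault: TokenVault, token: str) -> bool:
    """True only if the storefront (shop_policies) role can recover a value."""
    try:
        vault.detokenize(token, role="shop_policies")
        return True
    except PermissionError:
        return False


def autofill_seller_details(shop_address: str) -> dict:
    """Storefront feature: pre-fills the public field from the shop profile
    address the seller chose, with no access to billing data at all."""
    return {"address": shop_address}


def charge(vault: TokenVault, card: StoredCard, amount_cents: int) -> dict:
    """Payment path: detokenizes only at processing time, then discards."""
    pan = vault.detokenize(card.pan_token, role="payments")
    addr = vault.detokenize(card.billing_address_token, role="payments")
    # Simulated processor call; real code would send pan/addr to the
    # processor's API and keep neither in logs or application state.
    return {"status": "authorized", "amount_cents": amount_cents,
            "avs_address_supplied": addr != "", "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values, not real card or address data.
    card = store_card(vault, "4111111111111111", "1 Sample St, Springfield")
    print(card)
    print("storefront can read billing address:",
          storefront_can_read(vault, card.billing_address_token))
    print(autofill_seller_details("Unit 5, Market Hall, Springfield"))
    print(charge(vault, card, 1999))
```

Run as-is, the printed card record contains only tokens and a masked number, the storefront check prints False, and the charge succeeds because the payments role is the one place detokenization is permitted.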
We gave Etsy an opportunity to respond and asked if it believed it was appropriate and PCI compliant when it made sellers’ credit card addresses appear in the Seller Details field.
We also asked, “Why did Etsy say the Seller Details field would be only visible to EU “buyers,” implying “trading partners,” when it could be viewable to anyone and everyone located in the EU or changes their location to the EU, even if they are located in the US?”
An Etsy spokesperson provided the following statement:
“We understand that there was confusion and concern related to the shop policies rollout and privacy. We’ve been listening to feedback and continue to make updates, including removing the auto-populated information, in response to that feedback. We can reaffirm that there was no privacy breach in this scenario.
“All credit card information sent to Etsy is encrypted using secure socket layer technology (SSL), and once received, it is stored in a PCI compliant environment. PCI DSS (Data Security Standard) includes the following data: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code. (Page 7 of this document).
“None of these pieces of data were or are accessed by the developers working on shop policies. We’ve recently completed an audit by a third party PCI compliance vendor, who certified our practices.
“We believed we were clear about the seller details section, as well as the requirements of the EU consumer protection laws – which includes providing specific information, including address, to buyers before they agree to purchase – in the relevant Help articles, but we understand that we could have been clearer. Our goal has always been to help sellers more readily comply with local and international regulations, while running their businesses on Etsy. Address information is also used for our billing and payments processes.”
We asked the expert at HPE Security-Data Security, Smrithi Konanur, if credit card addresses must be encrypted – she said the address is considered to be PII (Personally Identifiable Information), which is liable to GDPR and other privacy laws – “hence it is better to secure this information too.”
One of the perplexing things about the way Etsy handled seller data is why it chose to pre-populate the Seller Details field with the seller’s credit card billing address instead of the address sellers used in other areas of the site. For example, one seller noted that the address used to populate the field was her credit card billing address and was “not the address I use to associate my shop with to sell, accept returns to, or use for shipping labels.”