by j42 3835 days ago
It's really interesting to see services like this emerge.

In my opinion, the merchant processing/gateway revolution happened when providers (Stripe, Braintree, et al) started providing quality APIs for user/profile/subscription management and took the burdens of PCI compliance off of the companies building consumer products.

On the surface, I feel like this is a great way to offload the liability of storing sensitive user data -- though it also creates a central source of failure. Success is predicated on Luno securing their data; if they can't, the model would die.

If they can, it's possible we'll start to see a mass migration of authentication-based apps switching to these services, if only for the legal intention of offloading liability.

Really, a fascinating model.

1 comments

Definitely a fascinating model, and there are others doing it too, but the founder's (rbin's) post pretty much read "blah... blah.. blah.. trust and security.. blah blah.. seriously.. blah blah blah.. "

Until there is a service that has shown it has the chops it takes to securely store user data for a third party, it's an uphill battle for these services.

I could see this being an issue if there were penalties for PI storage violations like there are for PCI.

PCI is the main reason to use something like Stripe.

Right now, if you store PI and get hacked, you just apologize in a post-mortem blog post and move on.

PCI also comes with a bunch of rules that companies that store card data need to adhere to. Obviously the idea is that adhering to these rules ensures (there are arguments for and against, but let's skip those. :P) that data cannot be hacked.

With PI, if your data is hacked, there is no penalty from a consortium, as there is in the case of PCI data being hacked, but it is ludicrous to say that there is no penalty at all. When a website is hacked and loses customer data, it also loses customer trust. The website's revenue is based on its users trusting the site and coming back to it over and over again. A data leak would be (rather, has the potential to be) disastrous to the site and its business. (Ashley Madison is the most recent example I could think of.)

I do agree with the fact that for a lot of small sites that just want to identify the user, leaking PI will have almost no negative result. But then, such sites have already moved over to OAuth, and their purpose is already served.