Built by former Romney digital director Zac Moffatt and his team at Targeted Victory, Victory Passport does away with the complicated payment forms that consumers often find on other Web sites. It replaces all that with a one-click donation feature that charges your credit card as soon as you hit the "contribute" button. Moffatt's vision is to put Victory Passport in the hands of conservative campaigns everywhere, leading to a boom in grass-roots donations.
But Victory Passport was hit by an early snag Thursday when liberals from the political action committee ActBlue pointed out that some of the technology it relies on doesn't conform to credit card security standards. A provider for the tool's Web site, they charged, could wind up exposing consumer information because the provider, Austin-based WP Engine, is not compliant with so-called Payment Card Industry, or PCI, standards.
The accusation touched off a storm on Twitter, where technologists on the right as well as the left were quick to weigh in.
It turns out, however, that progressives' concerns about data security were probably overblown. Here's why.
WP Engine doesn't claim to be PCI-compliant because it's not in the payment business. It provides server space for organizations to run their own WordPress installations on. Those organizations may partner with third-party payment processors; in fact, this is exactly what Victory Passport does. It uses Rally (formerly known as Piryx, which was also used by the Romney campaign) and Braintree to handle credit card transactions with the NRSC. But WP Engine says it's not responsible for how its clients build their own Web sites. WP Engine just helps transfer consumers' credit card data to the third-party plugin.
This might be a problematic defense if the data were being sent in the clear with no protections. But according to two independent security analysts who reviewed ActBlue's evidence, the information does seem to be encrypted by SSL — just as Targeted Victory claims.
"The fact that our Democratic opponents rushed to judgment without thorough information to make blatantly false and disingenuous claims shows the extent to which they will go to mislead the public," said NRSC communications director Brad Dayspring.
WP Engine affirmed in a two-minute phone call with Republicans today that no credit card information was being stored on its servers, and that it had run a full system scan to make sure. The fact that the data never rests on WP Engine's property is an important detail, as companies that do hold onto data can become vulnerable to hacking attempts resulting in a data breach.
So, conservatives — donate away. Your credit card information is (probably) secure.
Correction: While the credit card information is secured by encryption as it gets passed to the third-party payment processor, the fact that WP Engine acts as a middleman (however briefly) introduces an element of risk. If WP Engine were somehow compromised, that hacker would theoretically be able to scoop up the financial data moving through its infrastructure whether WP Engine stores the information in its database or not (WP Engine, for its part, publicly confirmed that it does not store the data but both Targeted Victory and WP Engine admit that it does touch WP Engine's systems as it gets passed to the payment processor).
This is where PCI compliance from WP Engine would really help increase confidence in Targeted Victory's system. According to a payment security analyst at Javelin Strategy and Research, Nick Holland, organizations that handle financial data but aren't PCI-compliant potentially face "hundreds of thousands of dollars" in penalties if the big payment networks find out. That's because a data breach anywhere can affect confidence in the payment system everywhere.
"The idea that we don't store, we just transmit — lots of really successful attacks against payments target the data transfer and capture it traversing the network," added Jacob Ansari, a PCI forensic investigator with 403 Labs.
Just because a vendor is PCI-compliant isn't a rock-solid guarantee of safety. PCI is not a magic wand; it's just a piece of paper saying that you've been tested and meet industry security standards, kind of like a driver's license. WP Engine may actually have decent security practices of its own, but it hasn't signaled it in an industry-recognized way.
How much of this is WP Engine's fault? Well, while it would be good for their business to be able to say they're PCI-compliant, the fact that they're not is disclosed on their Web site and they suggest ways to adapt if a client is interested in doing e-commerce like Targeted Victory is. Targeted Victory, meanwhile, tells me that they chose WP Engine for holistic reasons that account for "all the elements" of a campaign. The firm also says that it's working with Braintree on a payment system that takes WP Engine out of the equation (or more specifically, Targeted Victory's server that's hosted on WP Engine). That new system will be live within a week, and is the approach that WP Engine itself recommends on its Web site.