The Green Sheet Online Edition

March 28, 2016  •  Issue 16:03:02


CFPB fines Dwolla over data security lapses

The Consumer Financial Protection Bureau slapped a $100,000 penalty on the payment network Dwolla Inc. for deceiving consumers about its data security practices. The fine is part of a consent agreement between the CFPB and Dwolla announced on March 2, and marks the federal consumer watchdog's first enforcement action related to data security.

"Consumers entrust digital payment companies with significant amounts of sensitive personal information," CFPB Director Richard Cordray said in a statement about the enforcement action. "It is critical that companies put systems in place to protect this information and accurately inform consumers about their data security practices." Dwolla failed on both counts, the CFPB asserted.

In a blog post on that same day, Dwolla apologized to the public, explaining, "[W]e may not have chosen the best language and comparisons to describe some of our capabilities." The post noted that since its launch over five years ago, "Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event."

Dwolla was launched in 2010 as an e-commerce alternative for credit and debit card acceptance. Since then, the Des Moines, Iowa-based company has expanded to also support low-cost, real-time mobile payments for consumers and businesses. All transactions are cleared through the automated clearing house system and priced at a flat per-transaction fee of 25 cents regardless of value.

As of May 2015, Dwolla had logged more than 650,000 users and was transferring as much as $5 million a day on behalf of customers, according to the CFPB's complaint. For each account Dwolla signs, it collects personal information, including name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password and a unique four-digit PIN.

Failing to deliver on claims

According to the CFPB's complaint, Dwolla made false claims between 2010 and 2014 that customer information was safe, secure, and in compliance with Payment Card Industry (PCI) data security standards. In addition, the CFPB found Dwolla also claimed, falsely, that sensitive personal information it collected was encrypted, and that its mobile apps were safe and secure. "Dwolla's data security practices in fact fell short of its claims," the CFPB stated. The CFPB said Dwolla failed to use reasonable and appropriate measures to protect customer data from unauthorized access and that despite claims by Dwolla that "information is securely encrypted and stored," some personal consumer information did not get encrypted. What's more, some Dwolla applications were released to the public without rigorous security testing, according to the CFPB.

In addition to paying a $100,000 fine, Dwolla agreed to stop deceiving consumers about the security of the network and enact comprehensive data security measures and procedures. The company also has to fix security flaws in its web and mobile apps and work to ensure ongoing security of consumer data in transit and at rest.

Upping the ante

The CFPB was created under the 2010 Dodd-Frank financial reform legislation as a semi-autonomous agency with enforcement authority for federal consumer protection laws, such as those involving lending and electronic payments. (Many of these laws previously were enforced by the Federal Reserve and other regulators.) Dodd-Frank also put the CFPB in charge of policing for unfair, deceptive or abusive acts and practices – consumer protections historically enforced by the Federal Trade Commission.

However, according to legal experts, Dodd-Frank did not grant the CFPB enforcement authority for cybersecurity laws; that was left to the FTC and bank regulators. That's why the action against Dwolla focuses on deceptive claims about the security of the network and consumers' personal financial information. The law firm Ballard Spahr LLP wrote in a March 3, 2016, legal alert that the CFPB's action against Dwolla "significantly ups the ante" for large banks and nonbank financial services companies under the bureau's jurisdiction. "Financial institutions should prepare for increased CFPB activity in the areas of data security and privacy," the firm stated.
