Dwolla (the online payment system) claimed that it encrypted all sensitive personal information and that its security practices exceeded industry standards and achieved compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
Supposedly the (USA) Consumer Financial Protection Bureau thinks that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access. It has imposed a $100,000 fine and requires Dwolla to fix the alleged security flaws and train employees in security processes. The financial part of the fine will likely be the least expensive of the 3 imposed measures. The fine is also the first of its kind imposed by the Consumer Financial Protection Bureau.
Some interesting excerpts from the Administrative Proceeding:
- On its website or in direct communications with consumers, Respondent made the following representations regarding its encryption and data-security measures: Dwolla is “PCI compliant”.
- Respondent represented to consumers that its transactions, servers, and data centers were compliant with the standards set forth by the PCI Security Standards Council.
- In fact, Respondent’s transactions, servers, and data centers were not PCI compliant.
Might be a good time to re-read CapGemini’s report on the impact of regulatory compliance on the card industry. It was written in October 2012, and it mentions Dwolla! I would call that ironic, but the misuse of that label is a pet peeve.