Complying with the Payment Card Industry Data Security Standards, established by the five major card-issuing companies, was, until recently, seen as something all businesses must do to avoid security-related consequences enforced by regulators, banks or other industry parties.
Now, payment safety means more than complying with PCI standards. As recent actions from the Consumer Financial Protection Bureau indicate, misrepresenting security could land a business in trouble.
The case against Dwolla
On March 2, 2016, the CFPB announced it took action against Dwolla, Inc. for allegedly misrepresenting its security practices. The online payment company, which had over 650,000 users as of May 2015, was instructed to fix its security, retrain employees and ensure all of its security claims are accurate. Dwolla was also fined $100,000.
According to the regulatory agency, Dwolla failed to fully protect customer data from December 2010 until 2014. The company claimed it provided safe and secure transactions and set “a new precedent for the payments industry.” However, the CFPB found that Dwolla did not take reasonable steps to protect customer data, let alone exceed industry standards. In fact, the bureau stated that Dwolla only encrypted some personal consumer data, not all of it. In addition, Dwolla did not take proper steps to ensure its applications were secure before releasing them to the public.
“With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” said CFPB Director Richard Cordray in a statement. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
The Wall Street Journal reported that Dwolla neither admitted to nor denied the allegations, and neither the company nor the CFPB found evidence of a data breach. In addition, Dwolla claimed that the CFPB is fining it for practices that ended in 2012 and that its current security measures are fully accurate and compliant.
Addressing payment security
This is one of the first instances where the CFPB took action against a financial technology company. What’s more, the CFPB penalized Dwolla without any sign of an actual data breach. This indicates that the government body will join the Federal Trade Commission, the Securities and Exchange Commission and other regulators in enforcing proper data security in the future, according to the law firm Davis Polk.
Dwolla’s case might discourage some retailers from partnering with a PCI-compliant credit card processing company. These businesses might be convinced to handle consumer data in-house instead of risking partnering with a payment processor that misrepresents its services and is fined by the CFPB. However, this case is actually a perfect example of why businesses should outsource their payment processing and security. The PCI Data Security Standards are incredibly detailed, and some businesses simply do not have the knowledge or resources to meet them. If details are accidentally overlooked, the retailer could face severe consequences not just from banks or card issuers, but from government regulators as well. In addition, companies that choose to handle payment security on their own must complete the more difficult Self-Assessment Questionnaires.
In essence, partnering with a PCI-compliant card processing company keeps businesses from misrepresenting consumer safety and from facing consequences related to a payment security breach. It decreases a company’s burden in protecting customer data, letting them focus on other aspects of a quality customer experience.
Brought to you by PacNet Services, your one-stop global payment processing solution.