A US finance watchdog has slapped e-commerce and mobile payments processor Dwolla with a hefty US$100,000 (A$140,000) fine for deceptive practices and making false representations about its data security.
The Consumer Financial Protection Bureau said Dwolla's data security practices were deficient, finding it had "failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorised access".
Dwolla also claimed that its transactions, servers and data centres were PCI-SSC compliant, when in fact they were not, the CFPB said.
Appropriate data security policies and procedures had been lacking at Dwolla from the company's start in 2008 until 2013.
Staff training on security was not mandatory until 2014, the CFPB said, and sensitive personally identifiable user information was transmitted without encryption "in numerous instances". Dwolla also did not conduct risk assessments or penetration tests.
Dwollalabs, the payments processor's software development arm, also got a serve from the watchdog for poor data security practices. These included storing sensitive consumer data in the Dwolla and Masspay apps for Apple iOS and Microsoft Windows, which were not tested for security before being released.
On top of the fine, the CFPB ordered Dwolla to stop misrepresenting its data security practices. Dwolla must also improve its security and ensure consumer personal information is stored safely on its computers and in its applications.
US-based Dwolla is one of several payments processors, along with Stripe, Braintree and others, that have sprung up over the past few years seeking to capitalise on internet and mobile transactions.
The watchdog noted that Dwolla in May 2015 had around 653,000 members and transferred as much as US$5 million a day.
Updated: Dwolla said its current data security practices met industry standards.
"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices," a spokesperson said.
"Dwolla had many other layers of data security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers.
"We’ve never been more proud of our information security policies, practices, and technologies, and have gone to great lengths to implement them up, down, and across the company."