Mobile payment app withdrawn and customer information deleted amidst concerns over payment card data security

Out-Law News | 20 May 2014 | 4:34 pm

A digital wallet provider based in the US is to delete all its customers' data after admitting that it may have fallen short of security standards for payment card data.

LifeLock chairman and chief executive Todd Davis said the company may not be compliant with the Payment Card Industry Data Security Standards (PCI DSS) and that because of this it had decided to withdraw its LifeLock Wallet from sale.

"We have determined that certain aspects of the [LifeLock Wallet] mobile app may not be fully compliant with payment card industry (PCI) security standards," Davis said in a company blog. "For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app."

"We have taken steps to delete all stored information for the mobile app from our servers. Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do. As a company dedicated to online security and safety, we are committed to doing everything we can to ensure those who trust us with their personal information can do so without question," he said.

Davis apologised to users and said that the company would work towards bringing the LifeLock Wallet back into use again "with the highest level of PCI compliance".

LifeLock launched its Wallet product after acquiring mobile wallet innovator Lemon for more than $40 million in December last year. The company said it used technology developed by Lemon to launch the app. Users of the LifeLock Wallet could store digital copies of credit card details, amongst other things.

PCI DSS is the main standard related to storing payment card data and it sets out 12 broad requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

New PCI DSS requirements were finalised in November last year, although some of the rules from the existing version of the standard continue to apply until the end of this year. PCI DSS v3.0 has introduced new obligations around security threat monitoring, physical and remote access to data, security testing and responding to security alerts, among other examples.

In the UK, watchdog the Information Commissioner's Office (ICO) has said that retailers that fail to store payment data in accordance with PCI DSS "or provide equivalent protection when processing customers' credit card details" could be held to be in breach of the Data Protection Act (DPA). The ICO has the power to issue fines of up to £500,000 against organisations that breach the DPA.