LifeLock’s Digital Wallet Not (Completely) Secure: Deleting Software From App Stores

LifeLock recently alerted its customers that its digital wallet — a piece of smartphone software that holds folks’ personal credentials — is not PCI compliant.

That means, according to a consensus in the payments industry, the technology is just not safe for people to use.

As a result, the Arizona company is deleting the software from all of the app stores, Google Play and Amazon, included. Separately, LifeLock is also deleting customers personal information from its internal servers. Just to be sure.

The payments card industry standard dictates how payment card information should be stored.

From a disclosure:

We have determined the app is not fully compliant with payment card industry (PCI) security standards, and we are taking immediate steps to correct this and ensure the ongoing safety of your personal information. 

It’s important for you to know that we have no reason to believe your personal information, including credit card numbers and other data, has been compromised as a result of the PCI compliance issue. 

This does not affect [a customer’s] ability to use your credit cards or other information you have uploaded to LifeLock Wallet.

Late last year, LifeLock acquired Lemon Wallet for $42.6 million. (Read the TechCrunch story, here.)

More on payments card standard (from Wikipedia):

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debitcreditprepaide-purseATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraudvia its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

It’s worth keeping in mind that PCI standards are the bare minimum that every business has to comply with — from the deli on the corner to, yes, even Target before and after its infamous data breach debacle.

The LifeLock snafu also calls into question Lemon Wallet’s founder, Wences Casaresthe same dude behind Bitcoin vault Xapo.

Just another reason for top banking regulators, both state and federal, to be concerned.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s