Dwolla Touts Security As Mobile-Payment Startup Pursues Growth

Online and mobile-payment startup Dwolla Corp. has been building a payment network called Grid that company executives believe to be more secure than MasterCard Worldwide’s and Visa Inc.’s card networks.

At least one observer, however, is not so sure.

Most of the $1 million per week in transactions coming through Dwolla are online payments, the highest dollar transactions being business-to-business funds transfers and consumer-to-business payments such as rent, according to Dwolla founder and CEO Ben Milne. But the new growth is in mobile, he says.

“This makes a lot of sense because we just recently rolled out updates to our iPhone, Android and Windows 7 apps to add social context, or peer to peer transactions,” Milne says.

Dwolla has made sending P2P transactions easier on its iPhone app. Now users can pay another person by clicking on that person’s name in a contact list, whereas before the recipient had to set up an ID number the sender would need to type in.

Visa’s and MasterCard’s payment networks have been in place for a long time, and the card associations have built in mechanisms to try to help banks identify fraud and handle dispute resolution and charge-offs.

But Milne says the Visa and MasterCard world is vulnerable to fraud.

“Every time you swipe your card, you’re leaving behind the actual information that would be used with that card,” he points out. “Every time you engage in a transaction, you’re leaving behind information in places you don’t even know you’re leaving it. That’s an exposure potential. This is something we all live with, and it’s part of the system. What we’re trying to ask is, if they had or could start over today, would they knowingly let merchants or hardware providers store credit card information that could be used to commit fraud?”

Milne believes, naturally, they would not.

“They would probably do it in a way that allows them to securely connect, authorize the payment, and get paid without leaving that critical financial data behind that could be used for fraud and increases cost for everyone,” he says.

This is what Dwolla’s Grid does, according to Milne. It enables consumers to use third-party apps to make purchases, the way Facebook Connect presents a user’s credentials and profile to a new site.

“It allows you to actually engage in a transaction without that piece of software ever getting access to your bank information,” Milne says. “It can’t be stolen after that, or it’s less likely to be stolen. It adds an additional tier to protect the consumer.”

Once the consumer connects, he can manage which applications have rights to his account information. He also can remove permission to access individual pieces of data such as account history, ability to spend money and contacts.

So what exactly is Grid? “Grid is the software that connects to other software that securely allows people to connect,” Milne says. “It’s a relatively simple concept, but the implementation is very complicated.”

The software mimics the way social networks attach to third-party networks and applications without allowing direct access to your data.

“We’re using the social-network model and putting the consumer in control,” Milne says. “You basically authorize an app to charge you rather than enter your credit card number. At the end of the day, that software will not have access to information that can be used to commit fraud.”

Grid uses industry standards and procedures similar to banks’ to prevent unauthorized entry, the company says. It also requires users to enter their PINs to change or revoke data sets specific to that user.

One observer questions whether Dwolla’s service truly is more secure than the card networks’. 

“With a service like Facebook Connect, you’re still subject to your user name and password being hacked,” notes Gartner analyst Avivah Litan. “Security is only as strong as its weakest link, which is the user name and password, which can be hacked. Malware has attacked every mobile platform out there.”

One thing the credit card networks do right, she points out, is provide consumer protection through Regulation Z of the Truth in Lending Act. In the event of fraud, a credit card cardholder’s liability cannot exceed $50.

Dwolla’s dispute-resolution process is similar to that used for debit cards, which fall under Regulation E of the Electronic Funds Transfer Act. Reg E requires consumers to prove their money was stolen, but then they do get their money back.

“We’re relying on the decades of experience of The Members Group,” a technology partner that provides card-processing technology for banks and credit unions, says Dwolla spokesperson Jordan Lampe. “They’re sharing their best practices for security, risk mitigation and arbitration.”

Dwolla also is developing technology to help banks cut fraud as they start allowing transactions from mobile devices, and also to help them decide which mobile devices are worth investing in to begin with. Its Dashboard will provide aggregated, anonymous geolocation and device-printing information to determine, for example, whether customers accessing the bank's website on a mobile device use Google Inc.'s Android over Apple Inc.'s iPhone.