LifeLock Inc. left many of its customers "extremely frustrated" when it pulled its mobile wallet app off the market last week because of potential security gaps, but those customers understand it was the right thing for the company to do, CEO Todd Davis says.
LifeLock, an identity theft prevention services provider, alerted customers through e-mails and a blog post that parts of the LifeLock Wallet were not in compliance with the Payment Card Industry security standard.
"We filed with the Federal Trade Commission on a self-report that we were taking down the app, and we did it because our brand is security," Davis said May 21 during a presentation at the annual JPMorgan Chase technology conference in Boston.
LifeLock obtained the mobile wallet app through its $42.6 million acquisition of Lemon late last year. Lemon had converted its wallet, essentially a place to store cardholder credentials, into a payment mechanism during June of 2013.
The PCI standard describes how companies that handle card data must protect it. Even though Lemon had "represented and been audited and certified to have PCI compliance," when LifeLock began integrating Lemon's technology, it determined this may not be the case, Davis says.
"It was not because of any data breach. We have no indication that there was any type of data compromise," Davis adds. "We took decisive action, and it was a bit of an unusual action to pull the app off the market temporarily and begin purging data from people tapping into the app."
Customers may not be happy about the wallet app's disappearance, but they understand the message that LifeLock "takes security very seriously," Davis says.
LifeLock cannot predict what the FTC may decide, but Davis predicts the agency will be understanding. LifeLock plans to reinstate its app after the repaired version is cleared as being PCI compliant, he adds.
The LifeLock Wallet app "is still a strong asset and will be a part of the business ongoing," Davis says. LifeLock recently tested the next version of the wallet app and received positive feedback, he adds.
The compliance questions surrounding the mobile app have no connection with LifeLock's core business of safeguarding consumer accounts and identity credentials, he says.
LifeLock is benefiting from "a bit of a tailwind" from Target's holiday-season data breach because it made data security top-of-mind for many consumers.
The U.S. migration to EMV smart cards will help fraud prevention, especially with the added security of a PIN. "I am a huge fan of chip-and-PIN because it will help reduce significantly the amount of identity fraud in people using existing accounts and existing credit and debit card numbers," Davis says.
However, when criminals find that card numbers and cardholder verification codes are not as valuable, they will turn their attention to stealing names, birth dates and Social Security numbers, Davis says.
"Those don't expire, and you can't just call and a get a new one and have it replaced," Davis adds. "Those are the 'key to the kingdom' types information that they are going to target more."