When we first started in Iowa, we were a young company trailblazing new technologies, possibilities, and concepts in payments. Our biggest challenge was describing to customers the innovation and value we were creating for them.
One item we were specifically proud of was the way we were rethinking payments and developing a system that did not disclose sensitive financial information at the time of transaction, such as credit card numbers on file with merchants, and bank account numbers printed on checks.
Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.
Since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We’ve continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures, and technologies.
Below are just a small handful of the meaningful protections we’ve implemented up, down, and across the company.
Data Protection and Encryption
The Dwolla platform is equipped to protect sensitive data by encrypting it when it moves, when it is stored, and replacing it with tokens in transactions.
Data in transit is information as it moves across networks, like the Internet. For example, when users submit their credentials and logs into Dwolla.com the data moves from their computer to Dwolla’s systems. During this ride, the data needs protection. To do this, Dwolla and other companies, like Google and Wells Fargo, use Transport Layer Security (TLS) to encrypt the information and prevent data from being captured or seen by bad actors. Other protection measures, like TLS downgrade attack prevention and HTTP Strict Transport Security (HSTS), also help provide data integrity between you and Dwolla.
After the data moves across networks, it is received and may be stored. This is called “data at rest” and the Dwolla platform is equipped to protect sensitive data from exposure. To enable this, we use a trusted and specialized encryption service for storage based on the Advanced Encryption Standard (AES) algorithm with strong 256-bit keys with automated rotation capability and Galois Counter Mode (GCM) providing authenticated encryption. In addition to encryption, Dwolla also protects sensitive data (like passwords or tokens) using strong, iterated password-based hashing.
Sensitive information, like social security, bank account, and routing numbers, are valuable to bad actors because of the privileges they represent. That’s why for nearly five years, Dwolla has been using tokenization. This process replaces “high-value” information with specialized low-value digital cryptographic tokens. So instead of sharing your bank account and routing numbers each and every time you’d like to send or receive money with another party, Dwolla generates and exchanges unique tokens to facilitate authorization and transactions. Tokens can only be used between two specific parties, expire after a short period of time, and can be revoked at any time.
Like customer data, Dwolla’s software platform needs protection too. That’s why we’ve built layers of technology and processes that complement each other and provide a holistic security model. The layers used include strong border protection, an industry-leading hosting provider with security and compliance capabilities (e.g. ISO and SOC), network firewalls, intrusion prevention and segmentation, access control, continuous security monitoring (24x7x365), and strong authentication. Dwolla offers two-factor authentication, an optional feature that helps safeguard your account and data at login. In addition, Dwolla employees use two-factor authentication for remote access and administration of the Dwolla platform.
Security by design (including culture)
But how do you innovate new products and services and still maintain security? At Dwolla, we’re placing security in the software platform’s DNA. That means that we manage and develop using consistent automation, test-driven development and security testing during the build process. As new products and features are integrated, Dwolla aligns with established protocols and frameworks (e.g. OAuth) and uses Threat Modeling to deliver secure solutions. Our platform is routinely scanned for vulnerabilities, is subjected to bi-annual penetration tests and follows a responsible disclosure process to support and manage concerns reported by the community.
Dwolla employees participate in mandatory information security awareness training with additional technical developer training based on the Open Web Application Security Project (OWASP) top 10 risks. The company performs social engineering, pre-texting and phishing exercises and reinforces these topics through both routine internal messaging and externally shared best-practices such as Tips for Information Security.
Security is never done
Dwolla recognizes that security is never done, rather, it is a process. We are proud of our information security program and our continual focus on providing a platform to safely move money. Please reach out to firstname.lastname@example.org with questions and comments.