= Subscriber content; or subscribe now to access all American Banker content.

Dwolla Says Its Grid Payment Network Is More Secure Than Card Networks

Using a mechanism similar to Facebook Connect, Dwolla stores payment information in such a way that merchants can't get to it.

Bank Technology News  |  June, 2011

Online and mobile payment startup Dwolla says it has been building a payment network called Grid that will be more secure than Visa and MasterCard’s card networks. Curious, we visited with Dwolla founder and CEO Ben Milne recently to find out more.

Most of the $1 million per week in transactions coming through Dwolla are online payments, Milne says, the highest dollar transactions being business-to-business transfers and consumer-to-business payments such as rent. But the new growth is in mobile, Milne says. “This makes a lot of sense because we just recently rolled out updates to our iPhone, Android and Windows 7 apps to add social context, or peer to peer transactions,” he says.

Dwolla has made sending person to person transactions easier on its iPhone app. Now users can pay another person by simply clicking on that person’s name in a contact list, whereas before the recipient had to set up an ID number that the sender would need to type in.

Visa's and MasterCard’s payment networks have been in place for a long time and the card associations have built in mechanisms to try to help banks identify fraud and handle dispute resolution and chargeoffs.

But Milne says that the Visa and MasterCard world is vulnerable to fraud. “Every time you swipe your card, you're leaving behind the actual information that would be used with that card,” he points out. “Every time you engage in a transaction, you're leaving behind information in places you don't even know you're leaving it. That's an exposure potential. This is something we all live with and it's part of the system. What we're trying to ask is, if they had or could start over today, would they knowingly let merchants or hardware providers store credit card information that could be used to commit fraud?”

Milne believes, naturally, that they would not. “They would probably do it in a way that allows them to securely connect, authorize the payment, and get paid without leaving that critical financial data behind that could be used for fraud and increases cost for everyone,” he says. This is what Dwolla’s Grid does, according to Milne. It lets people use third-party apps to make purchases, the way Facebook Connect presents a user’s credentials and profile to a new site. “It allows you to actually engage in a transaction without that piece of software ever getting access to your bank information,” Milne says. “It can't be stolen after that, or it’s less likely to be stolen. It adds an additional tier to protect the consumer.” Once the consumer connects, he can manage which applications have rights to his account information. He can also remove permission to access individual pieces of data such as account history, ability to spend money, and contacts.

So what exactly is Grid? “Grid is the software that connects to other software that securely allows people to connect,” Milne says. “It's a relatively simple concept, but the implementation is very complicated.”

The software mimics the way social networks attach to third-party networks and applications without allowing direct access to your data. “We're using the social network model and putting the consumer in control,” Milne says. “You basically authorize an app to charge you, rather than enter your credit card number. At the end of the day, that software will not have access to information that can be used to commit fraud.”

Grid uses industry standards and procedures similar to banks to prevent unauthorized entry, the company says. It also requires users to enter their PIN codes to change or revoke data sets specific to that user. For example, to remove a social network you'd previously connected to Dwolla (so you could send and receive money through Twitter or Facebook), you'd have to enter your PIN.

Some observers question whether Dwolla's service is truly more secure than the card networks. 

"With a service like Facebook connect, you’re still subject to your user name and password being hacked," notes Gartner analyst Avivah Litan. "Security is only as strong as its weakest link, which is the user name and password, which can be hacked. Malware has attacked every mobile platform out there."

One thing the credit card networks do right, she points out, is provide consumer protection through Reg Z. In the event of fraud, a credit card the cardholder liability can't exceed $50.   

Dwolla's dispute resolution process is similar to that used for debit cards, which fall under Reg E. This regulation requires consumers to prove their money was stolen but then they do get their money back. "We're relying on the decades of experience of The Members Group," a technology partner that provides card processing technology for banks and credit unions, says Jordan Lampe, director of communications at Dwolla. "They're sharing their best practices for security, risk mitigation and arbitration."