LifeLock deletes data on 4M users in face of potential PCI violations

Digital wallet app pulled from Apple, Amazon and Google stores

The Lemon Wallet bought by LifeLock for nearly $50 million in December turned out to be just that – a lemon.

The company in a blog post said it was deleting all user data from its servers and pulling the LifeLock Wallet application — formerly known as Lemon Wallet — from the App Store, Amazon Apps, and Google Play, according to company chairman and CEO Todd Davis.

Davis said the company had “determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards.”

He wote in his blog post, “we know we’re asking a lot of our LifeLock Wallet users —to delete and go without this application for a period of time. I personally apologize for the inconvenience.”

Davis said the issues do not affect LifeLock’s subscription identity theft protection services.

The company’s stock took a tumble on news of the problems. It was down more than 17% to $10.70 at 4pm Eastern time on Monday. In after-hours trading, however, the stock was up 2.5% at 6pm Eastern time.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for companies and organizations that handle credit/debit card information, including ATMs and point-of-sale devices. It was originally developed by card issuers to offer themselves better protection by ensuring merchants meet minimum levels of security when they store, process and transmit cardholder data.

The LifeLock Wallet worked by having users snap a photo of their credit cards to add them to their digital wallet. Users can click the photos and see card numbers, security code and expiration data. The app converts the photos to a bar-code format that can be scanned at merchant locations. In August of last year, Lemon said it had four million users.

“We have taken steps to delete all stored information for the mobile app from our servers. Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do, said Davis. “We’ll be working to return a Wallet with the highest level of PCI compliance to users soon.”

The PCI Security Standards Council, an open global forum responsible for the development and management of PCI Security Standards, oversees the PCI Data Security Standard. The Council's five founders are American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by individual payment brands and not by the Council. Validation of compliance is performed annually, either by an external qualified assessor or a self-assessment questionnaire for companies handling smaller volumes of transactions.

Recently, merchants began questioning fines levied by the credit card companies for PCI violations, with apparel retailer Genesco filing a $13 million lawsuit against Visa.