API and Data security

Hello Dwolla team,

We are exploring Dwolla APIs and have some questions around API and data security.

We will be integrating the Dwolla API in a B2B model (server-to-server).

  1. Does Dwolla support mTLS, or will communication with Dwolla be over TLS/HTTPS? If it supports mTLS, can you share details on the certificate exchange process?

  2. Some of the APIs have sensitive information in the request payload. Example:
    https://api.dwolla.com/customers/{id}/funding-sources
    Fields: routingNumber & accountNumber
    Does Dwolla support payload encryption (field level or entire request) while making the call, so that data will be secured while transferred over the internet?
    If it does, can you share details about how to protect the data?

Thanks in advance!

Hi @hshah2811

Dwolla protects sensitive data in-transit, at-rest, and throughout a transaction using a combination of cryptographic protections and tokenization. Dwolla requires strong Transport Layer Security (TLS) with downgrade protection for data in-transit. Dwolla protects data at-rest through a cryptographic service that uses strong symmetric encryption (AES 256, GCM with ongoing key rotation), and removes high-value data within a transaction using a time-based token.

For more information on Dwolla’s approach to data security, visit https://www.dwolla.com/security/
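To make the "AES-256-GCM with ongoing key rotation" part of the reply concrete, here is an added illustration (not Dwolla's code, and not a description of any Dwolla API) of how versioned keys let rotation happen without orphaning data, applied to the routingNumber and accountNumber fields named in the question. The KeyRing class, the version-prefix layout and the use of the field name as associated data are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a key service: keeps every AES-256 key version still
# needed to decrypt plus the version used for new ciphertexts (not Dwolla's code).
class KeyRing
  NONCE_SIZE = 12 # standard AES-GCM nonce length
  TAG_SIZE = 16

  def initialize
    @keys = {}
    @current = 0
  end

  # Adds a fresh random 256-bit key as the encryption key; older versions stay.
  def rotate!
    @current += 1
    @keys[@current] = SecureRandom.random_bytes(32)
  end

  # Seals one field value as version(4) || nonce(12) || ciphertext || tag(16).
  # The field name is the associated data, so a blob cannot be moved to another
  # field (e.g. an accountNumber ciphertext presented as a routingNumber).
  def encrypt_field(field, value)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @keys.fetch(@current)
    nonce = SecureRandom.random_bytes(NONCE_SIZE)
    cipher.iv = nonce
    cipher.auth_data = field
    body = cipher.update(value) + cipher.final
    [@current].pack('N') + nonce + body + cipher.auth_tag(TAG_SIZE)
  end

  # Picks the key by version prefix; tampering, a wrong field name or a retired
  # key version raises instead of returning garbage.
  def decrypt_field(field, blob)
    raise ArgumentError, 'ciphertext too short' if blob.bytesize < 4 + NONCE_SIZE + TAG_SIZE
    version = blob.unpack1('N')
    key = @keys[version]
    raise ArgumentError, "unknown key version #{version}" unless key
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(4, NONCE_SIZE)
    cipher.auth_tag = blob.byteslice(-TAG_SIZE, TAG_SIZE)
    cipher.auth_data = field
    body_len = blob.bytesize - 4 - NONCE_SIZE - TAG_SIZE
    cipher.update(blob.byteslice(4 + NONCE_SIZE, body_len)) + cipher.final
  end
end
```

After a `rotate!`, blobs written under the previous version still decrypt while new blobs carry the new version prefix, which is what lets a key service retire old versions only once every record under them has been re-encrypted.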

Thanks Kmoreria for your prompt response.

"Dwolla requires strong Transport Layer Security (TLS) with downgrade protection for data in-transit."

  • So you mean the client (our server) can communicate with Dwolla over TLS/HTTP and does not have to present any client certificate while communicating with Dwolla, as mTLS is not mandatory from Dwolla's side. Is that a correct understanding?

Regarding the 2nd question,
I know the overall communication is protected over TLS/HTTP, but how about field-level encryption? Do you have any mechanism where we can pass just routingNumber & accountNumber encrypted with a pre-agreed shared secret or using PKI-based crypto?