The Green Sheet Online Edition
March 28, 2011 • Issue 11:03:02
Square gaining momentum despite security concerns
Twitter Inc. creator Jack Dorsey released in a statement on Twitter that his mobile payment startup, Square Inc., had reached a milestone. On March 2, 2011, Dorsey tweeted that Square is processing more than $1 million in transactions daily and that the company is signing as many as 100,000 new merchants each month. Dorsey serves as Chief Executive Officer of San Francisco-based Square, which he co-founded in 2009.
Square's platform for credit and debit card acceptance uses a mini square-shaped credit card reader that plugs into the headphone jack of a smart phone or electronic tablet, which it offers free to users of Apple Inc. iOS and Google Inc. Android devices.
To operate the service, users download an application and pay a flat fee of 2.75 percent for swiped transactions, and 3.5 percent plus 15 cents for keyed-in transactions, which Square deducts when transactions occur.
Brandes Elitch, Director of Partner Acquisitions for CrossCheck Inc., said that when the card is swiped through the Square device, it reads the data and converts it to an audio signal, which the phone's microphone picks up and transmits to processors.
"They send it through the processor, and then it's routed to Square's software application on the iPhone," he said. "The encrypted data is then transmitted using either Wi-Fi for the iPod Touch or 3G Internet to back-end servers, and then they communicate with the payment network to complete the transaction."
Square doesn't suit all merchants
"While it's clear that that's the correct approach right now, it's certainly not a viable long-term approach, because there is enormous fraud in the payment system," Elitch said. "The mag stripe is a vulnerable technology, which is why people are talking about migrating to what is called chip and PIN. It's not entirely secure technology either; it can be hacked as well."
However, chip and PIN adoption in the United States is not expected in the immediate future. "I've actually had discussions with Visa, and they have been consistently clear that it will take them five years to convert to chip and PIN, so that isn't going to happen anytime soon," Elitch said.
Elitch believes that in the interim, Square's model will continue to serve certain types of merchants, particularly smaller merchants who operate in the person-to-person (P2P) sphere. "I don't see it as a solution for top 200 retailers or POS for that matter," he said.
Elitch also expects newer technologies to make inroads in both processing and security, including radio frequency identification, hardware security tokens and biometric authentication, among others.
Elitch also indicated that larger payment processors, such as Chase Paymentech Solutions LLC, which processed 18 billion transactions in 2009, may be better equipped to handle merchant support issues. "Maybe only 1 percent of those are going to come back with chargebacks, but 1 percent of 18 billion is a big number, and that requires a lot of people on the phone to deal with," he said. In the Internet world, customer service is frequently lacking, he added.
Square defends its security
Concerned about potential security risks associated with use of the Square device, VeriFone Inc. Chief Executive Officer Douglas Bergeron issued an open letter on March 9, warning the industry and consumers of "a serious security flaw that Square has overlooked that places consumers in dire risk." He cited flaws in Square's hardware, which he said is "poorly constructed and lacks all ability to encrypt consumers' data," and this creates a window for skimmers.
In his letter, Bergeron stated that a skilled programmer can write an application that skims personal information from the device and that VeriFone "wrote an application in less than an hour that did exactly that."
According to Paul Rasori, VeriFone Senior Vice President, Global Marketing, "Square disregards the core issue of encryption and acknowledges their devices have no layer of security to protect mag-stripe data on consumer credit cards," he said. "They are deflecting responsibility and are solely relying on card issuers to protect consumers."
In response to VeriFone's accusations, Square's Dorsey issued a letter to dispel allegations that the device is not secure.
"This not a fair or accurate claim, and it overlooks all of the protections already built into your credit card," Dorsey stated. "Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to 'skim' or copy numbers from a credit card.
"Our partner, JP Morgan Chase, continually reviews, verifies and stands behind every aspect of our service, including our Square reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction."
Despite the debate between Square and VeriFone over security issues, both companies appear to be faring well. VeriFone just posted a 27 percent year-over-year increase in net revenues for the first quarter of 2011.
"It's a big world out there, so for some types of P2P transactions, where you don't need Windows Mobile, and the person already has an iPhone, [and you have] a small merchant who doesn't want to pay for hardware, it could be a viable device," Elitch said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.