By Tim McWeeney
Earlier this year, VeriFone Inc. Chief Executive Officer Douglas Bergeron posted a video on the Internet showing how easily the Square Inc. reader could be compromised. In fact, Bergeron's own staff did it with less than an hour of effort.
Normally, this would have generated an outcry from all members of the electronic payments community, including the card brands themselves, demanding the removal of such an unsecure device from the market, but we don't live in normal times.
What reaction there was came, mostly, from the world of blogs, and mostly the reaction condemned VeriFone for piling on poor little Square. That's right, most of the reaction came down against the organization that "outed" Square as an unsecure device subject to easy hacking and theft of credit card information.
Recently, at another conference, Square's vulnerability was demonstrated again, not by VeriFone but by nonpartisan individuals who, once again, hacked the Square reader.
Square responded to the VeriFone video by saying, essentially, that hacking credit cards is a way of life, and the server Square uses is secure. The problem Square CEO Jack Dorsey conveniently ignored was that the compromise happens long before the transaction ever hits the server. The data is stolen at the point of the swipe.
With the exception of a few mobile payments industry leaders, our side of the industry has been quiet about the lack of security in the Square reader. And what was Visa Inc.'s reaction to all this? Outrage? Demands for the removal of all unsecure Square devices in the market? Immediately shutting down Square's ability to process credit cards?
No, Visa invested an undisclosed amount in Square; venture capital firm Kleiner, Perkins, Caufield & Byers subsequently invested a paltry $100 million. Toto, I have a feeling we're not in Kansas anymore.
While not formally endorsing Square at the May 2011 Electronic Transactions Association Annual Meeting & Expo, Steve Wozniak (Woz) told a group of listeners that he liked the device and appreciated the simplicity of it. Woz did not address the security concerns because, seemingly, he did not care about them. ... They would get worked out somehow.
All Woz cared about was simplicity. And why not? He helped launch a company with open architecture that redefined the word: Simple.
Dorsey said after the VeriFone assault that Square was coming out with a secure reader, but Dorsey has never promised to remove all the unsecure readers the company has flooded the market with thus far. This leaves a significant vulnerability Square must correct.
We are left to one conclusion: no matter what Visa has said about how it frowns on aggregation and demands security, clearly, in the case of Square, the rules do not apply. The question is why?
Think about it: micro merchants processing less than $500 a month. These are people who would never have signed up for a legitimate merchant account in the first place. Square has created a new level of merchant ("Level 5") and the numbers are in the millions. These people don't care how long it takes to get their money or the discount fees associated with it. They want it free and simple to get started.
Historically, these "merchants" have been of little interest to the ISO or banking community unless fees were associated with the account to make it profitable - statement fees, monthly minimums, etc. Square has blown that model to smithereens.
No equipment to buy, rent or lease and no monthly fees, but the company isn't stopping there. Square is now moving into traditional spaces for legitimate merchant accounts.
The big question on everyone's mind: Is the Square model sustainable? I know many experts who work in the mobile payments industry, and each one believes it is not. The fees collected are too small, and the merchant acquisition expense is too high. It is bound to crash like so many other Silicon Valley startups.
Add to this the flood of competitors who use mobile payments as an ancillary product to their existing, profitable lines of business, and you have a waiting game being played on the Indianapolis 500 speedway because the mobile payments sphere is moving at the speed of light.
Those of us who still believe security is important and merchants ought to have more invested in their businesses than a smart phone and an unsecure reader will continue to build business safely and effectively.
Square continues to operate on its own, completely independent of the traditional payments industry. Time will tell if its model is sustainable.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.