By Patti Murphy
Jack Dorsey - a serial entrepreneur who cofounded social media phenomenon Twitter Inc. and founded payment upstart Square Inc. - finally rolled out the Square mobile payment dongle in the latter part of 2010 after getting off to a rocky start. And he was promptly derided by banks and their partners.
Douglas Bergeron, Chief Executive Officer of terminal manufacturer VeriFone Inc., even took Dorsey to task publicly over alleged security lapses created by Square. (For more information, see "Square gaining momentum despite security concerns," The Green Sheet, March 28, 2011, issue 11:03:02). Square was among a group of innovators releasing promising mobile payment solutions of their own. In April 2010, Roam Data Inc. earned the Electronic Transactions Association's Technology Innovation Award for ROAMpay, a miniature card-reader, or dongle, that plugs into the headphone jack on smart phones. It resembles Square but is said to be more secure.
Not long after criticizing Square, VeriFone unveiled PAYware, a "sleeve" placed over smart phones to facilitate payments. That was followed in short order by Intuit Inc.'s GoPayment toggle and a plug-in device developed specifically for mobile sales forces by SalesVu, an Austin, Texas-based firm supported by a cloud-based network. Several others followed. Now Erply Ltd., a global software-as-a-service company with roots in Estonia, is rolling out a card swipe plug-in for Apple Inc. iPhones and iPads that integrates with a cloud-based inventory management system claimed by the company to be operating in over 20,000 retailers. Attach the Erply device to the charging port on an iPad and, with one swipe, a merchant captures encrypted payment information that initiates transaction processing and simultaneously updates inventory.
The Erply device, which sells for $50, supports near field communication (NFC) technology as well as traditional swipe authorization. NFC requires radio frequency identification (RFID) chip cards and compatible readers to support two-way communication using the existing payments infrastructure.
Mixing NFC and mag stripe functionality is a feature combination that positions the company and merchants to evolve with the market, according to Erply CEO Kris Hiiemaa. "As technology changes, we are giving consumers the ability to pay for items the way they want to," he said, adding that transaction fees using Erply represent 1.9 percent of the ticket. In comparison, Square charges 2.9 percent.
Dorsey said his motivation for creating Square was to allow the smallest merchants to accept credit and debit card payments. This summer Sitter Pals LLC, a social network connecting parents with "trusted" babysitters, launched with much fanfare a partnership with Square that provides babysitters with free application downloads and Square dongles, thus enabling babysitters to accept card payments.
"This is something that could spur us all to start up cottage businesses," said Linda Echard, President and CEO of ICBA Bancard Inc., an affiliate of the Washington, D.C.-based Independent Community Bankers Association.
Dan Kramer, Senior Vice President at electronic funds transfer network Shazam, agreed, but cautioned that Square is not a product for every customer. "Banks are going to need assurances of creditworthiness," Kramer said.
Provided that small merchants are not dealing with high-dollar tickets, "those doing one to two transactions a month, it's not a bad option," said Markiyan Malko, Product Manager at Boston-based ISO Merchant Warehouse. But she believes the Square device itself is no great shakes. "Square is essentially PayPal with a card reader," she said.
Merchant Warehouse offers two MagTek devices: iDynamo, a card reader that plugs into Apple devices, and BulleT, a Bluetooth card reader for non-Apple smart phones and tablet PCs - popular devices with the ISO's merchants, according to Malko.
Despite the competition, Square is gaining traction. Its coffers brimming with $100 million in fresh funding, the company stated in late July 2011 it was processing $6 million in card payments daily and expected to double that daily total by October.
The company claimed to have shipped more than 500,000 Square card readers in the past year, although this number cannot be independently verified. Square's plug-in devices are also available for sale through Apple Stores.
Still, Square has detractors, especially among bankers and bank consultants who view Square as another attempt on the part of nonbanks to squeeze financial institutions out of the payments value chain.
"American consumers are losing their affinity for what constitutes a bank account," said industry consultant Paul Martaus. They use PayPal, Square or Google as dispassionately as they write checks or use credit cards. "Eventually, they won't care because their decisions are just buttons on a [smart] phone." Martaus believes that eventually "an overwhelming number of mobile systems will not be bank-centric. It will be Google or Amazon or something like that."
Lee Manfred, a partner with First Annapolis Consulting Inc., isn't convinced of that, however. He noted that most person-to-person payments, absent a solution like PayPal or Square, are done with cash and checks. "Square could be very important from an acquiring perspective," he said. "It enhances the utility of a network and the [bank's] deposit relationship with its customers."
Consumers appear not to be convinced about newer payment contenders either. When advertising and public relations firm Ogilvy & Mather recently asked consumers what entity they most trusted to handle mobile payments, the traditional card brands - Visa Inc., MasterCard Worldwide and American Express Co. - got the highest ratings.
Survey respondents were also more likely to trust the United States Post Office with mobile payments (24.6 percent) than Apple (22.9 percent), Microsoft Corp. (22.3 percent) or Google (19.5 percent), the firm reported.
Regardless of which approaches win out, most experts agree mobile payments are on the cusp of something big. Yankee Group Research Inc. predicted $246 billion in mobile payments will be made worldwide this year and expected almost a quarter of that total ($59 billion) to be spent in North America.
In a report released this summer, Juniper Research Ltd. predicted nearly a three-fold increase in mobile payments by 2015, when the worldwide total is expected to reach $670 billion. IE Market Research Corp. is even more optimistic, forecasting $945 billion in mobile payments worldwide in 2015. To put this number into perspective, consider that it took more than two decades for the automated clearing house (ACH) to reach the $1 trillion a year in payments mark.
"Square is just a small part" of a much bigger trend concerning the widespread adoption of mobile payments, Martaus said; recent actions on the part of Visa add substance to this assessment. In addition to investing in Square, Visa has a relationship with ISIS, an NFC-based project spearheaded by AT&T Mobility, Verizon Wireless and T-Mobile. (MasterCard, Discover Financial Services and AmEx also have agreements with ISIS.)
Visa also said it plans to launch an electronic wallet along with several large issuing banks this fall that will be built around cell phone and NFC technologies. And in August, the card giant announced a new scheme to stoke U.S. merchant adoption of Europay/MasterCard/Visa (EMV) chip technology. Merchants installing EMV-compatible terminals will get a pass on Payment Card Industry (PCI) Data Security Standard (DSS) compliance validation, since chip cards eliminate the possibility of merchants storing data, Visa said.
EMV has traction in Europe and is now being rolled out in Canada, but U.S. adoption lags. U.S. Bank, parent of leading acquirer Elavon Inc., recently became one of the first banks in the United States to issue EMV chip cards. Although EMV is promoted as inherently safer than mag stripe technology, that is not always the case.
"It doesn't help with CNP [card-not-present] transactions," said David Abouchar, Senior Director, Product Management, at the PCI compliance specialty firm ControlScan Inc. "To really take advantage of chip card technology, consumers would need personal swipe devices when making CNP purchases."
Bergeron, in his open letter to Square, took issue with a "serious security flaw" in the design of the dongle that could render cardholders vulnerable to skimming - using the devices to illicitly capture cardholder information.
Square responded by agreeing to make design and technology changes. Company executives said a new reader is on the drawing board that encrypts data as it's captured from a card's magnetic stripe, but at this writing, it had not been rolled out. Square's commitment to encryption was announced the same day Visa revealed it made a financial investment in the company. JPMorgan Chase & Co. also has put money behind Square, which processes transactions through its merchant acquiring business, Chase Paymentech Solutions LLC. Despite Square's achievements, and its financial backing, concerns continue to be voiced about the viability of the device. "Spam is a big problem already," said Dee Karawadra, President and CEO of Impact PaySystem LLC, a Memphis-based ISO.
Impact PaySystem charted some early successes with Square, rebranded as iphoneswiper.com and featuring a built-in receipt printer. "We've had many ex-Square merchants come to us as they want a tangible receipt," Karawadra said. But overall demand for the product has slackened lately, he noted. That's not the case at ROAM Data, which stated in August 2011 it had become the "number one provider of secure mobile phone card readers in the world," with 300,000 of its devices distributed so far. The firm said it expects more than 1 million of its devices will be in use by the fall of 2012.
ROAM Data's ultra-secure plug-in card readers can be private-labeled and are sold through several ISOs, including Sage Payment Solutions Inc., North American Bancard, National Processing Co. and Total Merchant Services Inc. The devices are also available for sale through Intuit and Verizon Wireless outlets.
Online reviews of Square point to other shortcomings, including transaction limits, difficulties sorting through transactions that number into the dozens and costs. For example, a former Square customer who runs a beer pub, and recently switched to SalesVu, complained in an interview recorded by SalesVu that, despite Square's published fee of 2.9 percent of the transaction total, that fee jumped to 3.5 percent for transactions keyed in by hand because of mag stripe reader problems, a problem he often encountered.
ROAM Data's August announcement followed two separate demonstrations at a security confab (the Black Hat Conference) of Square's security shortcomings. One demonstrated the ease with which Square can be misused as a card-skimming device, the technology news and product review site CNET reported.
The other used a simple programming script to convert stolen card data to audio tones and fed that information to the Square application by way of the headphone jack, thereby eliminating the need for a physical card, according to CNET.
"ROAM's entire system was designed with PCI security from the start," said ROAM Data CEO Will Graylin. The Square security shortcomings demonstrated at Black Hat are not shared by ROAM "because ROAM's readers fully encrypt the track data before it reaches the phone and the data can only be decrypted by a secure payment server, never exposed on the phone," he added. "By design, neither ROAM's app nor server would recognize third-party audio signals from recorded files."
Some experts have suggested the problems with Square demonstrated at Black Hat say more about the shortcomings of mag stripe cards than of Square. Graylin doesn't agree. "The reality is that, for a variety of reasons, mag stripes in our wallets will be around for a long time to come," he said. "Therefore, those providing payment services with mag stripe have a serious responsibility to make their services as secure as they possibly can."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next