Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Payments

10:50 AM
Penny Crosman
Connect Directly
RSS
E-Mail
50%
50%

VeriFone and Square Squabble Over Mobile Payment Security

VeriFone says Square's card reader can be easily turned into a skimming device; Square counters that its transactions are protected by banks' monitoring and fraud prevention technology. How much security is enough?

Yesterday, the CEOs of card reader rivals VeriFone and Square engaged in a duel of open letters, fighting over how secure Square's mobile card reader is. One could argue that both sides lost in this public relations fiasco.

VeriFone CEO Douglas Bergeron threw down the gauntlet in an open letter attacking Square, saying its small device, which plugs into iPhones and acts as a mobile card reader, can be easily turned into a skimming device. "In less than an hour, any reasonably skilled programmer can write an application that will 'skim' -- or steal -- a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader," Bergeron wrote. He said his company's programmers did just that and posted a video demo of their app in action for all to see.

This is a low road for a vendor to take -- to not only knock a competitor but to actually write malicious code to harm it and then publicly announce that fact. We were tempted to ignore this whole flap, and yet the allegations were serious enough to warrant a closer look. Do emerging payment devices like Square's present a major security threat to consumers and card issuers?

Bergeron's main contention is that Square's hardware doesn't encrypt consumers' data at the point of transaction, "creating a window for criminals to turn the device into a skimming machine in a matter of minutes."

Square CEO Jack Dorsey responded with his own open letter. "Today one of our competitors alleged that the Square card reader is insecure," he wrote. "This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card."

Dorsey countered that any technology -- an encrypted card reader, phone camera, or plain old pen and paper -- can be used to "skim" or copy numbers from a credit card. "If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card," he wrote.

He noted that banks monitor card transactions for signs of fraud and call cardholders when they're alerted to suspicious transactions. "Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader," he wrote. "And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction."

To my thinking, this is not a watertight response, because Dorsey did not explain why Square does not provide hardware encryption the way some of its competitors do. It suggests an over-dependence on banks' fraud monitoring software. It also doesn't seem to comply with the PCI Council's data security standards, which require cardholder data to be protected at all times. This is a conversation about mobile payment security that I think will continue for a long time.

Register for Bank Systems & Technology Newsletters
Slideshows
More Slideshows
Video
All Videos
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.
FULL SCHEDULE | ARCHIVED SHOWS