29 Comments

Summary:

As an experienced user of various credit card processing services, I know why VeriFone is concerned enough about Square to employ the kind of scare tactics found in yesterday’s “open letter” — Square is poised to revolutionize the credit card payment industry in a big way.

The Square dongle lets you accept credit card payments on your iPhone with the companion application.

VeriFone’s new “open letter” scare campaign proves that Square is going to for to the credit card industry what Apple has done for mobile computing — make cutting edge technology simple and accessible. Square allows iPhone owners to accept credit cards without monthly fees and contracts, and threatens the the entire credit card processing industry. I’m part of that threat as a small business owner and Square user, and apparently someone to be feared.

When I started my computer repair business eight years ago, I learned about the complex world of “merchant processing.” Unlike the simplicity of cash or checks, credit cards pass through a variety of gateways and processors that sit between the customer’s bank and the merchant’s bank, and carry a complex set of fees and procedures that limit a merchant’s ability to accept credit cards.

When I researched processing for my business, salespeople wouldn’t quote exact fees. They wanted to see my last statement first, but they always promised they’ll somehow save me money. They also required a credit check when applying. It felt like a used car salesperson looking at my bank statement before telling me how much the car costs. I had little choice but to just accept it as industry norm and sign the multi-year contract with a stiff early termination fee. Fees varied on each transaction depending on various unpredictable factors. This is why many businesses have minimums for transactions or give a cash discount.

This is still generally how the industry works. I even tried Intuit’s iPhone solution and found out that while I didn’t have a contract, my fees varied wildly from what was quoted and from what others were charged. Then I found Square, and I’ve been delighted every since. Simple statements and the exact same fee regardless of credit card type or issuer. No monthly fees either. I fell in love with my iPhone all over again, and customers loved how quickly and easily we as a business accepted credit cards.

Like VeriFone states, “anyone” can get a Square reader — as if this were a bad thing! VeriFone’s concern isn’t about protecting customers, but rather about protecting VeriFone’s business model. Square’s system is actually more secure since the GPS location of the transaction is captured by Square. VeriFone’s wild claim that providing free hardware somehow increases risk to consumers is incredulous. VeriFone believes that somehow consumers would be tricked by a rogue application using Square’s free reader as a skimmer? There’s already a skimmer built into the iPhone: the camera!

Verifone hasn’t explained how Square’s free reader is more dangerous than situations in which you hand your credit card to a complete stranger and they leave your view, such as in restaurants. In fact, if you believe VeriFone’s fear-mongering, I implore you to follow your server (whom probably didn’t have a credit check done on them) to the pay station at your favorite restaurant and demand that you personally inspect the credit card terminal and verify that in fact a skimmer is not attached, and rogue applications aren’t installed. Let us know in the comments how that works out for you.

In reality, VeriFone’s “open letter” is a de facto endorsement of the democratization of credit card processing being led by Square. It proves that with Square’s business model, the multilevel and multi-fee structure of the majority of current credit card transactions is the real thing that’s being threatened, not the security of the consumer.

  1. Andrew Macdonald Thursday, March 10, 2011

    I absolutely love how simple and easy Square ‘looks’, but it has one major flaw. It only works in the US. Not only that, but when America updates their Credit Card system to be more secure like most of Europe – I.E. going to ‘Chip and Pin’, leaving behind the magnetic strip – Square is completely useless, as it has no ability to process these new cards.

    Im guessing this is the exact reason Square hasn’t ventured outside of America yet, which is a real shame, as I have a need for a simple credit card processing facility, but due to a relatively poor credit history when I was much much younger, I can’t get accepted for a terminal. Apparently my flawless credit history for the last 8 years counts for zilch!

    I hope Square can innovate and come up with a solution to the Chip and Pin system, but until it does, Ill keep on checking out their website in the hope that one day I can get a ‘Square’ of my own.

    Share
    1. The “chip and pin” technology is based on this open standard:
      http://en.wikipedia.org/wiki/EMV#EMV_commands

      For Square to be able to read these cards, they’d simply need to replace their magnetic card reading head with a smartcard reader. True, this would make the device larger, but it would not make the task impossible.

      Square would then need to modify its software to be able to accept a PIN number entry by the customer at the time of purchase, similar to a customer paying via “debit” payment method.

      BTW, the first link in the article is broken.

      Share
  2. Javier Gracia Thursday, March 10, 2011

    Sadly the author is too enamored to question the security missing in Square. Question should be why is Square the only company without encryption in their reader? Intuit, Roam, Magtek and Verifone all have it for a reason. They understand the risks. Form should follow function and the fact that Dorsey and Rabois are obsessed with their email template designs simply shows they still don’t get payments.

    Share
    1. Actually, when I got my coffee this morning my credit card wouldn’t scan and a human manually typed my credit card number instead of scanning. Obviously between her eyes and fingers there wasn’t an encryption scheme. Or was there. Something you know the rest of us don’t? If true, and there was an encryption scheme at work by my barrista, then indeed Square is the *only* company without encryption in their reader. Otherwise…well, you get the picture (pun intended)

      Share
    2. I’m sure the encryption is done in the application before the data is sent out to the gateway via TCP/IP for processing. The actual “Square” device converts the magnetic data to an audio signal, just like a credit card reader does internally when converting the magnetic data to an analog signal, which is then digitized.

      Share
  3. The square looks pretty solid to me. The only problem I would have with the square is explaining to people that it is not a skimmer! About a third of my customer base varies between the ages of 45-70, and are extremely skeptical about credit card processing and how it is conducted.

    I would have to speculate that my younger customer base has a better understanding of the current progression in technology, and therefore would be more accepting. Not to mention know what an IPhone is…

    Share
    1. I’d be kinda surprised people in the 45-70 year old range hadn’t heard what an iPhone is. Everyone should be concerned about the security of credit card transactions. If you don’t trust the person you are doing business with, then you probably shouldn’t give them your credit card. Similarly, if you trust the person, one can assume that trust extends to their use of your credit card.

      Since this story broke, I’ve looked at every credit card transaction I’ve done. Some were a nondescript black swipe box attached to the computer, one was indeed a verifone terminal, 3 transactions I couldn’t see because the credit card machine was out of customer view. I would have no way of knowing if they were a skimmer or not, especially the ones in which I didn’t actually see the terminal.

      Share
  4. >Square is going to for to the credit card industry

    Square is a gateway, not a processor. Therefore, the only “industry” they are truly affecting is the mobile device payments industry. I.E. VeriFone. Square still uses Chase ( a processor ) to process their transactions. And the rate is much higher than a standard swipe rate for non mobile devices.

    While mobile processing fees might be reduced across the board, this isn’t going to affect the majority of brick and mortars we visit on a daily basis that use the standard devices.

    Share
    1. For “brick and mortars” that do heavy credit card sales, Square isn’t for them. This is the reader “for the rest of us”–small businesses that want the occasional ability to do credit card transactions. A small biz doesn’t need to understand the difference between gateway and processor, just like a Mac user doesn’t need to understand what a .DLL or .INI file is.

      Share
      1. >A small biz doesn’t need to understand the difference between gateway and processor,

        No, but you do if you want to claim, “Square Has the Credit Card Industry on the Run”

        Quite clearly, Square has done nothing of the sort.

        Share
    2. One should realize that the higher fee’s (2.75%) and the long 30-60 cycle for a merchant to get their funds is a reflection of the risk that Chase (the acquirer) and Visa/MC (the processors) believe is inherently in the solution.

      Look, as I have written, i admire Square for opening new merchant markets – and it seems that VISA et all do as well. But as innovators they should be doing things better, not worse. And an unencrypted dongle is below the industry standard.

      Check here to see who’s apps and devices are PCI compliant – Note: Square is not.
      https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

      Share
      1. I’m not sure what 30-60 cycle you are referring to. I get my money usually the next day. Additionally the rate is the same with Discover, and Amex.

        PCI compliance is interesting. I was required to fill out a PCI Compliance survey. It was $40 and asked me a series of questions. It validated nothing.

        However, this strays from the original point that Square’s solution doesn’t pose any risk that isn’t already there.

        Share
      2. I wonder if Sony PSN and SOE are PCI compliant? I imagine they no longer are.

        Share
  5. Just heard today from the Buy Local’s chapter in the town I live in. Last week I proposed an education campaign to make sure people (students especially in this town) should keep cash on them and use cash when purchasing for under $5 from local stores. What really pushed me to take action was people paying for $1-$2 coffees in local coffeeshops. I want those profits to go to the local community and not to some huge national corporation. This is crucial for every community.

    Never heard of Square but I already like them. Thanks VeriFone for the free advertisement. After reading both original statements I also have to conclude that the sleazy bastards over at VeriFone should go to hell.

    And yes, most effective skimming devices include pens, cameras and human memory. Whoever wastes their time to develop more complex technologies to do this is a complete idiot (as demonstrated).

    Share
  6. Incredible not incredulous.

    Share
    1. Or perhaps better, “not credible” or “not the least bit credible”.

      Share
  7. Sort that first paragraph out will you? So many mistakes it put me off even reading the article.

    Share
  8. I knew of Square previously, but didn’t sign up until I read VeriFone’s FUD release.

    Now, I’m Squared up with an account, and am eagerly awaiting for my reader to arrive.

    Thanks, VeriFone!

    Share
  9. @Kristie Roeder I just found this. The credit card companies can’t compete with the square’s lack of fee’s and low 2.75% on transactions and no transaction fee if you swipe a card. Anyone who uses a credit card online is at risk of it being hacked, no matter what.

    Share
  10. Dave , your comments sound like a PR man for Square. People have real concerns about security and don’t need that kind of brush off.

    Share
    1. Credit card concerns I agree are real, but they aren’t about one type of reader. You should always be concerned about whom you hand your credit card to

      Share

Comments have been disabled for this post