
Square’s Dorsey: Verifone Security Claims Not Accurate


UPDATED: Square founder and CEO Jack Dorsey responded to VeriFone’s much-publicized and questionable attack on its security with an understated letter that defends his mobile payment service’s protections, saying VeriFone’s claims are neither fair nor accurate. Without even mentioning VeriFone by name, Dorsey pointed out the present danger of credit card fraud, but highlighted the existing security measures built into Square and credit cards.

Compared to VeriFone’s robust attempt to highlight Square’s potential to act as a credit card skimmer, which included not just a video but also the release of an application meant to demonstrate the danger, Dorsey’s response was particularly restrained. Dorsey just pointed out that anyone who uses a credit card needs to be on the lookout for skimming, which was a threat long before Square and its mobile payment dongle arrived on the scene. And he didn’t highlight the obvious, which is that VeriFone has a vested interest in this case because it competes directly with Square with its PayWARE product.

Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to “skim” or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.

Dorsey said credit card companies, like Square partner JP Morgan, review transactions for fraudulent activity and alert users in those cases, often reversing charges when that happens. Square has also added more security by giving people the option to receive a text message or e-mail when they perform a Square transaction.

Judging by a lot of the chatter on Twitter, many sided with Square on this one, so it didn’t have to go all out in defending its honor. Most saw VeriFone’s attack as more an admission of fear than a public service. In fact, as Darrell reported yesterday, VeriFone may be in hot water for releasing an application designed to facilitate an illegal act. In the larger scheme of things, this probably did VeriFone more harm than Square. The company looked worried about the competitive threat posed by Square, and its actions also could sow some general doubt about the safety of mobile card readers, which could dampen the entire industry.

Mike Puchol, a wireless expert and GigaOM commenter, had a good rundown of the situation. He said skimmers were available before Square and that criminals are unlikely to use a legitimate payment device to skim credit card information because it would require them to set up real functionality to masquerade as a legitimate vendor. And he said cardholders are not going to give their card to just anyone, but to people they are actually doing business with.

VeriFone’s actions highlight the growing competition in the mobile payment market, and show just how far companies will go to compete in this burgeoning area. As we’ve reported before, the entire mobile payment opportunity is huge and could be worth an estimated $633 billion by 2014. With that much money at stake, it’s likely VeriFone’s attack isn’t the last one we’ll see.

UPDATE: VeriFone responded to my request for more comment on the whole situation with a statement:

“Square disregards the core issue of encryption and acknowledges their devices have no layer of security to protect mag-stripe data on consumer credit cards. They are deflecting responsibility and are solely relying on card issuers to protect consumers,” said Paul Rasori, Senior Vice President, Global Marketing, VeriFone.

8 Responses to “Square’s Dorsey: Verifone Security Claims Not Accurate”

  1. Randy Rourke

    First off, I find the latest Verifone remark to be somewhat disingenuous. While it is true that the Verifone dongle encrypts at the hardware level and the Square does not, the Square software does encrypt the data, so the “no layer of security” remark is, to me at least, over the top. I also seriously doubt that the typical “skimmer” is really capable of creating the application that Verifone claims is so easy to make.

    As an accountant, I can assure you that the cost of card processing for a small business is considerable. When factoring in monthly fees, yearly fees and tiered percent charges, it can easily reach 6.5% or more of the gross revenue processed. While Square fees are no bargain, they do nonetheless represent a potential savings for a number of small businesses. Square also opens the door for personalized usage. I can have lunch with some friends, pick up the entire tab and later swipe their cards for their shares on my phone back at the office, easy breezy and a lot less bill splitting at the table.

    As a consumer, I might be a little wary of letting my card be swiped by someone with a device attached to an iPhone, regardless of the make of dongle and type of encryption. (The same holds true for letting them type my data into a phone, and there are numerous apps for that.) Yet how many small businesses, such as the local dry cleaners, use PCs as POS terminals and we think nothing of it. How are keyboard readers encrypting your data? Does someone have Windows Notepad capturing it too? Why does Verifone not mention this as well, if they really have the consumer in mind?

    • If a merchant is paying 6.5% or more for their card processing, they are getting RIPPED OFF. Most merchants I know pay between 1.8% and 2.5% for their processing fees (this includes all monthly, annual, per transaction, and processing fees).
      As a consumer I want to know that the merchant is doing all that they can to protect my card data, and that is why I would never allow my card to be swiped on Square’s dongle, until they encrypt end to end. Data security is no joke. Square is acting irresponsibly by not encrypting card data information end to end. Card data breaches are most commonly caused by hackers who have been able to install malware on a system that stores or processes unencrypted card data (just like Square). The industry has been under intense scrutiny for not having high enough security standards, and Square’s irresponsible action and blatant disregard of the consumer’s privacy fly in the face of all the security standards and protocols that cost banks, processors, merchants, and consumers millions of dollars a year. Credit and debit card issuers spent an estimated $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches.
      And who will be profiting the most from all of this? Organized crime and terrorists who fund their operations on stolen card information.

  2. Stephen

    This article fails to address a more serious issue. It’s not just the data on the front of the card that is compromised (such as what a waiter might copy down), it is the track data on the mag stripe. With this information copied and unencrypted, you can create an exact copy of someone’s credit or debit card (the equipment to do this is actually shockingly simple to obtain), know exactly what the cardholder’s PIN is, and clean out their bank account at an ATM within hours or days. This goes above and beyond someone simply buying stuff with your card number online. Such a transaction would be difficult if not impossible to dispute, as there would be no distinction between your card and the fake one that was used, as far as electronic security verification was concerned. Furthermore, if by some miracle a bank did somehow take your word for it that those ATM withdrawals were not yours and reversed the transactions in your favor, they would still be out a lot of money. The truth is, this is going to be extremely problematic for consumers and financial institutions if Square doesn’t issue a full recall. The damage control costs could be astronomical, making the infamous Heartland breach look like a Kwik-E-Mart robbery. VeriFone’s claims were not only accurate, they actually were too lenient on Square in that they didn’t address the more serious security issue involved here: the difference between visible card data and magnetic strip track data. Square allows for it all to be easily captured under the guise of legitimacy, apparently with an app that was created in less than an hour.

    • I am not an expert on credit card magstripes, but, if your PIN number is encoded on your magnetic stripe, how can your bank reset it without issuing you a new card? Answer: The PIN is not in the magstripe.

      The data that is on the magstripe is not encrypted. If it was, everything that accepts credit cards would need a decryption mechanism — which means hackers would just buy a terminal and tear it apart until they found the decryption key.

      All you have to do is search the Internet and you can find a bazillion credit card readers available for you to buy. There are even directions on building your own.

      The magstripe is not some magical secret data vault — it’s clear text of your account number, your name, the expiration date, and the CVV code along with various checksums and data bits (That’s how the terminal tells if you are using a debit card or a credit card. Credit cards won’t prompt you for a PIN at the grocery. Debit cards do. That’s a function of a data bit in the magstripe).

      The threat from Square is that they give away the hardware and software that VeriFone has built their business on and sustain themselves just on processing fees. VeriFone is just attacking a competitor who is intruding on their business model. It’s not the first time the dominant force in a market has used FUD to scare people from their competitors. It won’t be the last.

  3. @tkanet

    Payment is a very serious business, where not everyone is welcome, simply because handling others’ funds and transactions is a huge responsibility that not every web startup is prepared to handle. That’s a fact.
    But all these threats about security, skimmers, regulations… have been the only way most industry players have found to lock the market and avoid competition. That is also another fact.
    Not sure what will be the final outcome of this story… and how final users will take it, but innovating (at least in the future) is the safest way to maintain market share and avoid being disrupted! Some, probably many, will face the sad days of disruption… that is a guaranteed fact.