Why Square Has the Credit Card Industry on the Run

29 Comments

VeriFone’s new “open letter” scare campaign proves that Square is going to for to the credit card industry what Apple (s aapl) has done for mobile computing — make cutting edge technology simple and accessible. Square allows iPhone owners to accept credit cards without monthly fees and contracts, and threatens the the entire credit card processing industry. I’m part of that threat as a small business owner and Square user, and apparently someone to be feared.

When I started my computer repair business eight years ago, I learned about the complex world of “merchant processing.” Unlike the simplicity of cash or checks, credit cards pass through a variety of gateways and processors that sit between the customer’s bank and the merchant’s bank, and carry a complex set of fees and procedures that limit a merchant’s ability to accept credit cards.

When I researched processing for my business, salespeople wouldn’t quote exact fees. They wanted to see my last statement first, but they always promised they’ll somehow save me money. They also required a credit check when applying. It felt like a used car salesperson looking at my bank statement before telling me how much the car costs. I had little choice but to just accept it as industry norm and sign the multi-year contract with a stiff early termination fee. Fees varied on each transaction depending on various unpredictable factors. This is why many businesses have minimums for transactions or give a cash discount.

This is still generally how the industry works. I even tried Intuit’s iPhone solution and found out that while I didn’t have a contract, my fees varied wildly from what was quoted and from what others were charged. Then I found Square, and I’ve been delighted every since. Simple statements and the exact same fee regardless of credit card type or issuer. No monthly fees either. I fell in love with my iPhone all over again, and customers loved how quickly and easily we as a business accepted credit cards.

Like VeriFone states, “anyone” can get a Square reader — as if this were a bad thing! VeriFone’s concern isn’t about protecting customers, but rather about protecting VeriFone’s business model. Square’s system is actually more secure since the GPS location of the transaction is captured by Square. VeriFone’s wild claim that providing free hardware somehow increases risk to consumers is incredulous. VeriFone believes that somehow consumers would be tricked by a rogue application using Square’s free reader as a skimmer? There’s already a skimmer built into the iPhone: the camera!

Verifone hasn’t explained how Square’s free reader is more dangerous than situations in which you hand your credit card to a complete stranger and they leave your view, such as in restaurants. In fact, if you believe VeriFone’s fear-mongering, I implore you to follow your server (whom probably didn’t have a credit check done on them) to the pay station at your favorite restaurant and demand that you personally inspect the credit card terminal and verify that in fact a skimmer is not attached, and rogue applications aren’t installed. Let us know in the comments how that works out for you.

In reality, VeriFone’s “open letter” is a de facto endorsement of the democratization of credit card processing being led by Square. It proves that with Square’s business model, the multilevel and multi-fee structure of the majority of current credit card transactions is the real thing that’s being threatened, not the security of the consumer.

29 Comments

candice

i have a question. i have a small business and only once or twice a month am doing credit card transactions. for the last several years i have used a terminal, but recently switched to square. it seems pretty legit, and have used and am happy with it, so i called to cancel my business with my termal so that i wouldn’t have to pay the annual PCI fees and have the convience of taking my square with me. immediatly after cancelling – the company is calling me telling me that i will be paying PCI compliance fees no matter what. is that true? i can’t find anything telling me that is so…

Phillip Parker

Square really is great, but I wouldn’t say that it’s the right solution for every business owner. High volume merchants are going to pay about 1% more per transaction than if they were under a traditional merchant account, considering that they managed to get a good rate in the first place. Square is great for new business start-ups, people that need occasional mobile processing, and businesses that do less that $8-$10K per month in sales.

I definitely agree that they have done the right thing by simplifying credit card processing, and I would like to see more providers move in that direction.

Great post!

Ryan

Dave, the real problem with Square is going to be malware on the phone. While the data may be encrypted going from the phone to the gateway, I haven’t heard whether it is encrypted going from the reader to the Square app on the phone. It would be trivial for hidden malware on an Android phone (as an example) to read the card swipe. As a consumer, hearing about these kinds of examples would stop me from handing my credit card over to some vendor plugged into a mobile phone. A few bad examples in the press of this happening will kill the whole category.

Dave Greenbaum

That is a very legitimate argument. The “original” argument is that Square’s lack of encryption could allow a rogue app to be created and thus a criminal steal credit card info. That argument was not compelling to me because you should know whom you are handing your card to and a criminal could easily copy the info manually from your card if they wanted.

However, malware is clearly more possible on the Android platform. Could a trojan horse be written that intercepts the Square info between the app and the reader. That’s a legitimate concern that I hadn’t thought of.

As a consumer and an IT person I don’t worry about this particular issue because I see so many risks on a daily basis. POS systems with out of date security software, employees that write down credit card numbers, etc.

If Verifone would have used your argument about malware intercepting the data rather than complaining “anyone” can get a reader and develop a rogue app, this story would have a much different outcome.

Thanks for your comment and giving me a new perspective on this

Wayne

I think this is more of a concern if your iPhone has been jailbroken. At that point it’s much more difficult to vouch that your iPhone does not have rogue software on it.

Nasreen Quibria

I would echo Bob Egan’s comments. Also, to clarify, the 30-60 day cycle is for deposits above $1,000 per week.

As I attempted to post before, the author provides a thoughtful piece. I believe the recent backlash on Square is eerily reminiscent of when contactless cards – RFID chip built in to plastic enabling account information to be transmitted wirelessly – were first introduced in the U.S. market. University of Massachusetts Amherst (UMass) Professor, Kevin Fu demonstrated its vulnerabilities, skimming card numbers, expiration dates and cardholders’ names in a lab experiment. It lead to media uproar, sparked concerns of ID theft, even Senator Schumer U.S. Senator Charles Schumer (D-NY) stepped in, announcing his intent to increase federal regulation of RFID-enabled credit cards. Where did it all lead? …To stronger privacy and security mechanisms built into the cards, as well as better education by the industry (contactless cards are actually more secure than mag stripe cards). I predict we will see the same trend with Square, which will evolve into a more secure payment instrument.

pk de cville

iPhone 5 is believed to include an NFC chip (credit card wave action).

I, for one, hope Apple buys or partners w/ a commercial bank to creatively attack the Visa/MasterCard/AmEx triopoly.

I think Apple would charge reasonable and fair interest rates and eliminate much of the dastardly business of penalty fees.

Andrew

So far, seems like Apple is content to charge 30% for app developers and content providers… so I’m not so sure about the elimination of much of dastardly business…

Ed

Dave , your comments sound like a PR man for Square. People have real concerns about security and don’t need that kind of brush off.

Dave Greenbaum

Credit card concerns I agree are real, but they aren’t about one type of reader. You should always be concerned about whom you hand your credit card to

Staci Klinger Smith

@Kristie Roeder I just found this. The credit card companies can’t compete with the square’s lack of fee’s and low 2.75% on transactions and no transaction fee if you swipe a card. Anyone who uses a credit card online is at risk of it being hacked, no matter what.

ram

I knew of Square previously, but didn’t sign up until I read VeriFone’s FUD release.

Now, I’m Squared up with an account, and am eagerly awaiting for my reader to arrive.

Thanks, VeriFone!

phraeza

Sort that first paragraph out will you? So many mistakes it put me off even reading the article.

David V.

Or perhaps better, “not credible” or “not the least bit credible”.

Levi

Just heard today from the Buy Local’s chapter in the town I live in. Last week I proposed an education campaign to make sure people (students especially in this town) should keep cash on them and use cash when purchasing for under $5 from local stores. What really pushed me to take action was people paying for $1-$2 coffees in local coffeeshops. I want those profits to go to the local community and not to some huge national corporation. This is crucial for every community.

Never heard of Square but I already like them. Thanks VeriFone for the free advertisement. After reading both original statements I also have to conclude that the sleazy bastards over at VeriFone should go to hell.

And yes, most effective skimming devices include pens, cameras and human memory. Whoever wastes their time to develop more complex technologies to do this is a complete idiot (as demonstrated).

JohnMichael

>Square is going to for to the credit card industry

Square is a gateway, not a processor. Therefore, the only “industry” they are truly affecting is the mobile device payments industry. I.E. VeriFone. Square still uses Chase ( a processor ) to process their transactions. And the rate is much higher than a standard swipe rate for non mobile devices.

While mobile processing fees might be reduced across the board, this isn’t going to affect the majority of brick and mortars we visit on a daily basis that use the standard devices.

Dave Greenbaum

For “brick and mortars” that do heavy credit card sales, Square isn’t for them. This is the reader “for the rest of us”–small businesses that want the occasional ability to do credit card transactions. A small biz doesn’t need to understand the difference between gateway and processor, just like a Mac user doesn’t need to understand what a .DLL or .INI file is.

John Michael

>A small biz doesn’t need to understand the difference between gateway and processor,

No, but you do if you want to claim, “Square Has the Credit Card Industry on the Run”

Quite clearly, Square has done nothing of the sort.

Bob Egan

One should realize that the higher fee’s (2.75%) and the long 30-60 cycle for a merchant to get their funds is a reflection of the risk that Chase (the acquirer) and Visa/MC (the processors) believe is inherently in the solution.

Look, as I have written, i admire Square for opening new merchant markets – and it seems that VISA et all do as well. But as innovators they should be doing things better, not worse. And an unencrypted dongle is below the industry standard.

Check here to see who’s apps and devices are PCI compliant – Note: Square is not.
https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

Dave Greenbaum

I’m not sure what 30-60 cycle you are referring to. I get my money usually the next day. Additionally the rate is the same with Discover, and Amex.

PCI compliance is interesting. I was required to fill out a PCI Compliance survey. It was $40 and asked me a series of questions. It validated nothing.

However, this strays from the original point that Square’s solution doesn’t pose any risk that isn’t already there.

Wayne

I wonder if Sony PSN and SOE are PCI compliant? I imagine they no longer are.

Ricky Price

The square looks pretty solid to me. The only problem I would have with the square is explaining to people that it is not a skimmer! About a third of my customer base varies between the ages of 45-70, and are extremely skeptical about credit card processing and how it is conducted.

I would have to speculate that my younger customer base has a better understanding of the current progression in technology, and therefore would be more accepting. Not to mention know what an IPhone is…

Dave Greenbaum

I’d be kinda surprised people in the 45-70 year old range hadn’t heard what an iPhone is. Everyone should be concerned about the security of credit card transactions. If you don’t trust the person you are doing business with, then you probably shouldn’t give them your credit card. Similarly, if you trust the person, one can assume that trust extends to their use of your credit card.

Since this story broke, I’ve looked at every credit card transaction I’ve done. Some were a nondescript black swipe box attached to the computer, one was indeed a verifone terminal, 3 transactions I couldn’t see because the credit card machine was out of customer view. I would have no way of knowing if they were a skimmer or not, especially the ones in which I didn’t actually see the terminal.

Javier Gracia

Sadly the author is too enamored to question the security missing in Square. Question should be why is Square the only company without encryption in their reader? Intuit, Roam, Magtek and Verifone all have it for a reason. They understand the risks. Form should follow function and the fact that Dorsey and Rabois are obsessed with their email template designs simply shows they still don’t get payments.

Dave Greenbaum

Actually, when I got my coffee this morning my credit card wouldn’t scan and a human manually typed my credit card number instead of scanning. Obviously between her eyes and fingers there wasn’t an encryption scheme. Or was there. Something you know the rest of us don’t? If true, and there was an encryption scheme at work by my barrista, then indeed Square is the *only* company without encryption in their reader. Otherwise…well, you get the picture (pun intended)

m2pc

I’m sure the encryption is done in the application before the data is sent out to the gateway via TCP/IP for processing. The actual “Square” device converts the magnetic data to an audio signal, just like a credit card reader does internally when converting the magnetic data to an analog signal, which is then digitized.

Andrew Macdonald

I absolutely love how simple and easy Square ‘looks’, but it has one major flaw. It only works in the US. Not only that, but when America updates their Credit Card system to be more secure like most of Europe – I.E. going to ‘Chip and Pin’, leaving behind the magnetic strip – Square is completely useless, as it has no ability to process these new cards.

Im guessing this is the exact reason Square hasn’t ventured outside of America yet, which is a real shame, as I have a need for a simple credit card processing facility, but due to a relatively poor credit history when I was much much younger, I can’t get accepted for a terminal. Apparently my flawless credit history for the last 8 years counts for zilch!

I hope Square can innovate and come up with a solution to the Chip and Pin system, but until it does, Ill keep on checking out their website in the hope that one day I can get a ‘Square’ of my own.

m2pc

The “chip and pin” technology is based on this open standard:
http://en.wikipedia.org/wiki/EMV#EMV_commands

For Square to be able to read these cards, they’d simply need to replace their magnetic card reading head with a smartcard reader. True, this would make the device larger, but it would not make the task impossible.

Square would then need to modify its software to be able to accept a PIN number entry by the customer at the time of purchase, similar to a customer paying via “debit” payment method.

BTW, the first link in the article is broken.

Comments are closed.