On Friday, March 9th, VeriFone CEO Doug Bergeron released a letter to the payment processing industry and to consumers everywhere describing a security glitch in the free card reader (dongle) distributed by industry p2p upstart Square. The company's free-wheeling mobile, person-to-person (p2p) payment processing solutions for smartphones, touted for small businesses and virtually anyone with a reason to accept payments for anything, are getting rave techie reviews.
Bergeron's letter points to troubling security flaws in the Square payment processing model and hardware:
- The lack of encryption of credit card data at the point of the card swipe (a PCI DSS standard that we credit card processing professionals and merchants everywhere are being held to by VISA and MasterCard). He went further and posted a YouTube video demonstrating the ease of writing an application for the phones that will steal/skim the card data (and did it in about an hour). The video has since been removed.
- There are minimal restrictions (any?) on individuals obtaining the Square reader device that attaches to your phone and the ability to process credit card payments through Square. Typical merchants who want to process credit cards via other methods or through other networks, such as VeriFone's, must undergo an underwriting process to qualify for a merchant account (the privilege of processing secure customer payments).
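As an added illustration of what "encryption at the point of swipe" changes for the app running on the phone (example code written for this page, not Square's, VeriFone's or XBS Global's): a merchant-side gate that recognizes clear-text ISO/IEC 7813 Track 2 data coming off a reader and refuses to handle it, while an encrypting reader hands the app only an opaque payload. Both sample reader outputs are constructed (the encrypted format is hypothetical), and the PAN is the public Visa test number.

```python
import re

# Constructed sample outputs from a card reader, NOT captured from any real device.
# A non-encrypting reader exposes clear ISO/IEC 7813 Track 2 data to the phone app.
PLAINTEXT_SWIPE = ";4111111111111111=25121011000012345678?"
# An encrypting reader hands the app only ciphertext plus key-serial info
# (hypothetical field layout; the PAN is never visible to the app).
ENCRYPTED_SWIPE = "KSN=FFFF9876543210E00001;DATA=3a9f0c77e1b24d6f8e5a1c0b9d7e6f5a"

# Track 2: start sentinel ';', PAN, separator '=', YYMM expiry, service code,
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_swipe(raw: str) -> str:
    """Return 'PLAINTEXT' if the reader exposed clear Track 2 data, else 'OPAQUE'."""
    m = TRACK2_RE.search(raw)
    if m and luhn_ok(m.group("pan")):
        return "PLAINTEXT"
    return "OPAQUE"


def accept_swipe(raw: str) -> dict:
    """Policy gate for a merchant app: never forward clear card data from the reader."""
    if classify_swipe(raw) == "PLAINTEXT":
        return {"accepted": False, "reason": "clear-text track data at point of swipe"}
    return {"accepted": True, "reason": "encrypted at swipe; PAN not visible to app"}


if __name__ == "__main__":
    for sample in (PLAINTEXT_SWIPE, ENCRYPTED_SWIPE):
        print(classify_swipe(sample), accept_swipe(sample))
```

The same Track 2 pattern plus Luhn check is what data-loss-prevention tooling uses to flag card data sitting in logs or memory, which is where a skimming app on an unencrypted reader would be reading it from.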
The Bergeron letter was greeted with strong cries of foul from an ethical standpoint, because VeriFone has a product that competes with Jack Dorsey's Square in the mobile payment processing game: VeriFone's PAYware Mobile.
It is hard to relate to wireless guru RCR Unplugged's reference to VeriFone as just an "established competitor" of Square. Uh, actually, founded in 1981, the worldwide company has earned a stalwart reputation in the manufacture of credit card processing terminals and software. VeriFone is a giant in the industry.
VeriFone could have handled the information with more public relations savvy, true, but we struggle with what some could consider Dorsey's flippant response that the inherent risks of credit card use are unavoidable. Step up to the plate! Payment professionals everywhere are appropriately fixated on PCI DSS and the protection of this private, sensitive data, something our customers have a right to expect. We are being held financially responsible. We'd much rather see Dorsey take a "we are working on it" and "it's a top priority" sort of approach. Should Square be any different? Any less accountable?
Consider that in 2010 consumer victims of credit card fraud sustained $5.5 billion in unreimbursable expenses (such as legal fees)! Industry professionals point to increasingly sophisticated security at large retailers resulting in more attacks on the smaller, less sophisticated targets; Square and VeriFone's PAYware have a target market that fits this trend. It is "the smaller merchants, that haven't really paid attention to security, that are apt to be the next big targets for card data thieves in particular", suggests First Data Corporation's John Barrett in the GSQ December 2010 edition, The State of Acquiring.
XBS Global continues to support meticulous and professional adherence to Payment Card Industry Data Security Standards for all those who want to participate and grow in the payment processing industry.