Square readers still unencrypted

The credit card readers sent by mobile POS company Square to its merchants are still unencrypted despite last spring's assurances from the company that the dongles would be encrypted by the summer. The dongles are the small devices that turn a merchant's smartphone into a mobile point of sale terminal.

The unsecured dongle debate

Square's promise came at the end of the back-and-forth battle between it and VeriFone over security concerns regarding the readers. The two companies traded open letters (and a video from VeriFone) with both sides claiming the security high ground.

At the time, VeriFone CEO Doug Bergeron said Square's unencrypted reader, which reads credit card data into the Square application without hiding the information, makes credit card skimming easier, and he called on Square to recall its product.

As a part of its efforts, VeriFone went so far as to create a fake "Square-like" application to show how a criminal could easily steal credit card data using the device. (It later took down the site with the application.)

VeriFone contended that sending out thousands of unencrypted credit card readers to anyone who signed up online (Square was reporting 100,000 new accounts a month at the time) was a bad idea and called on Square to recall its readers until it could encrypt them.

Square quickly responded by saying its systems were secure and its readers provided no more of a threat than any other transaction involving a consumer handing a credit card over to a stranger.

Square agrees to encrypt

Then in April, approximately a month after the VeriFone/Square dust-up, Visa released a set of mobile acceptance best practices. Among those best practices, Visa called on point of sale vendors to "(e)ncrypt all account data including at the card-reader level," meaning Square's unencrypted readers did not meet Visa's best practices. The call for card-reader level encryption seemingly vindicated VeriFone's concerns.

On the same day Visa released its best practices, Square announced it had received a strategic investment from Visa. Though the amount was not divulged, reports at the time put the amount in the low seven figures.

Square COO Keith Rabois blogged on Visa's Global Security Summit site, an event that was taking place at the time, that Square would comply with all of Visa's best practices.

"The adoption of best practices will help increase trust in innovative payment solutions," Rabois wrote in the post. "Of course, Square complies with all current industry standards, and we are committed to meeting or exceeding industry guidelines as they evolve."

Visa's Chief Enterprise Security Risk Officer Ellen Richey also posted that day on the Security Summit blog restating Square's assurance it would comply with Visa's best practices.

"We are pleased that Square, the Jack Dorsey start-up that enables small businesses to accept card payments through mobile devices, has expressed its support of Visa’s best practices and its intent to adopt them," Richey wrote in her post.

Richey went on to say, "(a)t the Visa Security Summit that we are hosting in Washington, DC today, Square executive Sam Quigley said in response to a question about their future plans that Square would have 'encryption at the read head this summer.'"

Still waiting

Now summer has come and gone, and Square has yet to introduce new encrypted readers.

What's more, Square's readers are now available not only online through Square's site, but also through retailers like Apple and Radio Shack.

When asked about providing encrypted readers, a spokeswoman for Square responded by email saying the company is not aware of any security issues for merchants that have used the Square device.

The spokeswoman added,

"(W)e are always working on ways to improve both our hardware and software and continually release updates for our users to ensure the best experience using our products. Any future hardware updates (such as an excrypted [sic] reader) would be available both from our website as well as retail locations where Square is sold. All software updates are available direct to download."

Square says it already provides sophisticated security measures to protect its merchants. The measures include tracking a mobile device's location and usage patterns to detect potential fraud. In his post in April, Rabois said of Square's security, "We have also pioneered the use of mobile device authentication, location information, biometrics, and visualization to fight fraud and protect consumers." (Square provides a list of some of its merchant security policies on its site.)

Square's response, however, does not address the original issue raised by VeriFone and covered in Visa's mobile acceptance best practices: that unencrypted readers pose a potential threat to consumers not through legitimate merchants, but through fraudsters misusing them to swipe and steal card data.

The spokeswoman did not reply to questions about when Square will release encrypted readers to new and existing Square merchants.
