The credit card readers sent by mobile POS company Square to its merchants are still unencrypted despite last spring's assurances from the company that the dongles would be encrypted by the summer. The dongles are the small devices that turn a merchant's smartphone into a mobile point of sale terminal.
The unsecured dongle debate
Square's promise came at the end of the back-and-forth battle between it and VeriFone over security concerns regarding the readers. The two companies traded open letters (and a video from VeriFone) with both sides claiming the security high ground.
At the time, VeriFone CEO Doug Bergeron said Square's unencrypted reader, which reads credit card data into the Square application without hiding the information, makes credit card skimming easier and called on Square to recall its product.
As a part of its efforts, VeriFone went so far as to create a fake "Square-like" application to show how a criminal could easily steal credit card data using the device. (It later took down the site with the application.)
VeriFone contended that sending out thousands of unencrypted credit card readers to anyone who signed up online (Square was reporting 100,000 new accounts a month at the time) was a bad idea and called on Square to recall its readers until it could encrypt them.
Square quickly responded by saying its systems were secure and its readers provided no more of a threat than any other transaction involving a consumer handing a credit card over to a stranger.
Square agrees to encrypt
Then in April, approximately a month after the VeriFone/Square dust-up, Visa released a set of mobile acceptance best practices. Among those best practices, Visa called on point of sale vendors to "(e)ncrypt all account data including at the card-reader level," meaning Square's unencrypted readers did not meet Visa's best practices. The call for card-reader level encryption seemingly vindicated VeriFone's concerns.
On the same day Visa released its best practices, Square announced it had received a strategic investment from Visa. Though the amount was not divulged, reports at the time put the amount in the low seven figures.
Square COO Keith Rabois blogged on the site for Visa's Global Security Summit, an event that was taking place at the time, that Square would comply with all of Visa's best practices.
"The adoption of best practices will help increase trust in innovative payment solutions," Rabois wrote in the post. "Of course, Square complies with all current industry standards, and we are committed to meeting or exceeding industry guidelines as they evolve."
Visa's Chief Enterprise Security Risk Officer Ellen Richey also posted that day on the Security Summit blog restating Square's assurance it would comply with Visa's best practices.
"We are pleased that Square, the Jack Dorsey start-up that enables small businesses to accept card payments through mobile devices, has expressed its support of Visa’s best practices and its intent to adopt them," Richey wrote in her post.
Richey went on to say, "(a)t the Visa Security Summit that we are hosting in Washington, DC today, Square executive Sam Quigley said in response to a question about their future plans that Square would have 'encryption at the read head this summer.'"
Now summer has come and gone, and Square has yet to introduce new encrypted readers.
When asked about providing encrypted readers, a spokeswoman for Square responded by email saying the company is not aware of any security issues for merchants that have used the Square device.
The spokeswoman added,
"(W)e are always working on ways to improve both our hardware and software and continually release updates for our users to ensure the best experience using our products. Any future hardware updates (such as an excrypted [sic] reader) would be available both from our website as well as retail locations where Square is sold. All software updates are available direct to download."
Square says it already provides sophisticated security measures to protect its merchants. The measures include tracking a mobile device's location and usage patterns to detect potential fraud. In his post in April, Rabois said of Square's security, "We have also pioneered the use of mobile device authentication, location information, biometrics, and visualization to fight fraud and protect consumers." (Square provides a list of some of its merchant security policies on its site.)
Square's response, however, does not address the original issue brought up by VeriFone and covered in Visa's mobile acceptance best practices: unencrypted readers pose a potential threat to consumers not through legitimate merchants, but through fraudsters misusing them to swipe and steal card data.
The spokeswoman did not reply to questions about when Square will release encrypted readers to new and existing Square merchants.