Square Rift with VeriFone Reflects Standards Issue

The ongoing fight between Square Inc. and its rival VeriFone Systems Inc. around payment security highlights the lack of common technical standards for mobile acceptance devices.

Although terminal makers like VeriFone and card processors such as Heartland Payment Systems Inc. have been pushing new encryption services to merchants, hardware manufacturers and other processors, there are no uniform criteria against which to evaluate such services.

Even the PCI Security Standards Council, a consortium formed by the four payment card networks that manages security requirements, is holding off on certifying mobile payment applications under existing requirements.

"No one really understands the mobile environment," said Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc. "There's so many different mobile devices. There's so many operating systems. For someone to be … certified on mobile means they have to come up with a standard that works on probably 20 mobile operating systems."

On Wednesday VeriFone attacked Square, arguing that the startup's mobile card reader is insecure because it lacks encryption and can thus be adapted into a card-skimming device. In a letter posted on a website VeriFone created, Chief Executive Douglas G. Bergeron called on Square to recall its devices.

The website includes a video that demonstrates how VeriFone was able to use Square's device to store card numbers. It also includes a link to buy VeriFone's competing device.

Payments analysts agree security should be top of mind for companies like Square, but many suggested it is bad form to disparage a rival's product for lacking encryption software.

Litan said the amount of fraud that could occur as a result of merchants tampering with mobile card readers is small in comparison to the overall retail market.

"It's going to be years before we see these mobile devices having any critical mass using this type of technology," Litan said. "This is for mom-and-pop shops."

James Van Dyke, the president of Javelin Strategy and Research in Pleasanton, Calif., said that "rather than calling on Square to stop, like VeriFone did, I would instead say, 'Hey, Square … be as much of an innovator in security as you are in payments innovation.'"

VeriFone, of San Jose, Calif., is a leader in "point-to-point" encryption, Van Dyke said, but "the problem is that doesn't come about overnight."

It is unreasonable to demand encryption as a condition of being in business in mobile payments, Van Dyke added.

In January, the PCI Security Standards Council said in a statement that in most cases it would not certify new mobile payments applications under its requirements "until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape."

Bob Russo, the council's general manager, said in an e-mail provided by a spokesman that the "rapid development and deployment" of "new and innovative mobile payment technologies has brought a level of complexity to the industry never seen before and has introduced a new set of risks and threats that may affect the security of cardholder data."

As part of its decision, the council also delisted the handful of applications it certified, including VeriFone's PAYware Mobile application, which competes against Square's device.

Paul Rasori, the senior vice president of marketing for VeriFone, said in an interview Thursday that a lack of common standards, whether specific to encryption services or to mobile software apps, does not preclude companies from including protections in their devices.

VeriFone's PAYware product encrypts cardholder data at the time a card is swiped with the mobile card reader to prevent that data from being intercepted by any rogue applications that may reside on a merchant's mobile phone.

"In the absence of a standard or mandate, common sense needs to prevail," Rasori said. "It's extremely logical that the more security layers that you can put in, the better off you're going to be. The industry itself is heading in the direction of end-to-end encryption. That's been something VeriFone has been evangelizing now for the better part of four years."

Products like PAYware and Square should include encryption because of the inherent risks associated with mobile devices, Rasori said, arguing that security threats are higher on mobile devices.

"Because we have such a global view and we see to what extent criminals go to hack systems, our reaction to what Square is doing is maybe enhanced because this is going to be so simple," Rasori said. "The amount of money that criminals spend to put a card skimmer into a gas pump or put a card skimmer into an ATM … we know from experience they are always looking for the lowest-hanging fruit. When we see a company claiming [to have] hundreds of thousands of [users of] uncontrolled card-reading devices … that is a perfect storm" for problems.

Square, of San Francisco, did not make an executive available for an interview on Thursday. In a letter posted on Square's website Wednesday night, CEO Jack Dorsey defended the company and called VeriFone's accusations inaccurate and unfair.

Dorsey said any technology, including "an encrypted card reader, phone camera or plain old pen and paper," can be used to steal information.

"If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card," Dorsey wrote.

Dorsey added that Square's processor, JPMorgan Chase & Co., "continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader."
