Lack Of Standards Could Bring Risk To Mobile Payments

ISOs and agents are continuing to offer processing services for mobile acceptance devices despite the risk some say might arise from a lack of technical standards.

The ongoing fight between Square Inc. and rival VeriFone Systems Inc. highlights those fears, some observers say.

Although terminal makers such as VeriFone and card processors such as Heartland Payment Systems Inc. have been pushing new encryption services to merchants, hardware manufacturers and other processors, there is no uniform standard against which such services can be evaluated.

Even the PCI Security Standards Council, a consortium formed by the four payment card networks that manages security requirements, is holding off on certifying mobile payment applications under existing requirements.

“No one really understands the mobile environment,” says Avivah Litan, a vice president and analyst at the research firm Gartner Inc. “There’s so many different mobile devices. There’s so many operating systems. For someone to be … certified on mobile means they have to come up with a standard that works on probably 20 mobile operating systems.”

VeriFone says the lack of common standards should not be an impediment to selling secure products to merchants and consumers.

The San Jose, Calif.-based terminal maker on March 9 attacked Square, arguing that the San Francisco-based startup’s mobile card reader is insecure because it lacks encryption and thus can be adapted into a card-skimming device. In a letter posted on a website VeriFone created, Chief Executive Douglas G. Bergeron called for Square to recall its devices.

Square did not make an executive available for an interview on March 10. In a letter posted on Square’s website Wednesday night, CEO Jack Dorsey defended the company and called VeriFone’s accusations inaccurate and unfair.

Any technology, including “an encrypted card reader, phone camera or plain old pen and paper,” can be used to steal information, Dorsey said. “If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card,” he wrote.

Square’s processor, JPMorgan Chase & Co., “continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader,” Dorsey added.

Payments analysts agree security should be top of mind for companies such as Square, but many question whether attacking a rival’s product for lacking encryption software is fair.

Litan says the amount of fraud that could occur as a result of merchants tampering with mobile card readers is small in comparison to the overall retail market.

“It’s going to be years before we see these mobile devices having any critical mass using this type of technology,” Litan says. “This is for mom-and-pop shops.”

James Van Dyke, president of Javelin Strategy and Research in Pleasanton, Calif., says that “rather than calling on Square to stop, like VeriFone did, I would instead say, ‘Hey, Square … be as much of an innovator in security as you are in payments innovation.’ ”

VeriFone is a leader in “point-to-point” encryption, Van Dyke says, but “the problem is that doesn’t come about overnight.”

It is unreasonable to demand encryption as a condition of being in business in mobile payments, Van Dyke added.

In January, the PCI Security Standards Council announced that in most cases it would not certify new mobile payments applications under its requirements “until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape,” the organization says in a statement.

Bob Russo, the general manager of the council, said in an e-mail provided by a spokesperson that the “rapid development and deployment” of “new and innovative mobile-payment technologies has brought a level of complexity to the industry never seen before and has introduced a new set of risks and threats that may affect the security of cardholder data.”

As part of its decision, the council also de-listed the handful of applications it certified, including VeriFone’s PAYware Mobile application, which competes against Square’s device.

Paul Rasori, VeriFone senior vice president of marketing, said in an interview March 10 that a lack of common standards, whether specific to encryption services or to mobile software apps, does not preclude companies from building protections into their devices.

VeriFone’s PAYware product encrypts cardholder data at the time a card is swiped with the mobile card reader to prevent that data from being intercepted by any rogue applications that may reside on a merchant’s mobile phone.
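To make the two reader designs the article contrasts concrete (a reader that hands the phone raw track data versus one that encrypts at the moment of the swipe, as PAYware is described as doing), here is an added simulation that is not code from either vendor; the sample track data, the reader key and the HMAC-based cipher standing in for a real reader’s AES hardware are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample track-2 data (a well-known test PAN, not a real card).
SAMPLE_TRACK2 = b"4111111111111111=2512101123456789"
PAN = b"4111111111111111"

def _derive(reader_key, label):
    # Separate encryption and MAC keys from the key injected into the reader.
    return hmac.new(reader_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: a dependency-free stand-in for the
    # AES (e.g. DUKPT) hardware a real encrypting reader would use.
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]

def plain_reader_swipe(track):
    """Unencrypted reader: hands the phone the raw track data."""
    return track

def encrypting_reader_swipe(track, reader_key):
    """Encrypt-at-swipe reader: the phone only ever receives nonce||ct||tag."""
    nonce = os.urandom(12)
    ks = _keystream(_derive(reader_key, b"enc"), nonce, len(track))
    ct = bytes(a ^ b for a, b in zip(track, ks))
    tag = hmac.new(_derive(reader_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def phone_sees_pan(reader_output):
    """Whether any app on the merchant's phone could read the PAN from the reader output."""
    return PAN in reader_output

def processor_decrypt(blob, reader_key):
    """Processor, which holds the reader key, verifies the tag and only then decrypts."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_derive(reader_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("reader output was tampered with or forged")
    ks = _keystream(_derive(reader_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

if __name__ == "__main__":
    key = os.urandom(32)
    blob = encrypting_reader_swipe(SAMPLE_TRACK2, key)
    print(phone_sees_pan(plain_reader_swipe(SAMPLE_TRACK2)), phone_sees_pan(blob))
```

The point the article makes follows directly: with the first design every app on the phone handles the PAN, while with the second only the processor holding the reader key can recover it, and any modification of the reader output is rejected.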

“In the absence of a standard or mandate, common sense needs to prevail,” Rasori says. “It’s extremely logical that the more security layers that you can put in the better off you’re going to be. The industry itself is heading in the direction of end-to-end encryption. That’s been something VeriFone has been evangelizing now for the better part of four years.”

Products like PAYware and Square should include encryption because of the inherent risks associated with mobile devices, Rasori says, arguing that security threats are higher on mobile devices.

“Because we have such a global view and we see to what extent criminals go to hack systems, our reaction to what Square is doing is maybe enhanced because this is going to be so simple,” Rasori says. “The amount of money that criminals spend to put a card skimmer into a gas pump or put a card skimmer into an ATM or put key loggers in PCI [certified] point-of-sale devices … we know from experience they are always looking for the lowest hanging fruit. When we see a company claiming [to have] hundreds of thousands of [users of] uncontrolled card reading devices, … that is a perfect storm” for problems.

 

