Are the security concerns over Square's mobile payment device valid?

Some experts say that additional scrutiny is warranted

By Steven Bryan

Consumers continue to demonstrate their love for mobile banking and shopping, transferring funds and buying goods with smart phones or other hand-held devices. Square, a new player in the mobile payment industry, has caused a stir with a new mobile device that allows anyone, not just merchants, to accept credit card payments on an iPhone, Android or iPad.

After plugging in this device and downloading the accompanying application, Square's validated clients can accept credit card payments from anyone -- even friends who just want to pay back a debt using plastic. Square requires that all clients have a United States-based bank account, valid street address and social security number. Credit card payments are then credited to the client's bank account, minus any processing fees charged by Square.

For Square and its clients, this payment method seems like a potential cash cow, allowing flea market vendors and bake sale organizers to accept plastic instead of cash. Stadium vendors and flight attendants already carry mobile card readers, and Square is tapping into this lucrative market. The company appears to make the whole process incredibly easy to use and maintain, even offering options to track cash payments as well.

But VeriFone, an established voice in the mobile payment industry, has raised concerns about Square's security methods -- specifically, their lack of confidential cardholder data encryption. In an open letter to businesses, VeriFone said that a skilled programmer could easily write a data-capturing application for the Square device. The company even tested the theory using their own in-house application -- drawing fire from critics who accused Verifone of hypocrisy. Verifone released the results of the experiment through a YouTube video on its website.

VeriFone's experiment on the Square device highlighted the ongoing problem of "skimming," a process where thieves capture credit card information for their own use or resale. Skimming victims may see unrecognized gift card purchases on their statements or receive calls from their bank's fraud security center. Issuing banks typically issue refunds to skimming victims, asking them to sign affidavits confirming that they were not responsible for a purchase or withdrawal.

Square fired back at VeriFone's letter and video, arguing that any credit card reader or process is vulnerable to abuse and fraud. Merchants who take phone orders, for instance, may write down the essential customer information on a pad of paper, which can be misused later. Credit card readers at gas stations also have been an attractive target for skimming experts.

So is VeriFone's argument against Square fair -- or is it just sour grapes about a competitor? VeriFone raises some valid points, say experts, especially about encrypted client data. The PCI Security Standards Council (PCI SSC), which keeps banks and vendors informed about the latest credit card security standards, consistently reinforces the need for encrypting data. If Square's mobile application is not encrypting this data at the point of sale, that seems like a point of failure; but their official website does carry a ‘PCI compliant' shield.

Square's plug-in module and downloadable application also allow clients to bypass the need for a merchant account; but some experts say this raises security questions as well. Online vendors apply for merchant accounts, as do brick-and-mortar operations, which require an application process and approval. The merchant account application process is like applying for a line of credit, setting limits on the average transaction. If a purchase or debit is disputed, the bank processes a chargeback to the merchant account. But if funds aren't available to cover the amount, the bank is responsible for the balance.

Like an issuing bank, Square seems to be assuming the risk for chargebacks; but it isn't clear if the account holder will incur overdraft fees if they don't have enough funds in the bank account linked to Square. This new player in mobile payment systems has come up with an innovative process that could make anyone seem like a merchant; but observers say that VeriFone's concerns are valid enough to warrant additional investigation and scrutiny.

Article by Steven Bryan

See related: Square mobile payment tool now available for iPhone; How wireless merchant accounts work

Published: March 29, 2011