March 10, 2011

Yesterday, the CEOs of card reader rivals VeriFone and Square engaged in a duel of open letters, fighting over how secure Square's mobile card reader is. One could argue that both sides lost in this public relations fiasco.

VeriFone CEO Douglas Bergeron threw down the gauntlet in an open letter attacking Square, saying its small device, which plugs into iPhones and acts as a mobile card reader, can be easily turned into a skimming device. "In less than an hour, any reasonably skilled programmer can write an application that will 'skim' -- or steal -- a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader," Bergeron wrote. He said his company's programmers did just that and posted a video demo of their app in action for all to see.

This is a low road for a vendor to take -- to not only knock a competitor but to actually write malicious code to harm it and then publicly announce that fact. We were tempted to ignore this whole flap, and yet the allegations were serious enough to warrant a closer look. Do emerging payment devices like Square's present a major security threat to consumers and card issuers?

Bergeron's main contention is that Square's hardware doesn't encrypt consumers' data at the point of transaction, "creating a window for criminals to turn the device into a skimming machine in a matter of minutes."

Square CEO Jack Dorsey responded with his own open letter. "Today one of our competitors alleged that the Square card reader is insecure," he wrote. "This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card."

Dorsey countered that any technology -- an encrypted card reader, phone camera, or plain old pen and paper -- can be used to "skim" or copy numbers from a credit card. "If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card," he wrote.

He noted that banks monitor card transactions for signs of fraud and call cardholders when they're alerted to suspicious transactions. "Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader," he wrote. "And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure server after every transaction."

To my thinking, this is not a watertight response, because Dorsey did not explain why Square does not provide hardware encryption the way some of its competitors do. It suggests an over-dependence on banks' fraud monitoring software. It also doesn't seem to comply with the PCI Council's data security standards, which require cardholder data to be protected at all times. This is a conversation about mobile payment security that I think will continue for a long time.