In March 2011, the CEO of VeriFone launched a bold assault -- some might call it a smear campaign -- against his company's competitor, Square. Both companies sell devices and services that allow individuals to take credit card payments from others through a smartphone. VeriFone's Douglas Bergeron claimed that the Square reader was not encrypting credit card information before transmitting it to the smartphone. In essence, claimed Bergeron, the Square device, which was being given away for free with the service, put credit card information into the hands of skimmers. All a hacker had to do, he argued, was develop an application that would receive the unencrypted data, scan your card and then use the information to make fraudulent purchases.
Whether this attack was legitimate is a matter of debate. Square claimed to have met the Payment Card Industry Data Security Standard (PCI-DSS), which is a set of criteria designed to protect cardholder data. But some say these criteria aren't enough to protect consumers and that they need significant improvement.
In fact, when Jack Dorsey, the CEO of Square, responded, he didn't dispute the claim about encryption, but rather argued that card information is already insecure. It doesn't take designing a special application, for instance, for a waiter to copy down card information when he walks away to run your card at a restaurant. Dorsey also pointed out that cards have additional protections built into them, and that financial organizations don't hold consumers responsible for fraudulent charges [source: Rao]. Despite Dorsey's defense of Square, his company soon after announced plans to add an encryption feature to its reader. But when the CEO of ROAMData chimed in, he pointed out that both consumers and merchants deal with hassles and extra costs thanks to rampant card fraud [source: Graylin]. And the CEO of MagTek weighed in as well, arguing that without an authentication mechanism, both Square's and VeriFone's products lacked adequate security features [source: Hart].
Security is a legitimate concern for consumers and merchants. But the problem runs deeper than mobile readers. The founder of security consulting firm iSEC Partners, Alex Stamos, says the problem really comes down to outdated magstripe credit card technology [source: Moscaritolo].
- Bergeron, Douglas G. "An Open Letter to the Industry and Consumers." VeriFone. (Oct. 7, 2011) http://sq-skim.com/
- Graylin, Will Wang. "ROAM Data CEO Responds to VeriFone's Open Letter about Square." PYMNTS.com. April 4, 2011. (Oct. 7, 2011) http://pymnts.com/roam-data-ceo-responds-to-verifone-s-open-letter-about-square/
- Hart, Annmarie D. "An Open Letter to The Payment Industry." MagTek.com. (Oct. 7, 2011) http://www.magtek.com/V2/an-open-letter-to-the-payment-industry/
- Honig, Zach. "Square to Add Encryption to Mobile Card Reader, Skimmers Put on Notice." Engadget. April 29, 2011. (Oct. 7, 2011) http://www.engadget.com/2011/04/29/square-to-add-encryption-to-mobile-card-reader-skimmers-put-on/
- Moscaritolo, Angela. "VeriFone, Square at Odds Over Refuted Security Flaw." SC Magazine. March 10, 2011. (Oct. 7, 2011) http://www.scmagazineus.com/verifone-square-at-odds-over-refuted-security-flaw/article/198100/
- Rao, Leena. "Security Hole Allegation 'Is Not a Fair or Accurate Claim.'" TechCrunch. March 9, 2011. (Oct. 7, 2011) http://techcrunch.com/2011/03/09/squares-jack-dorsey-verifones-security-hole-allegation-is-not-a-fair-or-accurate-claim/