March 10, 2011
VeriFone Systems Inc. fired a blast at rival mobile-payments provider Square Inc. on Wednesday and sustained some powder burns in the process, but the leading U.S. point-of-sale terminal maker nonetheless may have brought some legitimate concerns about Square’s security into the open, according to at least one analyst.
By Thursday, the jousting between the competing companies had left Square in a defensive crouch over its product and VeriFone pulling down a demo it had posted to show an alleged security hole in Square’s reader technology.
The fireworks started when VeriFone, provider of the PAYware Mobile payment system that competes with Square, issued what it called “An Open Letter to the Industry and Consumers” online and via e-mail. The letter from chief executive Douglas G. Bergeron, never one to refrain from blunt attacks on competitors, said “any reasonably skilled programmer” could skim, or steal, card data from Square’s cube-shaped fob that plugs into smart phones and enables small merchants with Square accounts to accept general-purpose cards.
“How do we know? We did it,” Bergeron wrote. “Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”
The letter, at the Web address www.sq-skim.com, includes a link to a “VeriFone Consumer Alert” video featuring Bergeron explaining his findings. He called on Square to “recall these card-skimming devices from the market.” Bergeron said VeriFone was making its skimming application available to the major card networks and to Square’s processor, JPMorgan Chase & Co., to analyze.
But things didn’t go quite according to plan. For a while, viewers could download a demo skimming application from the sq-skim site, but VeriFone pulled it Wednesday afternoon, posting this explanation:
“It became evident that some observers were coming to the conclusion that VeriFone had made available an actual skimming app, which was not the case. The app we made publicly available was a demonstration app that showed an ability to read data from a Square device, but did not actually display or capture sensitive card data. However, in order to curtail further confusion, we have removed the demo app. The video is self-explanatory.”
A spokesperson for San Jose, Calif.-based VeriFone tells Digital Transactions News that VeriFone created two applications: the demo and a live one that can indeed skim Square’s hardware. “We would never release that publicly,” he says of the latter. Asked if VeriFone’s attack had backfired, the spokesperson says, “the blogs have been a-blazing,” but he adds, “I am not going to get into a debate on tactics. The issue is card security.”
One blogger was Celent LLC senior analyst Jacob Jegher, whose post about the dispute is headlined, “VeriFone Delivers Low Blow to Square.” Jegher said Square’s “or any other reader for that matter can be comprised,” and he added that, “Square’s lack of encryption needs to be addressed immediately.” But he questioned VeriFone’s tactics, saying that if its offerings are more secure, “there are more appropriate ways to communicate this.”
San Francisco-based Square issued a statement from chief executive Jack Dorsey that said VeriFone’s “is not a fair or accurate claim and it overlooks all of the protections already built into your credit card. Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to ‘skim’ or copy numbers from a credit card.” The statement further said that Chase “continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or e-mail receipt delivered from our secure squareup.com server after every transaction.”
But VeriFone, despite its clear lack of neutrality, has cast light on what IDC Financial Insights analyst Aaron McPherson calls a mindset by some in computing and related industries that they can easily get into the payments industry, which he says is highly complex. “Not impressed by the outrage from the ‘digerati’ over @VeriFone calling out @square on security - they already proved they don’t get it,” he wrote on Twitter.
“If you do a search for Square on Twitter, what you’ll see is that most of the people coming to Square’s defense do not have a background in payments,” McPherson tells Digital Transactions News. “I think what VeriFone is pointing out is that a company that is trying to be an insurgent, there’s a certain arrogance that payments isn’t that hard.”
Dorsey co-founded Twitter and is a genuine Internet superstar. His move to Square in the past year has caused many Silicon Valley bloggers and computer-industry journalists to pay more attention to electronic payments. Dorsey recently reported that Square is processing more than $1 million in payments daily. But McPherson says Square has never publicly explained very well how its unconventional payment-processing system works, and he, like Jegher, criticized Square’s reader for lack of encryption.
“I don’t think VeriFone cares if a bunch of tech bloggers are mad at them,” he says. “I think in the end the distribution muscle of VeriFone and Intuit is just going to crush these guys.” Intuit Inc., which like VeriFone has been in the payments business for years, offers yet another mobile-payment service called GoPayment.
Spokespersons for Chase did not respond to Digital Transactions News’ requests for comment.
SPECIAL FEATURERead Digital Transactions Online