March 09, 2011

VeriFone vs. Square: Much Exaggeration -- and Some Truth

Greetings. I woke up this morning to a pile of emails informing me of -- and asking me about -- the new "war" that has erupted between long-time credit card processor VeriFone, and very new, smartphone-dongle-based Square.

VeriFone really went nuclear today, with accusations and a video claiming that Square's free credit card reading device is a risky "credit card skimmer" that presents a clear and present danger to consumers.

In the video, VeriFone's CEO not only waves the consumer alarm flag, but announces that he's informed the major credit card companies of this risk, and he provides a quickie app to "demonstrate" the problem as well.

Most of the reactions from the tech community have been predictably harsh. Among these are suggestions that VeriFone is grossly exaggerating any potential problem, ignoring the many other ways that credit card information can be illicitly gathered (including the existence on the market of USB-based credit card readers and the like), is scared of competition from Square -- and so on.

All of these assertions would appear to be substantially correct.

However, there is an underlying truth to the key technical aspect of VeriFone's complaint, one that should not be ignored.

All else being equal, it is far better for a credit card data capture system to encrypt the associated data end to end, so that it is never "in the clear" in a user-accessible manner -- in contrast to the Square implementation, where the data can apparently be easily extracted in its unencrypted form.

That there are many other ways to illicitly capture this data, with or without card reading devices, is not the point. Credit card fraud is bad enough without adding another exploitable vector into the mix, especially one that hopes to have a recognizably high profile and be widely and specifically trusted, by merchants and customers alike.

Proper design in this day and age dictates that credit card reading dongle devices should only work with associated secure applications, and that all data read from cards should be encrypted within the dongle and be kept encrypted for the entire transit to the card processing agent.

Doing this properly would obviously require more work, and would presumably be more expensive than a simple little unencrypted scanner. But it's the right thing to do.
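To make the design principle above concrete, here is an added example (not code from the post, from Square, or from VeriFone) that simulates the three parties: a reader that encrypts track data before it leaves the dongle, a phone app that only ever handles ciphertext plus a masked card number, and a processor that holds the other copy of the key. The HMAC-SHA256 counter-mode keystream stands in for the AES-GCM or DUKPT scheme a production reader would use, and the key and track data are constructed placeholders.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed demo key. In a real design it is injected into the reader at
# manufacture and shared only with the processor; the phone app never sees it.
READER_KEY = hashlib.sha256(b"placeholder-reader-key").digest()
# Constructed sample Track 2 data: PAN=expiry+service code (4111... is a test PAN).
SAMPLE_TRACK2 = "4111111111111111=2512101"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real authenticated cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_swipe(key: bytes, track2: str) -> dict:
    """Runs inside the dongle: encrypt-then-MAC before anything reaches the phone."""
    nonce = os.urandom(12)  # fresh per swipe so keystream is never reused
    plaintext = track2.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    pan = track2.split("=")[0]
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex(),
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}  # all the app may display


def app_forward(msg: dict, amount_cents: int) -> dict:
    """Runs on the phone: attaches merchant data, but has no key to read the track."""
    return {**msg, "amount_cents": amount_cents}


def processor_decrypt(key: bytes, msg: dict) -> Optional[str]:
    """Runs at the processor: verify the tag first, then recover the track data."""
    nonce, ciphertext, tag = (bytes.fromhex(msg[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered or forged in transit: reject, never decrypt
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()
```

Only the reader and the processor ever touch plaintext; anything captured on the phone, or modified between the phone and the processor, is either masked or rejected.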

VeriFone is seemingly trying to take advantage of this situation for their own competitive benefit, and much of their rhetoric on this score is clearly hyperbolic.

But regardless of other potential credit card exploits that occur, and other insecure card reading devices that exist, it appears that Square voluntarily missed the chance to take the high road and set an example of best practices, since they chose to build their system without strong end-to-end encryption principles in mind.

This was a significant opportunity lost, and did not ultimately best serve the legitimate interests and concerns of credit card users, merchants, or processors.

--Lauren--

Posted by Lauren at March 9, 2011 10:42 AM