The Spat between VeriFone and Square.

Disclaimer:
We here at 37′ are using Square to take credit card payments. We have recommended Square to others over Intuit GoPayment. We have not considered using VeriFone in the past.

VeriFone fired the first salvo (www.sq-skim.com):

Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.

…….

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

…….

We call on Square to do the responsible thing and recall these card skimming devices from the market.

Douglas G. Bergeron
Chief Executive Officer

VeriFone is “concerned” that the Square card reader does not encrypt the information it reads from a credit card’s magnetic stripe. According to VeriFone, anyone can write an app that uses the Square card reader to capture all the information on a credit card’s magnetic stripe. In essence, VeriFone is calling out Square for providing a credit card reader that can be used for criminal purposes.

For some reason, it reminds me of the HDCP compliance scheme. For example, multimedia signals must be encrypted from the Blu-ray Disc to the Blu-ray player to the HDMI cable to the receiver to the display. Well, at least that’s what VeriFone wants us to believe.

Unlike a Blu-ray Disc, a credit card is not encrypted. Not in the magnetic stripe, and not on the card itself. All the information about the credit card is visible on the card itself. The credit card number, account holder name and expiration date are raise-printed on the card. The card security code (CSC) is printed in the signature field. Anyone can easily copy the information.

Square responded:

Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.

Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to “skim” or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.

Some say that VeriFone sees Square as a threat; John Gruber nicely summarized:

VeriFone’s FUD attack on Square didn’t happen until after Square reduced its fees to well below VeriFone’s rates.

If Square somehow “recalled” the current credit card readers and replaced them with encrypted ones, would VeriFone be satisfied?

Is VeriFone, a $4.2b company, threatened by Square, a company with $37.5 million in startup funding? (Dollar figure is from TUAW.)

——-

VeriFone Payware Mobile is available for iOS devices.

Square is available for iOS and Android devices.