Square Security Defended By CEO Jack Dorsey

Dorsey: A Pen Can Skim Your Credit Card Number Just as Easily


Yesterday, VeriFone posted an open letter attacking Square, a competing maker of credit card readers, and showing how criminals could use Square's reader to steal credit card information.

“The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes,” wrote VeriFone CEO Douglas Bergeron. “There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.”

He also posted a video, which has since been removed from YouTube.

We initially noted that Square had not responded, but that has changed. Co-founder Jack Dorsey posted his own letter of response, which says:

Jack Dorsey, CEO of Square

Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.

Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to ‘skim’ or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.

The bank that issues your credit card recognizes this and does not hold you responsible for fraudulent charges. When they are alerted to odd activity, they simply give you a call and will reverse the transaction. With Square, your credit card is designed to be used without worry, in more places than ever before.

Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction.

At Square we work tirelessly to remove all complexity from accepting credit cards. That includes removing every concern around security. We thank you for your increasing support to make Square the leading way to pay with a credit card, safely.

Bergeron had said in his letter that he was handing over a copy of a skimming application he had created to demonstrate the threat, to Visa, MasterCard, Discover, American Express, and JPMorgan Chase.

Even before we saw a response from Square, there were a lot of people saying basically the same thing Dorsey said. Whether or not Dorsey has now set some minds at ease, VeriFone’s letter probably managed to generate enough buzz around the issue to leave questions about Square’s security in the mind of the average headline browser – whether justified or not.

  • Marce Long

    I was one of the few to see the video on YouTube before they deleted it from the site. I am surprised it was so easy to HACK Square and to find out that they are not doing anything to replace the insecure device they are using!

  • Marce Long

    What about the fact that iPhones & iPads are inherently not PCI compliant? There is no way to guard against the man-in-the-middle attack.

    Another compliance issue they will have relates to one of Square’s main “benefits.” They claim they can allow you to charge customers fast because Square doesn’t require customers to get a merchant ID.

    However, one of the main parts of being PCI compliant is maintaining a strong process for distributing & confirming merchant IDs. PCI compliance isn’t just about having decent data control & security – it is also about following the rules of the member banks/processors that you use to process the credit card swipes.

    If Square doesn’t follow this PCI guideline, how can it ever be considered PCI compliant?

    I don’t get it.

    At some point that will cause the card processors to deactivate them and all the sub-accounts.

    For example, if you search for Square or any of the company’s obvious derivations, its name doesn’t show up on the PA-DSS compliance lists from PCI or the Visa CISP at all. It is my understanding that PCI compliant apps & companies appear there. But not Square.

    Whoever the ISO is that is letting Square do their beta is going to get shut down hard once Square starts pushing serious traffic. The sponsor banks are going to yank that ISO’s processing permissions and that is going to dump Square on its ass.

    The bottom line is that certain regulations are in place because of known and understood risk mitigation – specifically around getting merchant accounts for each person who runs a swipe system. Banks don’t want to lump all the risk under one merchant account and they will not let this kind of risk build up to unacceptable levels. Once Square hits that magic threshold, watch what happens.
