Yesterday, Verifone posted an open letter, attacking competing credit card reader company Square, showing how criminals could use it to steal credit card info.
"The issue is that Square's hardware is poorly constructed and lacks all ability to encrypt consumers' data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes," wrote VeriFone CEO Douglas Bergeron. "There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you're a fraud victim."
He also posted a video that was removed from YouTube.
We initially noted that Square had not responded, but that has changed. Co-founder Jack Dorsey posted his own letter of response, which says:
Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to 'skim' or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.
The bank that issues your credit card recognizes this and does not hold you responsible for fraudulent charges. When they are alerted to odd activity, they simply give you a call and will reverse the transaction. With Square, your credit card is designed to be used without worry, in more places than ever before.
Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction.
At Square we work tirelessly to remove all complexity from accepting credit cards. That includes removing every concern around security. We thank you for your increasing support to make Square the leading way to pay with a credit card, safely.
Bergeron had said in his letter that he was handing over a copy of a skimming application that he created to demonstrate the threat to Visa, MasterCard, Discover, American Express, and JP Morgan Chase.
Even before we saw a response from Square, there were a lot of people saying basically the same thing Dorsey said. Whether or not Dorsey has now set some minds at ease, VeriFone's letter probably managed to generate enough buzz around the issue to leave questions about Square's security in the mind of the average headline browser - whether justified or not.