Payment Security: Square vs. Verifone vs. Magtek vs. …

If you have been following news in the payments industry over the last week, you have (undoubtedly) heard of the announcements surrounding card acceptance from a mobile device.

In particular, there has been substantive industry buzz around the launch of the acceptance methodology offered by Square. There is already a wealth of content that discusses the offering and its business model in great detail…so I will forgo that commentary.

What is most intriguing is the discussion/turmoil regarding the security of the Square solution…

You can track a fair amount of the commentary on, but there are two items, in particular, that I encourage you to peruse.

The first, iPhone Payments Smackdown: Square vs. Verifone, will provide you with the commentary and a glimpse into the discussion, but I encourage you to watch the video interview with Mimi Hart, President & CEO at Magtek*, discussing the offering with Jonathan Summey of the Pymnts team. Near the end of the interview, there is a quote that I find extraordinarily compelling.**

Jonathan Summey –
“For a final question…If you’re at your local coffee shop, or you’re maybe buying a hot dog on the corner, and someone presented you with this as a payment device, would [you] be eager to use it? Or, maybe, be a little skeptical? What would your initial feelings be?”

Mimi Hart –
“Well, I’m an educated consumer so I’m not really probably the right person to ask the question [of]. But, at the end of the day, for me, to invest…to put my credentials and card data into a device like this that I know doesn’t really have good security at the reader level for the convenience of paying for a 4 dollar cup of coffee and having also been through the process of what you have to do when somebody has compromised your credit card and you have to write endless letters and have endless telephone calls to get it all squared away, I’m not sure as a consumer if I’d risk it.”


Credentials is defined as “evidence or testimonials concerning one’s right to credit, confidence, or authority”

I freely acknowledge that I have spent substantial time as of late discussing concepts of Federated Security and Federated Identity (including things such as transaction originator authentication & authorization)…but this couldn’t have been a more timely statement.

How many of us truly treat our signature and card as credentials? I live/breathe/eat/sleep payments and technology…and yet, in my day-to-day life, I tend to treat my credit card as nothing more than a piece of plastic. However, the card (and, in some acceptance modalities, the signature) are processed by a merchant and, when an authorization is returned, evidence my “right” to credit for that merchant’s goods or services.

It is an important concept. And it is one that is easily ignored.

This is the context that is important when considering the ongoing debate regarding the security of solutions offered by Square and others. In Jack Dorsey’s words (from his discussion with Mike Arrington regarding the Verifone offering):

“From the outside it looks like we haven’t done the work to actually verify everything, but we are heavily regulated just like Verifone, and we’re doing the compliance and managing the fraud and the risk and all those aspects that comes along with this business.”

There is also, in my opinion, one other small piece of the discussion that is being overlooked. I understand those who say that they fear compromise of a phone as an acceptance device, and yet the problem of loss of card data is not limited to such a platform….

According to comScore (via CNN Money) there are 7.8M iPhone users in the US. AT&T, in contrast, indicates 8.3M activations through June of 2009. Let’s use a number between the two for some comparative analysis…8M iPhones in the US.

The numbers that I use below are solely illustrative, but indicate my thought process. They are by no means an accurate comparison, as there are no concrete numbers to utilize. But, even with being generous, they tell an interesting story…

So, if usage of the Square capability were to grow to 5% of iPhone owners in the first year, they would have 400k users of the solution in the United States. Now if those merchants ran, on average, 250 transactions monthly (and we assume a 30.42 day month) then Square would be handling approximately 3.3M transactions daily.

According to a SANS Institute whitepaper entitled Skimming and its Side Effects, there are 365K ATMs in the United States that generate more than 41M transactions daily. Half of these ATMs are bank-owned, the other half are merchant-owned.

Is one inherently more attractive as a target for breach than another solely due to the hardware on which it resides? No. Ease of hardware breach is a contributing factor…but usage of, and volume of, transactions is equally important.

The reaction to the Square announcement is understandable. Questions regarding the security of the solution are justified and seem as if they are, at present, being answered by the Square team. As I’ve discussed elsewhere, PCI Compliance (even as a Level 1 Service Provider) is only one component of the security equation…so it is refreshing to hear that the Square team is addressing “fraud and risk”*** that comes along with enabling card acceptance. I do find it intriguing that Square has opted to add the capability of a photo being displayed for the merchant on the phone. But that is, perhaps, better left to a discussion of the meaning of authentication at a later date.

Is Square secure? Would you trust it with your credentials?
Is your grocer secure? Can you verify that?
Is your ATM secure? Can you ensure that?

Risk is inherent in the world of payment processing…the goal is to minimize that risk (as a consumer, as a developer, as a payment processor, etc.)

Finally, the decision of presenting a card as tender, at least to me, is not binary. The decision is not driven solely by the acceptance device (although that is an element of the equation); it is driven by a combination of factors such as familiarity with the acceptance device, familiarity with the merchant (either personally or professionally), and above all else…convenience. I pay with my card because I prefer it to carrying cash.

Consumer preference will, ultimately, determine the breadth of adoption of offerings such as Square.

What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below…

* Whom I respect greatly.
** NOTE: I have transcribed this manually from the interview, please forgive any errors…
*** Yes, I recognize that (in context) that statement is specifically focused on the reference to Square allowing a wide range of customers to process…but, my impression (and nothing more) is that the statement was intentionally delivered in a broad fashion.

December 14, 2009

