Opinions on Square and
In the "Square and PCI compliance" thread on GS Online's MLS Forum, GLEASON99 asked, "Can someone please explain to me how Square gets all around PCI [Payment Card Industry Data Security Standard] compliance issues that plague all the other processors in this industry? It seems to me that the card associations have different rules for Square. With the new Square Register, these guys are going to be more of a competitor."
Following are excerpts from the discussion that ensued:
What I believe will hurt Square is their way-below customer service. They don't take phone calls, you can only email customer service, and the minute they hold money and the merchant starts to call and can't get anyone, there goes the shootin' match. Also, I believe that it is just a matter of time before they are hit by one very large fraud incident. It's just way too easy to get a merchant account and run bogus cards through it.
- STEVE NORELL
What makes you think the Square system is not PCI compliant?
Their customers have access to card data and do not do any sort of assessment to their compliance. Additionally, the data is unencrypted between the reader itself and the phone. If Angry Birds can read the card as it's being swiped, I find it difficult to suggest that the device/software is compliant or secure in any way. The transaction may be secure once it is finally in the Square software on the phone, but it's not secure getting there, and there's a lot that can happen on a smart phone in that space between the reader and the software.
Maybe so. But PCI rules do not require a card swipe to be encrypted. They require card data to be encrypted if it is stored, and also prohibit the storage of complete mag stripe data. Granted they are not on the Visa PABP list, but neither is MagTek's QwickPAY product. Maybe an "app" doesn't need to meet the same certification requirements as an "application." And as far as the SAQ [Self-Assessment Questionnaire], I don't know that they are or aren't asking their merchants to fill them out, but there are plenty of acquirers and ISOs with poor compliance stats in that area. Bottom line, with as big as Square is in terms of merchants, Visa would have shut them down if they felt there was a serious security risk there.
Mobile processing involves two features: 1. Mobile software application that is downloaded on the smart phone; 2. The card reader that sends the credit card information to the software application on the smart phone.
Every smart phone processing provider has a software application that is PCI [compliant] which is mandatory by the PCI Security Standards Council; however, the biggest problem, and one that has not been addressed by the council, is: What happens to the credit card data when the credit card is swiped through the card reader and sent to the software application on the smart phone?
If a smart phone processing device is using the 'audio jack' to connect the card reader, the card reader is sending an audio signal from the card reader to the software application on the smart phone. These audio signals are the same signals that a touch tone phone makes when you press a number on the key pad. Each number sends a different signal, thus the credit card numbers being sent to the application are a long stream of signals which are not encrypted, making it very easy for this data to be compromised.
A smart phone processing device utilizing the data jack on the Apple products (iPhone, iPad, iPod touch) utilizes 'end-to-end encryption,' which means that once the card is swiped through the card reader, the card data is encrypted when it sends the card information to the smart phone application thus making it very difficult for the credit card data to be compromised. Rumors are that the PCI SSC will only allow end-to-end encryption for smart phone processing, making it the 'standard,' thus making the audio jack card reader obsolete.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.