Recently, in an open letter, Verifone’s CEO brought up an issue with Square that I had not raised in my previous review of whether Square was a good option for small business owners.
Because Square does not encrypt the credit card data accepted through its dongle as that data enters the mobile device, Verifone was able to write its own app that, when installed, lets an individual collect the card information. Once collected, the individual can go back to that information whenever they want. As I believed Square’s security flaw was more of an issue for consumers than for small business owners, I did not include it in my earlier review, though I did note the PCI issues the device failed to address. I now regret that decision: the more I have thought about it, the more I realize it can directly impact business owners.
I read Greg Kumparak’s post “Don’t Believe The FUD: Square Is Only As Insecure As You Let It Be”, in which Greg argues that the issue is limited to the consumer needing to trust that the person he or she hands the card to is not skimming or otherwise intentionally misusing the information. This was my initial stance on the issue as well, and the reason it was not included in my review. However, I’ve learned the error of my ways and now believe that the Square security flaw is a major hurdle for both consumers and merchants, one that brings with it new and greater security risks than those currently associated with a standard credit card machine or payment gateway.
While it is true that a user’s ability to install skimming software on a mobile device is a danger, and one that is neither new nor specific to Square, what Greg fails to note is that the flaw in the Square dongle opens other holes in the system. These holes give a talented and devious software engineer the opportunity to skim credit card information en masse without any malicious intent on the part of the merchant using the application.
With a standard credit card machine or other non-Square card reader, the card data is encrypted both as it enters the device and as it leaves it. Square, by contrast, encrypts the data only as it leaves the mobile device, and with the current dongle it can do no more than that. Everything between the dongle’s output and the point where the Square app encrypts it is plaintext, so any app able to read that input path sees the card data. The danger arises when the merchant using Square has another application running on the device, quite possibly without their knowledge, that reads this information as it enters the phone or tablet. While we would like to think this will not happen, any merchant who runs other applications alongside the Square app could be unwittingly skimming credit card information because of one of them. A software engineer could design a program that looks innocent and offers, say, free horoscopes, but that, once installed, also lies in wait for credit card data coming through the Square dongle. It reads that data and, every time the user checks their horoscope, sends the card information to a central location.
This is a new issue for merchants, because information passing through almost all other mobile payment gateways and credit card readers or machines is encrypted on its way into the device as well as on the way out. That design exists precisely to prevent any unauthorized program on the phone from reading the card data entered into it.
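To make the difference between the two designs concrete, the following is an added example, not code from Square, Verifone, this site or any reader vendor. It models a reader that hands plaintext track data to the phone beside one that encrypts and authenticates at the reader head, and a co-resident "skimmer" app that scans whatever bytes arrive on the shared input path for Luhn-valid card numbers. The track data, the processor key and the HMAC-based stream cipher are all constructed for illustration; a real encrypting reader uses a hardware cipher and an injected key, and the point is only what the second app can and cannot recover.

```python
"""Added illustration of plaintext-at-the-reader versus encrypt-at-the-head.
Not vendor code; keys, sample track and the cipher are constructed stand-ins."""
import hashlib
import hmac
import os
import re

# Constructed sample: track-2 style data using the well-known test PAN
# 4111111111111111 (Luhn-valid, not a real account).
SAMPLE_TRACK = ";4111111111111111=2512101?"

# Key shared only between the encrypting reader head and the processor.
# Constructed for this example; a real reader would hold an injected key.
PROCESSOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def skim(device_input: bytes) -> list:
    """What a co-resident app sees: scan the bytes that arrived on the shared
    input path for Luhn-valid runs of 13 to 19 digits (candidate PANs)."""
    text = device_input.decode("latin-1")
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]


def plaintext_reader(track: str) -> bytes:
    """Reader that does no encryption: the phone receives the track as-is,
    so anything on the phone that can read the input path sees it."""
    return track.encode("ascii")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream (HMAC-SHA256). Stand-in for the hardware
    cipher a real encrypting reader uses; illustrative, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the reader/processor key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypting_reader(track: str, key: bytes = PROCESSOR_KEY, nonce: bytes = None) -> bytes:
    """Reader that encrypts and authenticates at the head. The phone, and every
    app on it, only ever receives nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16) if nonce is None else nonce
    plain = track.encode("ascii")
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def processor_decrypt(blob: bytes, key: bytes = PROCESSOR_KEY) -> str:
    """Processor side: verify the tag first, then decrypt. Raises on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("ascii")


def compare(track: str = SAMPLE_TRACK) -> dict:
    """Run one swipe through both reader designs and report what the skimmer
    app recovers in each case, plus what the processor recovers."""
    plain_input = plaintext_reader(track)
    enc_input = encrypting_reader(track)
    return {
        "skimmed_from_plaintext_reader": skim(plain_input),
        "skimmed_from_encrypting_reader": skim(enc_input),
        "processor_recovers": processor_decrypt(enc_input),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The skimmer is deliberately dumb: it needs no knowledge of the reader, only access to the same bytes the payment app receives, which is exactly the situation the post describes. Against the plaintext reader it recovers the PAN; against the encrypting reader it sees only ciphertext, and only the holder of the processor key can turn that back into track data.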
A small business owner who unwittingly skimmed the credit card information of every customer they processed and sent it on to a third party is a serious concern for consumers, merchants, and Square alike. It will be interesting to see the response from Square and the rest of the industry, as this is certainly an issue that needs to be addressed.
Website Disclosure: In an effort to ensure that we can continue to develop and deliver this website free of charge to our visitors, this website engages in affiliate relationships with some of the processors listed, and also offers advertising on the site. To learn more about this please visit our disclosure page.