Yesterday credit card processor VeriFone launched an outright attack on mobile payment processor Square, saying that the company’s free mobile credit card readers (that can be used with Android and iOS devices) suffer from a fundamental security flaw that puts customer data at risk. VeriFone’s CEO Douglas Bergeron called for all Square card readers to be recalled, and said his company was turning over its findings to major card issuers like Visa, MasterCard, American Express, and Square’s partner bank JPMorgan Chase.
Now, Square CEO Jack Dorsey has responded with an open letter of his own, essentially saying that Square’s technology doesn’t suffer from any security flaw that’s not already in the credit cards themselves.
“Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to ‘skim’ or copy numbers from a credit card,” Dorsey writes. “If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.”
Dorsey emphasizes that their partner bank JPMorgan Chase “continually reviews, verifies, and stands behind every aspect of our service.”
Dorsey notes that banks are well aware of the risks involved in fraudulent use of credit card information, and do not hold customers responsible for bogus charges. (Although anyone who’s had to work with a bank after a credit card or identity is stolen might question how easy the process of clearing fraudulent transactions really is.) Dorsey goes on to note that one of Square’s aims is to remove the complexity from accepting credit card payments and remove all concerns about security. Dorsey notes Square users can request an instant text message or email receipt after every transaction.
The heart of VeriFone’s attack on Square is that Square’s card reader device does not encrypt credit card information while it’s being transferred to a host Android or iOS device. VeriFone argues it is trivial for knowledgeable programmers to make fake Square apps that do nothing but collect info from swiped cards, rather than process legitimate transactions.
The dispute highlights the increasingly competitive nature of the mobile payment processing industry, where devices like Square’s mobile card reader and near-field-communications (NFC) technology have the potential to disrupt traditional credit card processing businesses.