Square Inc. is posing the latest threat to the payment industry status quo, as point-of-sale transactions begin to move from cash registers to mobile phones.
However, it’s not as though the little Square card reader that plugs into mobile devices is all alone.
ISOs and other companies have started offering mobile POS applications and card-swiping hardware accessories in the last year and a half, too, and some of them arrived before Square. Names like PayAnywhere, RoamPay, GoPayments and PayWare are among the newest additions to ISO arsenals, most of them compatible with mobile phones the merchants already own.
However, a few twists differentiate Square. The company has come in with a card reader for smartphones that does not require a complex merchant contractual agreement or monthly processing fees. Square simply charges a 2.75% processing fee per transaction.
ISOs find it particularly unsettling that Square does not rely on them to reach merchants. “They completely bypass the ISOs,” said Peggy Bekavac Olson, principal with consulting firm Strategic Marketing. “Recently, they have been building a sales force among college students. That is how they are getting to the merchants in some cases.”
Square’s unorthodox model and sales approach seem to work. The company reported at the end of last year that daily transaction volume had reached $11 million, almost three times the daily take Square reported just six months earlier. The company also said around the same time that 1 million merchants were processing payments using Square.
However, some aspects of Square’s strategy remain a mystery, and the company did not respond to interview requests.
Questions abound about Square’s transaction security. Competitors claim Square does not use an encrypted card reader, and published reports say the same thing. One example is a recent analysis by product review Website TopTenReviews.
Meanwhile, George Peabody, director of Emerging Technologies and Fraud, Risk and Analytics Services for Mercator Advisory Group, says, “Square said it would replace its readers with an encrypting version last summer, but we are unclear as to whether that has actually taken place.”
Aside from the card reader hardware, transmissions of credit card data from the mobile phone are encrypted, and according to published reports credit card information is not stored on the phone itself or on remote servers.
Square’s potential lack of security has drawn heated criticism. For example, Jeff Alderman, director of marketing at PayAnywhere, which is backed by ISO North American Bancard, did not mention Square by name, but says: “Security is the reason we have been able to woo customers away from the white dongle. [The Square reader is white and can be described as a dongle.] People switch to us because their reader doesn’t work for them, or because it’s flimsy or because it’s not secure. Our reader is encrypted, but there are others out there that are not encrypted.”
Alderman said the fact that some mobile phone card swipers are not secure has confused the market and could slow adoption.
The security issue has festered for the better part of a year and a half, partly because of uncertainty regarding the standards that would cover mobile POS, sources say. The PCI Security Standards Council has a certification program, which early on was certifying mobile POS.
However, as the number of mobile POS options increased, the council admitted that certification was not designed as a mobile-specific standard. That led the group to call a moratorium in late 2010 on the approval of new mobile phone-based POS offerings to provide time to study security issues.
In June, the council set up three categories of mobile POS. The third category includes readers operating on any handheld device that is not made solely for payment acceptance.
Before considering Category 3 for validation, the council intends to develop advice, guidance and standards, Bob Russo, the council’s general manager, says. “This is a key focus area for the council in 2012,” he adds.
“We understand merchants and others are eager to adopt and move quickly with the possibilities mobile devices provide,” Russo says. “However, it is our duty to look at these through the light of the PCI standards and payment card security.”
A council task force is working on a best-practices document on securing mobile applications. In the coming year, the council plans to publish more guidance for merchants on how the group’s PIN transaction security and point-to-point encryption requirements.
At the same time, opinion differs ever more broadly on the importance of encryption to the merchants most likely to use mobile phone-based POS applications. Technology companies and processors have indicated in the past year that security ranks among the top concerns about mobile payments.
However, the prevailing perception is that the retailers most likely to use Square and similar readers, the so-called micromerchants or seasonal merchants, may not conduct large enough or frequent enough transactions to make security their No. 1 concern.
“The target merchants for these [products] are just thrilled to be able to take mobile payments and to have a simple [process] for it,” says Mercator’s Peabody. “Their concern is payment acceptance. PCI [conformance] is way down the list.”
Stephanie Clements, president of Veritas Merchant Services LLC, a Louisville, Ky.-based ISO that offers RoamPay, agrees.
“Small merchants have not worried as much about security, and trust that if we are offering the program, then it is secure,” Clements says.