In the startup world, with new money comes new obligations. The leaders at mobile payment startup Square, being well-establish entrepreneurs, know this well. Yet, they cannot be excited about requirements coming from Visa after the credit card giant made a strategic investment in the company earlier this week.
Visa released a new “best practices” for mobile payments April 27 and a stipulation of those practices are that credit card information be encrypted from the source of the transaction. Square does not currently encrypt credit card information coming from the dongle it uses to make transactions through smartphones. Yet, when billion-dollar behemoths that have just invested in your company strongly suggest that you do something, it is probably best that you do it. Hence, Square will issue new dongles later this year with the ability to encrypt data transmissions from the source.
Note: Updated with analysis from security expert Robert Vamosi of Mocana.
Square has all along said that the system they have created is secure enough without having to specifically encrypt data coming from the dongle. When mobile payment competitor Verifone blasted Square in early March for having “serious security concerns” because of lack of encryption, Square’s CEO Jack Dorsey fired back that the allegations were not “fair or accurate.”
Update:
We contacted Mocana security analyst Robert Vamosi, a former tech journalist who has worked with Forbes and PC World who was quoted in Verifone’s open letter for some insight.
“[Point-of-sale] terminals in retail settings don’t encrypt at the moment the card is swiped, but there is a move right now within the industry toward point-to-point encryption,” Vamosi said. “Encrypting the data from the moment it is read off the card until it reaches the card brand is the Holy Grail; no one’s doing it, but many companies are attempting it.”
Vamosi said the risk factors are of scammers getting between the reader (the “Square”) and the application that processes it. In that scenario, “skimming” from the transaction, as Verifone said is the potential problem, would be feasible.
“The risk is in malware sitting between the dongle and the application. If malware writers target Square’s input, then there’s risk,” Vamosi said. “If malware writers don’t target them, then this is academic. But the payment industry is moving toward encrypting as much of the payment process as possible, so ultimately one could argue that it is inevitable that Square encrypts data in their dongle.”
Vamosi uses the example of Albert Gonzalez, the mastermind behind the Heartland Payments System credit card breach of a few years ago as an example of the danger these types of malware could pose.
“Gonzalez and his crew were able to skim unencrypted credit card data from wireless POS terminals at TJX back in 2005,” Vamosi said. “So the risk from unencrypted card data in motion across the network has been known, but it wasn’t until the Heartland Payment Systems breach in 2009 that the payment industry got serious with encrypting as much card data as possible. It is not yet, however, a PCI requirement that card data in motion must be encrypted, only data at rest is explicitly covered by the latest PCI DSS.”
Basically, in the chain of transaction from swiping the card to the data being stored, encryption is a growing though not mandatory practice, especially at the point of sale, where Square lives. Visa is moving the practice of encryption forward by instituting its best practices.
End update.
Yet, here we are, note quite two months later, and Square is going to start encrypting its dongles.
“Visa announced mobile security best practices. Square is excited to collaborate with Visa in helping define and shape the security guidelines for the rapidly evolving mobile acceptance space,” wrote Square COO Jeff Rabois in a blog post. “The adoption of best practices will help increase trust in innovative payment solutions. Of course, Square complies with all current industry standards, and we are committed to meeting or exceeding industry guidelines as they evolve — all while keeping our card reader free.”
Nowhere in the post does Rabois mention the word “encryption.” The closest mention is saying that they will adhere to best practices. The two primary points of Visa’s mobile payment best practices was for encryption from the source and the ability to tokenize credit card numbers along the data chain.
Here is the pertinent bit from Visa’s release:
“Encrypt all account data including at the card-reader level and in transmission between the acceptance device and the processor – especially important given the use of wireless or public networks.”
It may be a moral setback for Square but, as they say, with great power comes great responsibility. If the company wants to keep reaching out to the big players in the payment industry they are going to have to play by their rules. Hence, if Visa wants encryption and has given Square a pile of money, encryption is what Visa will get.
