On Wednesday, March 9,VeriFone’s CEO Doug Bergeron lobbed a Molotov cocktail at its fastgrowing, and far smaller, competitor Square. The paymentsblogosphere has been a-twitter ever since.
In its open letter to the payments industry and Square, VeriFonedeclares that Square opens up new skimming risks and that Squareshould voluntarily withdraw its magstripe reader from the market.Square’s Jack Dorsey demurs.
Right About Security
Security is VeriFone’sjustification for this contretemps and technically Bergeron is 100%right. Square’s card readers are easily hacked and the fact isthat’s a truth that has been well known for months. MagTekpresident Mimi Hart has been demonstrating that hack since lastfall in her company’s effort to provide a secure alternative toSquare’s approach. Like the MagTek solution, VeriFone’s iPhonepayment device encrypts the magstripe card data at the read head.The keys to decrypt it are in the processor’s data center andnowhere else. So, blog posts and other commentary claiming thatthere’s no security difference between the Square reader and theVeriFone approach are just ignorant. Dorsey himself gets it wrongwhen he says, “Any technology-an encrypted card reader, phonecamera, or plain old pen and paper-can be used to “skim” or copynumbers from a credit card.” He’s right about the last two casesbut an encrypting card reader is, to any practical extent, unusablefor card skimming.
VeriFone’s sharing of its Square skimming software with the cardbrands and Square’s bank, JPMorgan Chase, doesn’t add materially tothe discussion and especially to the risk assessments made by thoseentities. They’ve known for months exactly how Square’s systemworks and have found no objections substantive enough for them toopt out of the increased transaction flow Square represents.
Square does not introduce a brand new vulnerability. Its cheapreaders expand the opportunity for skimming, making almost everymobile Apple device a potential card skimmer. Because of that fact,one could argue that Square lowers the bar to card skimming.Certainly, it doesn’t raise the bar a micron but the degree towhich it expands risk is considered by its upstream partners to bemanageable. After all, PayPal’s had a very similar model for onlinemerchants for years and, through a huge investment of capital andeffort, the firm has been successful in managing fraud in anenvironment where hackers steal card credentials right off theconsumer’s PC. The card brands and JPMorgan Chase are bettingSquare can get that fraud mitigation job done too, and are quitehappy to both gain the new transaction volume and give Squareenough rope to hang itself if it proves incompetent.
A Square Mousetrap
Square has built itsacquiring model on the Internet-spawned, network effect, i.e. freeto get in, pay as you go. Sign up, get a free magstripe cardreader, and just pay the processing fee. Square’s recent decisionto eliminate its swipe fee just ups the competitive pressure onIntuit, VeriFone, and others. Its vector into payment processing issimply one that’s culturally unavailable to traditional paymentsparticipants. There’s no doubt that an encrypting card reader fromSquare would have been far superior from a security point of view.There are plenty to choose from out there. But that would haveraised hardware costs, requiring the merchant to pay $25 or more,and thus raise a significant barrier to Square customeracquisition.
What’s at stake here, of course, is the business of the mobilemerchant and, increasingly, almost all small merchants as theybecome more mobile, even when they’re in their store. Square hasbeen winning that business (to the pain of VeriFone and plenty ofothers) reporting last week that it is now processing over $1million in volume per day. Miniscule in the grand scheme,significant in the gateway business.
In the longer term, we’re not going to care about the magstripe.Payments will be about smartcards and NFC-equipped smartphones anda better customer experience. It’s quite logical to suspect thatSquare will add more accounting and business services functions toits software. Couponing and loyalty program services for smallmerchants are an absolute no-brainer. Square’s long termcompetitive advantage is not a free magstripe card reader. It’s thesoftware and the footprint and where have we seen that formulabefore?
Not the Best Move
It should come as asurprise to no one, including Bergeron’s PR advisors, that pickingon the little guy is not a winning strategy if you’re after heartsand minds. Indeed, VeriFone’s tirade just adds buzz to the Squarestory, a tale with no need for added notoriety given itsTwitter-bred founder. VeriFone’s outburst will make more news forSquare and lend credibility to its side of the story. After all,the giant doesn’t pick on the little guy unless he’s doingsomething “right” which (in this case) means “really annoying” tothe giant, as in, winning the hearts and minds of smallmerchants.
It has to be frustrating to be putting the “right” secure productinto the market, one that took time and effort to create, only tohave it face unexpected competition, particularly for a hardwarevendor diversifying with all deliberate speed into transactionalrevenue. Over the last couple of years, VeriFone has done anexcellent job in positioning itself as a trusted provider tomerchants and financial institutions. Its pending Hypercomacquisition makes it a formidable competitor to Ingenico. The stockmarket has rewarded its strategic moves with a more than doubledstock price over the last nine months. An impressive performancefor a payments industry in stasis due to global recession,competition, and uncertainty.
VeriFone’s thoroughly planned tirade seems misguided, at best, bycomparison. It reminds me of the adage, “Don’t wrestle with pigs.You both get dirty and the pigs like it.” Good advice.
Unless the pig’s eating your lunch.
Links
VeriFone’s anti-Square site and skimmer app
http://www.sq-skim.com/
Square’s Response
https://squareup.com/letters/security
TechCrunch Blog
http://techcrunch.com/2011/03/09/squares-jack-dorsey-verifones-security-hole-allegation-is-not-a-fair-or-accurate-claim/