A New Way to Square up the Tab
Christopher Byrd, CISSP, QSA, GCIH, GAWN, GPEN is manager, information security & privacy in the Brown Smith Wallace Risk Advisory Services group. Lisbeth Tanz interviewed Byrd about Square, the credit card processing tool and application for iPhone, Android phone or iPad, and the security of payment card data. The article below was originally published by St. Louis Commerce Magazine for the January/February 2012 issue.
By Lisbeth Tanz
Huey Lewis sang “It’s hip to be square,” but these days it’s hip to use Square if you’re a small-business owner or nonprofit. Square is the new upstart in the challenging world of credit card acceptance services. For small-business owners, it’s a fast way to accept credit cards, even if only periodically.
What makes Square different is its accessibility and ease of use. Gone are the days of service contracts and renting a bulky device with a phone line to transfer payment information. Square requires only an iPhone, Android phone or iPad, the credit card processing application and the tiny 1-inch square swipe device (also known as a “credit card sled”) that plugs into the headphone jack of the phone or iPad.
Payments can be taken anywhere a digital signal is accessible—a development that is even revolutionizing payments at garage sales.
“We’ve seen a wide range of users in various industries adopting Square,” Lindsay Wiese, Square spokesperson, says. New users include freelance photographers, hair salons, restaurants, cafes and even the Dave Matthews Band—anyone who needs portability with their sales processing.
Square is the idea of Jack Dorsey, co-founder of Twitter, and Jim McKelvey, co-owner of Third Degree Glass Factory in St. Louis. McKelvey’s inspiration came after losing a sale because he couldn’t accept credit cards.
As he discussed his problem with Dorsey later that day, he realized that his iPhone held the key to processing credit cards. All he needed was a swipe device. The idea for Square was born. One week later, a small team began creating the nascent payment system. By May 2010, the idea was a reality.
Square has changed the landscape of credit card processing with no monthly fees or merchant account requirement. Instead, Square takes a small percentage (2.75 percent) of each transaction, similar to the online payment gateway PayPal.
“For a small-business owner, it’s important that every expense is kept to a minimum,” Wiese says. “Square takes away the complexities of payments and offers a flat, transparent rate that is lower than competitors. Plus, the card reader and app are free.”
It’s the ease of use and mobility that often attracts new Square users. Incorporating Square into their business has enabled the Jefferson National Parks Association, the federal agency that operates the Gateway Arch, to reflect customer expectations in its retail venues. Before April, remote retail sites within the Parks Association only accepted cash or used the old manual credit card device that imprints the card information on a carbon copy sales slip.
“We felt we weren’t serving our customer base,” Jeremy Lydon, retail site manager at the Jefferson National Expansion Memorial, says. “We also knew we were losing customers because they had the expectation they could pay with a credit card.”
Lydon believes Square also helps improve the agency’s public image.
“It gives us the feeling of being on the cutting edge and being up-to-date,” he says. “Square allows us to provide a seamless experience, allowing our guests to focus on enjoyment versus inconvenience.”
Lydon also likes that Square’s reporting is easy to use and its data manipulation is simple. He noted only one downside.
“We can’t get a data signal under the Gateway Arch, so we can’t use Square there. But that’s not their fault.”
Not everyone is enamored with Square. Competitor Verifone has complained that Square puts users at risk for fraud because of security issues at the card swipe level. Two U.K. researchers demonstrated how the Square device can be used to capture or “skim” the magnetic stripe information from a credit card in two ways, according to a recent story at CNET.com.
The first converts the data into an audio file, which is then transferred to the Square app, allowing purchases to be made or money transferred to a bank account. The second uses the Square device and a special translation file written by the research team to convert stripe data into readable text on the phone. It’s this second misuse that has security experts worried.
Only some of the credit card sleds encrypt data from the reader, which may cause problems for merchants trying to comply with the Payment Card Industry Data Security Standard, according to Christopher Byrd, manager of security and privacy advisory services at Brown Smith Wallace LLC in St. Louis. To be in compliance, payment card data must be protected at all levels, including when the credit card is swiped. Square data is not encrypted until the information reaches the app in the phone or computer.
“If the data isn’t encrypted at the swipe level, you have to ask how are the credit card numbers protected?” Byrd says.
Square, based in San Francisco, is aware of the issue, Wiese says.
“We are always updating and improving both our hardware and software and continually rolling out new product updates,” she says.
What can consumers do?
“Consumers should keep receipts, regularly monitor their credit card and bank statements and contact the issuer about any unauthorized transactions on a timely basis,” Byrd says.
He also suggests that consumers shop only with merchants they know and trust and, where possible, keep their payment card in sight and watch how it is being used.
CHRISTOPHER BYRD is manager, information security and privacy services in the Brown Smith Wallace Risk Advisory Services group. Reach him at (314) 983-1374.
Copyright © 2012. Used by permission of St. Louis Commerce Magazine.