In the sleepy Columbus, Ohio suburb of Canal Winchester there is a shop that makes cupcakes. These are not ordinary cupcakes; these are fantastic cupcakes. In fact the name of this establishment—Fantasy Cupcake—is no boast and can readily back up the hype (trust me, I ate one and it was killer). A relatively new business owned and operated by Leah Dotson, Fantasy Cupcake chose Square as its processor when it came time to set up a transaction mechanism for accepting credit cards.
And then a funny thing happened. Coincidentally or not, several banks and processors approached Leah about setting up merchant services with them instead of relying on Square.
Most of the visiting merchant services reps looked at the Square rate plan Leah had worked out and admitted she had a good deal and that indeed, Square would be her best bet.
But there were two that didn’t go so smoothly.
A Key Bank rep came in with an offer and a flyer—“We’ll give you 300 bucks if we can’t beat your current merchant rate plus give you $100 to switch to our service.” Leah told the rep her Square rate (2.75% + no additional fees) and she said the Key bank rep “kind of panicked”, and laughably left as soon as she could (leaving a flyer behind but keeping the 300 smackeroos). Hilarious.
The First Data Rep? Well, here’s where it gets weird. That representative (actually rep-ing for Huntington Bank) gave her a bunch of information (or mis-information, actually) about Square, and suggested that she switch over to the First Data/Huntington services for her own protection. While Leah characterized her as professional, she admitted that the barrage of negative info about Square did freak her out little. Actually, it freaked her out a lot…enough to call her brother-in-law who helped her get set up with Square in the first place (and who also happens to be a payments expert). That’s how I got wind of it.
So what was this mis-information? The First Data rep indicated to Leah that:
- Square was unencrypted
- Square was storing credit card info resident in the native iPad app she uses
- Square was not PCI compliant
- The merchant could be caught in legal action for using it
This First Data Rep then tried to sell their merchant services program to her even though it was not quite as friendly for small purchases, which is the majority of Leah’s business.
The breakdown compared something like this:
In the end, a First Data merchant agreement would have amounted to almost $800 per year in additional fees for Leah vs. Square’s simple 2.75% rate structure and no additional fees. Forget the POS hardware purchases and statement fees and just think about that $.15 transaction fee. That’s 1.2% plus $.15 on every single transaction vs. Square’s flat rate of 2.7%. When you think about the fact that the majority of Leah’s sales are under $3.00, it really adds up. That’s roughly $.21 in fees for that $3.00 order vs. $.08 using Square.
So what about all the encryption and PCI compliance claims about Square. If that were true, it would be enough to make anyone have second thoughts.
I reached out to First Data for comment, but they would not comment about Square nor whether their representative indicated this to Leah.
So I reached out to Square. Their spokesperson didn’t give me much detail, but indicated that no card numbers, magnetic stripe data nor security code data is ever stored on any devices authorized to use Square’s service. She also said that Square’s service is 100% PCI compliant and that all data passing thru is encrypted, surpassing requirements. She then sent me a link to their security page.
But what about the actual reader—the Square, so to speak. Is it encrypted? Well, it technically isn’t. I heard as much from App Ninja’s CEO John Waldron when I interviewed him a few months ago. I confirmed this with George Peabody, Director, Emerging Technologies Advisory Service at Mercator Advisory Group. George told me that the Square reader actually makes a pretty effective card skimmer and there are rogue apps out there that can use it in that way. To be fair, card skimmers are readily available if you go looking for one though and there are even more complex and stealthy methods to retrieve card information than a mis-used Square (remember this histrionic story from a while back)?
WHAT DOES IT ALL MEAN
So Square is, in fact, an encrypted software solution that meets rules for PCI compliance and it doesn’t store any data on the devices that use it. It’s a safe solution for accepting Credit Cards, and therefore the First Data/Huntington rep that spoke to Leah Dotson is wrong. However, depending on how one defines encryption, the claim that Square does not use hardware encryption is actually true for now. In practical terms though, it would be difficult to intercept that card data swiped on a Square reader before that data reached Square’s software. The more likely way to facilitate this kind of skim, would be for a shifty merchant to use a rogue app on their jail-broken or otherwise unauthorized mobile device in place of Square’s software to collect card data. But a person that would hijack a Square reader to skim cards could easily rig another solution to do the same thing. So the real question a consumer should ask isn’t “is this merchant using Square”, but rather “Wait, who is this merchant in the first place? Are they established, legitimate and can I find them again?”
But back to our little drama. It’s certainly not shocking that one company would try to use mis-information to compete for business — that is par for the course in the contemporary business world. What is a little shocking to me is what this action could represent. Whether corporately sanctioned or not, do actions like this signal that big banks/processors are just a little bit afraid of Square? Perhaps Square, which seemed fringe to the big banks a year ago, actually represents a bit more of a threat than previously thought? Maybe the threat of losing that $800 a year in fees alone, is enough to make some processors and banks actually sweat a little?
It sounds like your classic David vs. Goliath story, right? The “big guy” processors like First Data and even regional players like banks are starting to freak a little and this institutional fear is spreading to all areas of their merchant services sales initiatives—a logical conclusion right?
First of all, let’s keep the volume in perspective. Square is doing $4 million dollars in transactions a day. It sounds like a lot but remember that processors like Chase Paymentech (one of First Data’s biggest international competitors) did something like $137 billion in transaction volume in Q2 2011. That’s about $1.5 billion a day and easily dwarfs Square’s volume. First Data’s volume is likely similar.
A difference in volume like that means that, institutionally, Square is likely not on First Data’s radar at all. They are a gnat flying around one of First Data’s many Hydra heads. No, this story is likely less David vs. Goliath than it is David vs. David.
You probably know that the payments space is incredibly complex. At least in the U.S.A. there are so many players and so many relationships with regard to merchant accounts, that the macro view of it is daunting, to say the least. However, what you may or may not know is that major processors like First Data and Paymentech typically do not set up merchant accounts for smaller, Mom-and-Pop type stores even though those transactions ride on their rails. It’s possible to do business directly with one of these big players, but it is expensive, so you pretty much have to be a big business yourself to engage with them. For small retailers, merchant accounts are typically set up by Independent Sales Organizations (ISOs) that are affiliated with the major processors and that specialize in selling and setting up payments and merchant accounts for smaller players. These could be banks, but they could also be small specialized businesses. The view of this ISO infrastructure is vast and I don’t pretend to be an expert on it. To quickly sum how these ISOs relate to the large payments processors, I reached out to George Peabody again for an explanation.
“It’s really a sales channel…a sales channel for the massive processing capacity that the First Datas and the Paymentechs of the world possess…you’ve got to have feet on the street to sell it. There’re something like 8 million traditionally defined merchants in the US, and the vast majority of them want to be able to take credit cards because taking cards has a big impact on how much money they make. So it’s a chain of resold processing capacity. Some of the [ISO] resellers are banks. There are big ISOs and little ISOs and there are even independent sales people working for ISOs and actually selling to Mom and Pop shops”
So here is my theory to explain why this First Data representative (likely working as or with an ISO) would be falsely telling Leah Dotson that if she uses Square to process her card transactions she could get sued. Square is competing, not with the big players in the payments processing realm, but instead with these smaller ISOs and independent reps that are looking for their $800 a year in additional transaction-related fees. Square is disrupting this sales model and is causing the ISOs to take notice and become much more competitive. I bounced this idea off George Peabody and he concurred. “This is classic internet disintermediation” and indeed both the small and larger ISOs are likely starting to feel the heat and at least take notice of Square and their disruptive service.
So Square is the winner here right? They hold the high ground by operating services with much lower overhead and no “on-the-ground” sales force?
Maybe, but one thing is for sure, they are still going to have to do a heck of a lot more volume than a mere $4 Million dollars a day to get any kind of foothold. Credit margins are thin and it is definitely a volume game. The standard infrastructure for payments is still embedded.
I also think they will ultimately have to address the “hardware encryption” question.
Whew. I’ve worked up quite an appetite, pondering all this drama. A cupcake could definitely ease my pain. Maybe I should make the drive to Canal Winchester for a safe snack. I’ll make sure to bring my credit card.