Square's Jack Dorsey: VeriFone's Security Hole Allegation "Is Not A Fair Or Accurate Claim"

As we heard this morning, VeriFone CEO Doug Bergeron wrote an open letter to consumers and the industry, warning users of a “gaping security hole” in mobile payments startup (and competitor) Square’s hardware. Bergeron actually went so far as to ask Square to recall all of its card readers and even contacted all of the major credit card companies, including Visa, MasterCard, American Express, Discover and JP Morgan Chase to alert them about the potential issue. Tonight, Square’s CEO Jack Dorsey has responded to VeriFone’s claims with a letter of his own (we’ve embedded the note below).

Dorsey says that VeriFone’s accusation is not an accurate or fair claim, as any encrypted card reader, phone camera, pen and paper can be used to copy or catch numbers from a credit card. He adds that Square is “designed to be used without worry” for consumers.

As he writes, “Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security.” Dorsey also highlights some of the security measures the startup already implements, including the ability to request an SMS message or email receipt from Square after every transaction with your card.

Earlier, Bergeron claimed that anyone can “skim” or steal personal information off of a credit card’s magnetic strip using the Square card reader with a hacked app and to illustrate the vulnerability, VeriFone even wrote a test app that can “skim” to prove their assertions. VeriFone says the flaw is in Square’s hardware, which the company says lacks the ability to encrypt credit card data, making it easy to steal.

Many cried foul on VeriFone’s “open letter” for a a number of reasons. First, Square is a threat to VeriFone’s PayWare Mobile product, so its intentions aren’t so pure when exposing this potential issue.

Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.

There are a number of flaws in VeriFone’s accusations, and as you can see from the chatter on Twitter most people are siding with Square on this one.

What clearly was a targeted attack (and perhaps a little bit of a smear campaign) on a competitor turned into a negative PR situation for VeriFone. If anything, most people were left with the feeling that VeriFone is very afraid of Square (the startup is growing fast) and used an underhanded tactic to bring down a competitor.

As we wrote in our earlier coverage, the gloves are off and this little incident shows that mobile payments are a highly competitive, and somewhat ruthless, space. Welcome to the jungle.

You can read the entirety of Dorsey’s note below:

A letter on credit card security and Square

Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.

Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to “skim” or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.

The bank that issues your credit card recognizes this and does not hold you responsible for fraudulent charges. When they are alerted to odd activity, they simply give you a call and will reverse the transaction. With Square, your credit card is designed to be used without worry, in more places than ever before.

Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction.

At Square we work tirelessly to remove all complexity from accepting credit cards. That includes removing every concern around security. We thank you for your increasing support to make Square the leading way to pay with a credit card, safely.

Jack Dorsey
CEO, Square