Square To Beef Up Card Reader Security This Summer (And VeriFone Wasn't So Wrong, After All)

Yesterday was a big day for hot mobile payments startup Square. The company announced that it received a strategic investment from Visa, giving the company a big stamp of approval. And it also announced something that got far less attention: Square will be releasing a new card reader (the thing you plug into your phone) this summer, and it will use encryption at the read head. The news was announced with little fanfare by Square Security Lead Sam Quigley during a panel at the Visa Security Summit. But it’s important for a couple of reasons.

First is the fact that just last month, rival (and much larger) payments company VeriFone lobbed a heated accusation at the startup: it said that Square should recall all of its readers because they didn’t encrypt credit card data, making it easy for thieves to skim the information. Square CEO Jack Dorsey battled back, stating that VeriFone’s accusation that their reader was insecure was “not a fair or accurate claim and [that] it overlooks all of the protections already built into your credit card.” Dorsey also outlined all the ways that credit card fraud could still be committed, regardless of encryption, and explained that users aren’t responsible for fraudulent charges regardless.

But now we have Square doing almost exactly what VeriFone was crying foul on. So what gives?

In a blog post that appears on the Visa Security Summit website, Square COO Keith Rabois writes that the company will be adopting Visa’s new set of mobile application best practices — which were also released yesterday. From Rabois’s post:

“The adoption of best practices will help increase trust in innovative payment solutions. Of course, Square complies with all current industry standards, and we are committed to meeting or exceeding industry guidelines as they evolve.”

Square’s endorsement of the Visa guidelines the same day as the funding news is obviously no coincidence. And among these best practices is a requirement that these applications “encrypt all account data including at the card-reader level and in transmission between the acceptance device and the processor…” That explains, at least in part, why Square will be shipping a new reader.

But what does that mean for the hundreds of thousands of existing Square card readers? When I spoke with him earlier today, Rabois said that Square is still more secure than the vast majority of card readers in the field, alluding to the additional features Square offers, like the ability to receive text and email notifications after each transaction. In other words, he’s still refuting VeriFone’s claims that Square needs to recall the existing reader. He also says that the new encrypted read head is just one of the new features that will be included in the new Square device this summer (which is actually the third iteration of the card reader).

When I asked if this meant Square users would have to replace their existing readers, Rabois declined to get into specific details (it sounds like the plan is still being worked out). However, even if Square does wind up having to distribute a new batch of readers, the relatively inexpensive per-unit cost probably won’t have a major impact on them — though it could still be an inconvenience for users.

In a statement, CEO Jack Dorsey added:

“Security and consumer trust are fundamental to our success. Square is committed to offering merchants a way to accept electronic payments that are secure, reliable and in compliance with the security standards for the global payments industry.”