The Square is PCI Compliant with a question mark

Based on my last post, I did some more research and had some great dialog with a support guy at Square. They were responsive, cooperative, and yes – PCI compliant. If you missed my previous post on the Square, you can read it here.

Square’s response to my questions arrived in my mailbox early Monday morning. I submitted on Saturday as a routine request and didn’t expect an answer before that. The gentleman that replied was responsive to my questions about the mobile device’s PCI compliance and some very productive email dialog followed.

In response to my original question, Square responded…

Thanks for writing in. We have manufactured two different card readers at Square. With the newest design, we now perform data encryption within the card reader itself, whereas we previously encrypted credit card data within the mobile device. The older models are no longer produced.

Rest assured, all credit card data is encrypted and submitted to our servers securely, regardless of the Square card reader you use, and we comply with all applicable PCI standards.

As you are aware, Square meets Level 1 PCI Data Security Standards. You can find Square listed as a secure service provider here: http://www.visa.com/splisting/searchGrsp.do

We are currently a member of the PCI Security Standards Council’s Mobile Task Force, which is helping to define industry standards for mobile payments.

I hope this answers any security concerns you may have, but please let me know if you have any other questions.

Hubert
Square Support
squareup.com/help

I checked the link provided and, yes, Square is listed as PCI-DSS compliant by Visa, as verified by Coalfire Systems, Inc., which is also the assessor for the likes of Amazon, Heartland, NCR and others.

Naturally, my follow-up question was how the older and newer devices could be distinguished and, if a merchant discovered that he had an older model, whether Square would provide a new one and at what cost. Not only did I get a detailed description, Hubert actually photographed the two devices and annotated the picture for me.

Thanks for your reply, I’m glad to help. The older and newer readers are noticeably different, as the newer readers are a bit deeper (thicker back) and have a seam that runs around the border of the thickest part.

The older readers are thinner and do not have this visible seam.

Merchants are able to place an order for a new, complimentary Mobile Card Reader from their Square Dashboard at any time by following these instructions:

1. Log in to your Square Dashboard at https://squareup.com/login.
2. Click the silhouette at the top-right of the page.
3. Click “Get a Card Reader” from the drop-down menu.
4. Update your shipping address and click “Ship Reader” to ship yourself a new card reader.

Square’s Mobile Card Readers are also available at participating retail stores, though you may find an old reader at retail stores, on occasion. To find a location near you, visit https://squareup.com/retail. While readers cost $10 at retail stores, you’ll find a $10 redemption code within the packaging, which you can enter at squareup.com/redeem. Note that you can redeem only one redemption code per Square account.

Hubert
Square Support
squareup.com/help

[Image: SquareCompare.jpg, annotated photo comparing the older (thin, no seam) and newer (thicker back, seam around the border) Square card readers]

Summary

So yes, the Square appears to be compliant with Visa. I can’t find any compliance listings on MasterCard’s web site at all and the Square is not listed on the PCI Council website as far as I can tell.

If you are using the Square, take a look at the comparison above and if you have the old one, take the steps described to get your new PCI compliant device and do it NOW.

What I still don’t know is whether or not our QSA will give us a high five on this when I tell them we’re going to start using it. I’ll let you know. If any of you are using the Square and are certified compliant (or NOT) I’d really like you to comment. Hopefully, Square will chime in with anything I’ve missed.

Posted in Payment Processors, PCI Compliance | 11 Comments

Is the Square PCI Compliant?

In our own business we’ve been taking a serious look at the Square as an alternative to our current payment card processing solution. There’s no question that hands down, the Square (www.squareup.com) is a convenient mobile solution. It’s just as clear that for the Card Present merchant it’s the most cost effective solution around. For the Card Not Present merchant, not as much but still a very reasonable rate.

[Image: Square-Card-Reader_800.jpg, the Square card reader]

We are a PCI compliant entity with a conventional POS and an additional wireless POS for an occasional need. As merchants, you’re certainly aware of the costs involved in payment card acceptance and processing and, when a mobile solution is added to the mix, it gets even more expensive. The Square is certainly attractive.

On the other hand, changing payment processors can get ugly. The last thing you want to do is go with a solution like Square and throw your current processor out with the bath water, only to discover that you are no longer PCI compliant.

I did some research, starting at Square’s website. According to the page presented from the “Security” tab on the menu, things look fine. They have advanced auditing systems, do lots of backups and all the other back office stuff you’d expect. They even claim to do some fraud screening, although understandably, they don’t go into any detail, so we don’t know how effective it might be. They also mention compliance, but not PCI. They adhere to “industry standards” for their network, website and client applications. At the bottom of the page they have a link to “Learn more about Square’s security standards and PCI compliance.” Here’s where it gets to the nitty gritty.

On this page we see that, “Square adheres strictly to industry standards to protect your business.” They tell us that they require encryption of stored data and all the other good stuff that most people understand. They also make the following statements…

  • Card-processing systems adhere to PCI Data Security Standard (PCI-DSS) Level 1.
  • Card processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1.

Good stuff, for sure.

I don’t claim to be a security expert, so I did more research. Maybe I’m wrong, but it looks like something is missing. Namely, the card reader device itself is not compliant, but it needs to be for the solution to be within the requirements. In other words, while their systems and applications are compliant, their hardware is not. They appear to be carefully avoiding the claim that they offer a PCI compliant solution.

Back in March of 2011 I blogged about the current state and future of these mobile solutions. Now is 2011’s future, so I went to the PCI Council website to see if anything has changed. Apparently not, because I couldn’t find the Square listed anywhere.

Am I misinformed? Am I missing something? Maybe. So I wrote to the security email address they give.

According to https://squareup.com/security/levels, your card processing systems and card processing applications adhere to PCI Level 1. This is all well and good. My research tells me, however, that you are not encrypting at the reader and therefore your reader is not a PCI compliant solution.

Of bigger concern is the fact that you are not listed as a compliant solution on the PCI Council website – https://www.pcisecuritystandards.org/. Given the above, we could assume that at some point in time your acquirer will shut you down and no longer allow you to process payments from your merchant customers. Many of those customers abandoned their more compliant processors for your solution and could be left out in the cold.

In addition, a merchant using your solution, as good as it may be, cannot certify their compliance because Square appears to be a non-compliant hole in the fence. How does a merchant justify your solution to their acquiring bank’s QSA?

Your response?

We’ll see what they have to say and you’ll read it in a new post. Of course the skeptic in me will assume that if they do not respond, I’ve called it right.

If any experts are reading this and would care to weigh in, comments are open!

Follow up

I had some email dialog with Square, the results of which can be read in my next post.

Posted in merchant, Payment Processors, PCI Compliance, Security Standard | 2 Comments

Testing Ten All-In-One POS Devices

Business Solutions and Genesis POS recently completed a test of ten all-in-one POS devices. No, they aren’t all the same. Some were more than twice as fast as others and CPU usage during testing varied greatly too.

Several other factors were considered in the testing as well, and recommendations for various types of merchant operations were made based on the tests. I would have liked to see a comparison matrix of the ten units but, if you’re contemplating a new all-in-one, touch screen POS, the article published in Business Solutions is a good place to start.

http://www.bsminfo.com/doc.mvc/all-in-one-pos-terminal-product-reviews-0001

Posted in e-Commerce, merchant

Some people shouldn’t give fraud prevention advice

Giving limited advice may be worse than giving no advice at all. Here’s an article that totally misses the important stuff that merchants need to know. My guess is that the writer did little, if any, research or used a pretty naive source.

The article listed just four fraud prevention tips that most on-line merchants knew about a decade ago. There was nothing on IP geo-location or PCI-DSS compliance! Let’s look at the four “Tips” the article mentions.

Look at the address

Well, of course. But they make a big deal of AVS, which most of us know is not all that reliable. And there is no mention of IP geolocation, that is, comparing the country or region of the originating IP address with the billing address on the order.
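To show what the missing check looks like in practice, here is an added example (my own illustration, not code from the article or from any processor) of an order screener that treats the AVS result as one weak signal and adds the IP geolocation comparison the article leaves out. The geolocation table, the orders and the scoring weights are constructed for the example; a real deployment would query a geolocation database and tune the weights against its own chargeback history.

```python
"""Order screening: AVS result plus IP-geolocation-vs-billing-address check.

Added example, not code from the article. The geolocation table, the
orders and the score thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed geolocation table: network -> (country, region).
# Uses RFC 5737 documentation ranges; a real screener would consult a
# geolocation database or service here instead.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "MA"),
    ipaddress.ip_network("198.51.100.0/24"): ("US", "CA"),
    ipaddress.ip_network("192.0.2.0/24"): ("RO", ""),
}

# Common issuer AVS response codes (assumed subset for the example):
# Y/X = street address and ZIP both match; A = street only; Z/W = ZIP only;
# N = neither. AVS only compares the numeric part of the street address and
# the ZIP, which is one reason it is a weak signal on its own.
AVS_FULL_MATCH = {"Y", "X"}
AVS_PARTIAL_MATCH = {"A", "Z", "W"}


@dataclass
class Order:
    order_id: str
    billing_country: str
    billing_region: str
    client_ip: str
    avs_code: str


@dataclass
class Verdict:
    decision: str          # "accept", "review" or "hold"
    score: int
    reasons: list = field(default_factory=list)


def geolocate(ip: str):
    """Return (country, region) for an IP from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, location in GEO_TABLE.items():
        if addr in net:
            return location
    return None


def screen_order(order: Order) -> Verdict:
    """Combine the AVS result with an IP-vs-billing-address comparison."""
    score = 0
    reasons = []

    # Signal 1: AVS. Only a full match earns zero risk points.
    if order.avs_code in AVS_FULL_MATCH:
        pass
    elif order.avs_code in AVS_PARTIAL_MATCH:
        score += 1
        reasons.append(f"AVS partial match ({order.avs_code})")
    else:
        score += 2
        reasons.append(f"AVS no match ({order.avs_code})")

    # Signal 2: where the order came from versus where the card bills to.
    location = geolocate(order.client_ip)
    if location is None:
        score += 1
        reasons.append("client IP could not be geolocated")
    else:
        country, region = location
        if country != order.billing_country:
            score += 3
            reasons.append(
                f"IP country {country} differs from billing country {order.billing_country}")
        elif region and region != order.billing_region:
            score += 1
            reasons.append(
                f"IP region {region} differs from billing region {order.billing_region}")

    if score == 0:
        decision = "accept"
    elif score < 3:
        decision = "review"
    else:
        decision = "hold"
    return Verdict(decision, score, reasons)


# Constructed sample orders for a stand-alone run.
SAMPLE_ORDERS = [
    Order("A1", "US", "MA", "203.0.113.10", "Y"),   # everything lines up
    Order("A2", "US", "MA", "192.0.2.5", "Y"),      # AVS passes, IP is abroad
    Order("A3", "US", "CA", "203.0.113.10", "Z"),   # ZIP-only match, wrong state
    Order("A4", "US", "MA", "10.0.0.1", "N"),       # no AVS match, unknown IP
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        verdict = screen_order(order)
        print(order.order_id, verdict.decision, verdict.score, verdict.reasons)
```

Order A2 is the case the article's advice cannot catch: the street address and ZIP pass AVS, so "look at the address" says accept, while the originating IP geolocates to a different country and puts the order on hold. The weights are illustrative; the point is that AVS alone should never decide an order.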

Verify Suspicious Information

Also good advice but the author suggests that getting the customer’s phone number and calling them to verify information is the only way to go. Sure, like the bad guys give us the real card holder’s phone number!

Look at the Orders Themselves

This one is accurate but, in my mind, it’s so common-sense that the author wastes space that might have been better spent on a little detail on how to do the first two.

Work the Banks and Credit Card Companies

The author apparently has never actually tried to do this and seems to think that the issuers will tell merchants everything they need to know.

I was going to comment on the website but they require a login. I didn’t see a link to register but if there was one, they probably wanted more information than I would be willing to give.

If you’re interested in looking at the article, you can find it here.

Posted in credit card fraud, Fraud Prevention Strategies, Fraud screening

A quick fix for fraud?

Apparently a judge in Massachusetts found a loophole in one of the fraud laws, and it needs to be plugged up quickly.

He totally dismissed payment card fraud charges because a debit card was used. The law only makes it illegal to use a credit card fraudulently.

The article suggests a quick fix by adding the words “debit card” into the law. I submit it isn’t enough. The law needs to read “payment card.” This needs to be looked at in every state before a lot of bad guys start getting away with some full-scale theft.

You can see the full article here.

Posted in credit card fraud, Debit cards, fraud trends, government accountability