Mar 27, 2011, 5:04pm

An Open Letter to the Payments Industry: Square vs. VeriFone

by Annmarie D. (Mimi) Hart

Recently, Verifone’s Doug Bergeron called on Square, a start-up company that provides a free credit card reader to small businesses and individuals, to recall its products because they are insecure and pose a great threat to the payment industry.

Bergeron argued that encrypting readers are more secure. On that point, he is right. However, both the Square product and Verifone’s lack another essential ingredient in the battle against fraud, and that is an authentication feature.

The Square product has no encryption. It transmits the magnetic stripe data image to the phone, through the audio jack, where the Square application decodes the image and translates it into actual cardholder data. The application then sends the data over the Internet for processing.

Unlike Square, the comparable Verifone product has encryption in the “sleeve like” device that attaches to the phone. The cardholder data is encrypted in this device before it enters the phone.

It’s true the Square product is far less secure. Since there is no encryption, a hacker who has received a free Square card reader can look at the stripe’s image and translate it to real card data. This is what Verifone said it had done in less than an hour. We can confirm what Verifone had to say on this subject. In fact, a college student developed a similar program and delivered it to MagTek. It is so easy to do that undoubtedly many other intelligent students and enterprising hackers have discovered this flaw and are exploiting it today. There are probably hundreds of rogue applications out there that are very capable card skimmers.

Personal card information can be captured by Square readers and transmitted within minutes to card cloning centers, whereas the Verifone product impedes this type of fraud. However, both products will read a cloned card and send the data off for authorization. This is a far larger fraud problem, which encryption cannot solve.

We, as consumers, do not get a great deal of added protection because Verifone uses encryption. The fact is cards can be cloned in too many other places. There are false-front ATMs, tampered gas pumps, rogue POS terminals, large databases, and pocket skimmers. When cloned cards are used to commit fraud, we all suffer.

Although most card issuers will stand behind the legitimate cardholder and offer $0 liability for transactions that originate from counterfeit or cloned cards, there are other consequences which cause consumers untold aggravation, including affidavits, police reports, credit report monitoring, endless phone calls, bounced checks, and lost wages. No one can adequately console or compensate the consumer for this kind of anxiety and hassle.

Cardholder data on the magstripe is not encrypted. It’s virtually identical to the data printed or embossed on the card. It can be easily copied from one card to another. Skimming and data breaches simply cannot be prevented. There is a better solution: cloned cards can be recognized and rejected. The problem with both Verifone and Square readers is that neither can determine if a card is counterfeit, because they both lack an authentication mechanism. Verifone believes itself noble for providing encryption in its readers, but ironically, it will encrypt and protect both genuine and counterfeit cards equally well.

True consumer protection demands that the payment community authenticate the payment card and the data on it. With the means to determine that a card is genuine and that the account data has not been altered, fraud can be stopped in its tracks, saving billions of dollars annually. If fraudsters cannot use the pirated data, the fun and profit are removed from the equation along with the incentive to steal it. Dynamic authentication does just that. It makes stolen data useless to criminals. Encryption, while useful, cannot carry the day.

Ellen Richey, the Chief Enterprise Risk Officer at Visa, Inc. has called for dynamic authentication and a multi-layered approach to payment security. In a recent statement she said, “Instead, the solution is to adopt dynamic data authentication technologies: technologies that rely on dynamic data elements which – even if stolen – cannot be used in the next transaction and therefore cannot be used to commit fraud. By introducing dynamic data elements and using technology to authenticate those data elements in real time, we can create point-of-sale environments that contain no information valued by criminals and therefore are no longer the targets of criminal attacks.”  
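The property Richey describes, data that is useless in the next transaction even if stolen, can be shown with a small issuer-side model. The following is an added illustration, not code from the original letter and not MagTek’s, Verifone’s or Visa’s method; it assumes a generic scheme in which each swipe carries a keyed MAC (HMAC-SHA256) over the account number, a per-card counter and the amount, with a per-card secret held by the issuer. The class names, the sample PAN, track string and key are all constructed for the example. A verifier that checks only static track data accepts a clone; the dynamic verifier accepts a genuine swipe once and rejects a replayed or altered one.

```python
import hmac
import hashlib


class StaticVerifier:
    """Models today's magstripe authorization: the host only checks that the
    presented track data matches what it has on file. A cloned card carries
    the same static bytes, so it is indistinguishable from the genuine card."""

    def __init__(self, cards_on_file):
        self.cards = cards_on_file

    def authorize(self, pan, track_data):
        return self.cards.get(pan) == track_data


class DynamicVerifier:
    """Models dynamic data authentication (assumed scheme, not the page's):
    each swipe carries a cryptogram over (PAN, per-card counter, amount) keyed
    with a per-card issuer secret. Counters must strictly increase, so a
    captured swipe cannot be replayed, and the MAC binds the amount."""

    def __init__(self, issuer_keys):
        self.keys = issuer_keys
        self.last_counter = {pan: 0 for pan in issuer_keys}

    @staticmethod
    def cryptogram(key, pan, counter, amount):
        msg = f"{pan}|{counter}|{amount}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def authorize(self, pan, counter, amount, presented):
        key = self.keys.get(pan)
        if key is None:
            return False
        if counter <= self.last_counter[pan]:
            return False  # replay or rolled-back counter
        expected = self.cryptogram(key, pan, counter, amount)
        if not hmac.compare_digest(expected, presented):
            return False  # cryptogram does not match these fields
        self.last_counter[pan] = counter
        return True


class GenuineCard:
    """Holds the per-card secret and advances its counter on every swipe.
    Anything observing the reader output sees only the cryptogram, never the key."""

    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0

    def swipe(self, amount):
        self.counter += 1
        crypt = DynamicVerifier.cryptogram(self.key, self.pan, self.counter, amount)
        return (self.pan, self.counter, amount, crypt)


def demo():
    # Constructed sample values; the PAN is a test number, not a real account.
    pan = "4000000000000002"
    key = b"constructed-per-card-issuer-secret"
    track = "B4000000000000002^DOE/JANE^25121010000000000000"

    static = StaticVerifier({pan: track})
    dynamic = DynamicVerifier({pan: key})
    card = GenuineCard(pan, key)

    # Static check: a clone presenting identical track bytes is accepted.
    static_accepts_clone = static.authorize(pan, track)

    # Dynamic check: one genuine swipe is accepted ...
    genuine_swipe = card.swipe(50)
    genuine_ok = dynamic.authorize(*genuine_swipe)
    # ... a replay of that captured swipe is rejected by the counter rule ...
    replay_ok = dynamic.authorize(*genuine_swipe)
    # ... and reusing the captured cryptogram with a new counter and amount fails the MAC.
    swipe_pan, ctr, _, crypt = genuine_swipe
    tampered_ok = dynamic.authorize(swipe_pan, ctr + 1, 500, crypt)
    # The next genuine swipe still authorizes normally.
    next_ok = dynamic.authorize(*card.swipe(20))

    return {
        "static_accepts_clone": static_accepts_clone,
        "genuine": genuine_ok,
        "replay": replay_ok,
        "tampered": tampered_ok,
        "next_genuine": next_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the letter's own: the static verifier has no way to tell the clone from the original, whereas the dynamic verifier needs nothing from the card except a value that changes every swipe, so captured data has no resale value. Real deployments would also need key management at the issuer and a policy for counters that drift (for example offline swipes), which the toy omits.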

This type of security is available today, to protect magstripe transactions, without radical changes to our payment system, and without a move to an “EMV Chip and PIN” system. The ordinary magnetic stripe cards in your wallet today carry dynamic card data, which can be read, authenticated and used to stop fraud in real time. The only change required is a minor modification to the small read module inside the Verifone and Square readers. The industry can take advantage of dynamic authentication now without changing anything about the card itself, how it’s manufactured or the cost to manufacture it.

PricewaterhouseCoopers, in its Emerging Technology Research report to the Payment Card Industry Security Standards Council, noted that authentication by “dynamic payment card data has the potential to eventually eliminate the need for PCI-DSS.” PCI-DSS is a security standard widely thought to be ineffective, capricious, expensive, and despised by merchants. The council’s mission is to ensure compliance with its standard, rather than combat fraud. We, as an industry, must align and strive to combat fraud.

Fraud is the problem, not skimming and data breaches. As an industry, we have the power to stop the fraud and make stolen cardholder data useless by means of dynamic authentication. Encryption is good, but by itself, not enough to protect cardholders.

Doug Bergeron is an industry leader. He knows it will take an industry-wide cooperative effort to implement a standardized authentication system, which has the power to eliminate magstripe card fraud and assure continued confidence in the payment system. I call upon him and the entire payment community, including Square, to join MagTek in the campaign to wipe out counterfeit card fraud. We need to acknowledge the root cause of fraud and build a system that can truly protect cardholders and put criminals out of business. Encryption plus authentication is the answer.

Annmarie D. (Mimi) Hart
President & CEO
MagTek, Inc.
1710 Apollo Court
Seal Beach, CA 90740

Mimi.Hart@MagTek.com

Comments

  • I think even though Square in its current form will be a short-living phenomenon it will create long lasting consequences.
    In my view what might be a bit creepy about Square and similar "alternative" solutions is that they are breaking the stereotype of what a legitimate payment terminal is and how a merchant should get it. Every day more and more variations appear on the market and both cardholders and merchants might soon get confused and then finally become easier targets for criminals.
    You would not know any more if that little box attached to a phone (or a tablet, or a PC) is doing what you hope it is doing with the card data.

    Posted by Victor Bezkorovainyi, 01/04/2011 1:20pm (1 year ago)

  • As a payment software developer I have spent many hours and money getting our application certified and PCI compliant and am currently working on getting mobile Chip and Pin devices ready. I have to say that the Square takes all that time, effort and money we have spent and makes it insignificant; if this product is approved and gets on the market then all bets are off for security in the mobile payment area in the USA. It clearly opens the door for a huge amount of fraudulent activity while also not having to go through a background check or credit check; again, it almost makes PayPal a useless piece of software.

    Posted by Marc Cashman, 01/04/2011 1:18pm (1 year ago)

  • What MagTek is offering in its solution is a very good solution but it's a little late. If they were here 10 years back, the banks would have preferred this solution to converting to Chip Cards, where the investments are very costly compared to what ...MagTek has to offer. The chip cards of today are able to offer more than just the card information as they allow multiple applications. It's up to the various institutions like Visa Int'l, Mastercard, Amex etc. to work this into their programs. We can't be having chip-based cards with mag stripe at the same time - it's costing the franchisees lots of money.

    Posted by David Neo, 31/03/2011 2:42pm (1 year ago)

  • Ellen Richey's quote in this column pointing to the importance and value of dynamic authentication technologies is timely. We at M2 received notification this week (3/29) from the USTPO of the issuance of our patent on card security technology that creates a single-use unique CVV2 for each online transaction. This technology, unique in the industry in its ease of use for the consumer, is an example of the direction Ms. Richey advocates.

    Posted by Craig Taylor, 30/03/2011 9:46am (1 year ago)

  • Hello, Mimi.

    Magnetic stripes are easy enough to copy without use of the Square device. Anyone with a neighborhood Radio Shack knows that.

    Magnetic Stripe Dynamic Data Authentication sounds hopeful, if it works and can be easily adopted by the tens of millions of POS terminals in use.

    During my time at Visa, we looked at many promising proposals for magnetic stripe data that could not be copied but found that none of them worked.

    I am interested to hear more about dynamic data but I suspect that the method is not documented for all to read, the secrecy of the method being key to the success of the authentication process.

    Posted by Scott Harrison, 28/03/2011 9:15pm (1 year ago)

  • Reading the comments made in favor of Chip and Pin, I should suggest gentlemen thinking that way review their business case.
    - EMV implementation is extremely expensive
    - EMV has failed, worldwide (see Europe, and in particular the UK case), to stop fraud with skimmed cards, with just some minor mitigation when reaching 70%+ of deployment, because to be effective it MUST be ubiquitous (which has not happened in 20 years nor will in the foreseeable future)
    - EMV, yes, is very good for sophisticated loyalty applications at the point of contact, but expensive in excess to just mitigate some fraud, while other solutions are, yes, cheap and effective. Hope soon brands will openly support it, recognizing their value to stop fraud.

    Posted by Alberto Mussard, 28/03/2011 3:23pm (1 year ago)

  • The solution for fraud is clear = encryption + authentication, as very well depicted in the article above.

    The challenge for the industry is to do the work now, with existing magnetic stripe cards, and stop thinking about new costly technologies that could perhaps be future enhancements.

    Posted by Raimundo Bordagorry, 28/03/2011 3:10pm (1 year ago)

  • We are developers of an iPhone credit card application and card reader. When we determined to create our product we purposefully went about it to ENHANCE the fraud protection, not simply get by with the current standards. In doing so, we met with MagTek and implanted their secure reader into our product.

    Thank you Mimi for your article. We couldn't agree more.

    For more information about Simply Swipe It visit www.simplyswipeit.com.

    Posted by Charles Greer, 28/03/2011 1:06pm (1 year ago)

  • She couldn't pass on the "opportunity" to pitch her own product, could she? If only she had told the whole truth about it... The fact is that both VeriFone and MagTek have competing technologies for end-to-end encryption of magnetic stripe data as well as for what's known as "magnetic fingerprinting", which can help identify cloned cards, but the card networks have already tested it in several market trials and dismissed it for several reasons; here are the most relevant:
    1) the fact that they're both proprietary, and global payment systems should be based on open standards, like EMV, to assure interoperability and therefore acceptance everywhere, not to mention that they can't really be considered dynamic authentication methods
    2) the additional total cost of implementing this technology on POS and ATM readers and host systems doesn't present a real advantage as compared to implementing EMV chip cards, which allow for multiple applications and real dynamic authentication
    3) soft enrollment of existing cards into these solutions actually allows for cloned cards to be accepted as originals since there's no authentication of the cardholder, unless they use their PIN at the issuer ATM, but not all issuers own ATM networks, so only a hard enrollment done by the time the card is issued could avoid the problem of false enrollments; fixing these problems is costly in many ways for the issuers and the consumers, and then again, replacing a card takes the business case for these solutions down the drain: it only costs 15% to 20% more to replace a magnetic stripe card with an EMV chip card, because the replacement cost is more than just the card; the card itself is about a third of the total cost of replacement
    4) the whole world is going to EMV chip cards, there's more than a billion of them already, so why change the infrastructure to keep magnetic stripe cards around?

    EMV chip cards are the way to go, with or without PIN.

    Posted by Marcelo Gomes, 28/03/2011 12:30pm (1 year ago)

  • I do not understand! Why, if the "Authentication" information is wide open on the mag strip, can it not be fully copied onto a clone? What makes the original so identifiable as original and not a clone, or the clone not identifiable as the original? Why is the move to chip and pin being so resisted?

    Posted by John Brooker, 28/03/2011 10:38am (1 year ago)