Payments vendor VeriFone has accused upstart Square of posing a serious security threat to users, claiming its rival's hardware can be easily turned into a skimming device by crooks and used to steal card details.
The brainchild of Twitter founder Jack Dorsey, Square provides merchants with a piece of plastic that fits in to the headphone jack of Android-based handsets, iPhones and iPads, and acts as a card swipe for processing payments.
Only last week Dorsey took to Twitter to boast Square is now processing $1 million per day, while it is also reportedly signing up to 100,000 merchants for the service each month.
However, in an open letter, Verifone CEO Douglas Bergeron accuses Square of "serious security flaws" that put "consumers in dire risk". Bergeron claims that a programmer can easily write an application in under an hour to steal card details using the Square readers.
"How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this," says the letter.
This is possible because the hardware is poorly constructed and cannot encrypt card data, opening up an opportunity for crooks posing as merchants.
As well as the open letter, Verifone has posted a video running through its claims and sent a copy of the skimming app to Visa, MasterCard, Discover, American Express, and Square card processor JP Morgan Chase.
"We call on Square to do the responsible thing and recall these card skimming devices from the market," concludes the letter.
Dorsey insists Verifone's allegation is "not a fair or accurate claim and it overlooks all of the protections already built into your credit card" and that "our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader".
"Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to "skim" or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to-no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card," he argues.
Meanwhile, Intuit has told Finextra that its Square-like GoPayment system offers strong encryption - whether merchants use its iPhone sleeve hardware or the dongle that plugs into smatphone headphone jacks.
Says the vendor: "Security is key for Intuit offerings and GoPayment is no exception. Data is encrypted on the GoPayment app and also via all supported credit card readers. GoPayment protects data during transmission using the same technology as the financial services industry standard set forth by the Payment Card Industry (PCI) using an https connection over SSL at 128-bit encryption. At the same time, GoPayment never stores credit card information on your phone and a unique user ID and password is required to use GoPayment."
Finextra verdict The digital Twitterati are up in arms over VeriFone's attack. Most seem to think that VeriFone is running scared of a disruptive competitor to its own PayWare Mobile product and that in publishing its letter the company has scored a massive PR own goal. Over here at Finextra Towers we're not so sure. In the open marketplace it's not Silicon Valley opinion that counts but popular consumer sentiment. The banks and card schemes have done a good job of warning the public about the security threat to card-based products. Let's put it this way: If you were approached by a market stall trader brandishing a mobile phone with a Square reader would you be happy to hand over your card? Our advice: Use cash - it's safer.