Square “Violations”


16 March 2011 (Updated 17 Mar)

My top issue with mobile swipe is clearly customer behavior and potential data loss. I’ve been asked to provide a basis to decline Square transactions (debit particularly) so, rather than sending out multiple e-mail responses, I thought I would share.

Issuer Top 4 reasons to decline Square

  • PABP/PCI compliance
  • Collection and use of ancillary customer information
  • Paper Signature requirement
  • Chase has all of the equity upside

Visa developed the Payment Application Best Practices (PABP) in 2005 to give software vendors guidance in developing payment applications that help merchants and agents mitigate compromises and prevent storage of sensitive cardholder data.

http://usa.visa.com/download/merchants/validated_payment_applications.pdf

Phase V of PABP went into effect on July 1, 2010. This phase required all Acquirers to ensure that their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP/PCI DSS is available at www.visa.com/pabp. Note that Square is missing from the list; how can Chase acquire for a merchant/aggregator that is in clear violation?

UPDATE 17 Mar (thanks Bob Egan): Evidently PCI has revoked certification of all mobile swipes until new rules have been created. See related post: http://storefrontbacktalk.com/securityfraud/pci-council-confirms-multiple-mobile-applications-delisted/2/

From the Visa Operating Reg (pg 428):

While Square does not “require” a mobile number or e-mail address, it collects them at the time of the transaction (plus your location). As this information is associated with the transaction, it must be managed within PCI. The business risk here is that Square will use the address and location information for something else, or that Chase gets the e-mail address of all of your card customers. This is why the rules were created: so this does not happen.

Last is the Visa requirement for paper receipts. From Visa’s Transaction Acceptance Device Guide:

Chase bears all of the burden here; I hope they have taken a holistic view of the fraud and data compromise risk, not just for approving their own cards but for every card ever swiped by Square. Advanced fraud schemes take 18 months to 2 years to develop, so it may take some time for the risk to materialize and for them to pull back. Chase, these future losses will easily wipe out the 15% of Square equity that you hold. Perhaps they are moving so aggressively here because one of their key partners (i.e. Apple) is falling down in NFC. Which brings to mind the larger question: Is Chase anti-NFC?

Remember that just 4 weeks ago all of the US banks were looking at a future where ISIS would control NFC on the handset. Perhaps this is Chase’s way of developing an alternate strategy to address NFC’s biggest weakness: infrastructure. If this is true, then Chase, I apologize: your strategic play here was indeed valid. As of this month, we are looking at an ISIS crash and burn and NFC control with RIM, Google and Nokia. My hope is that Chase will abandon Square once the threat of MNO control over payments has been eliminated.

Recommendation for banks

  1. Educate your customers: DO NOT give your personal information out when you use your card.
  2. Start to educate your customers on mobile payments in general: how will it work?
  3. Encourage use of credit over debit: greater consumer protection and better margin for you.
  4. Set some common-sense rules: use your card with trusted vendors (Apple, grocery, … ).
  5. Educate your customer-facing employees, from branch to call center.
  6. Think about your small business value proposition: how can you help small businesses accept cards?
  7. Issuers, think about declining Square transactions, particularly for debit.

Mobile Swipe: Risk is Behavior … not Security


11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe-based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (outside of the US), I also led sales and marketing for a little start-up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Eliot Ness (famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch Me If You Can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down: one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well-organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales… a specialization of labor. Phishing was a great success, as customers responded to e-mails that looked legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks. The point is that this is a dynamic war taking place, and bank fraud teams are the “special forces” that crack the code. The online fraud environment is the most complex battlefield of all.

It takes resources to win any battle. To give you an idea of the size of the risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, PayPal, Amazon and Apple all have world-class teams and resources in this area… thus they seek both higher margin (i.e. risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well-known axiom applies: if a hungry bear comes into your campsite, you don’t have to be faster than the bear, just faster than all of the other campers.

There is no single solution for all of this fraud; it is a constant battle, and the weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US, if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN… your card is never out of your sight.

Example story from yesterday:

Groups of brilliant fraudsters created small mini-kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines… “Clean your credit cards for free.” I’m not making this up; people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe; we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take magstripe because of the US tourist dollars.
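The way an issuer’s fraud team typically finds a skimming point like those “card cleaner” kiosks is common-point-of-purchase analysis: take the cards later reported for counterfeit fraud, look back at where each of them was used before the fraud started, and rank merchants by how many of their cards were subsequently compromised relative to the portfolio baseline. The following is an added example, not code from the post or from any bank or vendor named in it; the transaction records, the fraud reports and the merchant names (`cleaner_kiosk_X`, `grocery_A`, `grocery_B`) are all constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample authorization history (not from the post):
# (card_id, merchant_id, transaction_date). In practice this is the
# issuer's own cleared-transaction data.
TRANSACTIONS = [
    ("card1", "grocery_A",       date(2011, 2, 1)),
    ("card1", "cleaner_kiosk_X", date(2011, 2, 3)),
    ("card2", "cleaner_kiosk_X", date(2011, 2, 3)),
    ("card2", "grocery_B",       date(2011, 2, 4)),
    ("card3", "cleaner_kiosk_X", date(2011, 2, 5)),
    ("card3", "grocery_A",       date(2011, 2, 6)),
    ("card4", "grocery_A",       date(2011, 2, 7)),
    ("card5", "grocery_B",       date(2011, 2, 8)),
    ("card6", "grocery_A",       date(2011, 2, 9)),
    ("card6", "grocery_B",       date(2011, 2, 9)),
]

# Constructed fraud reports: card_id -> date the first counterfeit
# transaction was reported. Only usage *before* that date can have
# been the point where the card data was captured.
FRAUD_REPORTS = {
    "card1": date(2011, 2, 20),
    "card2": date(2011, 2, 22),
    "card3": date(2011, 2, 25),
}


def common_point_of_purchase(transactions, fraud_reports, min_cards=3):
    """Rank merchants as candidate compromise points.

    Returns a list of (merchant, compromised_cards, total_cards,
    compromised_share, lift_over_baseline), highest share first.
    Merchants seen by fewer than min_cards distinct cards are skipped
    so that a single coincidental card cannot top the list.
    """
    cards_at = defaultdict(set)        # merchant -> all distinct cards seen
    compromised_at = defaultdict(set)  # merchant -> cards later reported
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        cards_at[merchant].add(card)
        reported = fraud_reports.get(card)
        if reported is not None and when < reported:
            compromised_at[merchant].add(card)

    # Portfolio baseline: share of all cards that were reported at all.
    baseline = len(set(fraud_reports) & all_cards) / len(all_cards)

    ranked = []
    for merchant, cards in cards_at.items():
        if len(cards) < min_cards:
            continue
        hit = len(compromised_at[merchant])
        share = hit / len(cards)
        lift = share / baseline if baseline else float("inf")
        ranked.append((merchant, hit, len(cards), share, lift))
    ranked.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, hit, total, share, lift in common_point_of_purchase(
        TRANSACTIONS, FRAUD_REPORTS
    ):
        print(f"{merchant:16s} {hit}/{total} cards compromised "
              f"share={share:.2f} lift={lift:.2f}x")
```

On the constructed data every card that touched `cleaner_kiosk_X` was later reported, while the two grocery merchants sit at or below the portfolio baseline, so the kiosk surfaces at the top with a 2x lift. Real analyses add a look-back window and a minimum lift threshold before a merchant is escalated, because a busy legitimate merchant will always share some cards with any fraud population.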

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for your name and phone number and put it in her phone prior to authorizing your transaction, would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but will establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: the card business wants to grow transaction volume; the fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (with CVV), and obtained your phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software, or even try to submit a transaction. They would give the food away for free just to get the data. Once I have this data, I could send it within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope; people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure: your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over their card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No. You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline Square transactions. My guess is that at least 2 major banks will begin to decline all Square transactions within the next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.