Square Up update

Square looks to be sitting on about 5k-15k customers and is in a holding pattern until they resolve fraud and risk issues

11 Dec 2010 (updated)

Previous post http://finventures.wordpress.com/2010/03/02/squareup-take-4/

Today’s Telegraph (UK)

Dorsey is a marketing machine! It’s just amazing how much buzz he has been able to create (yes I am envious). The Square application is stellar from a customer experience perspective. Although appshopper shows them in the top 20 free finance apps (~1M downloads), I estimate they are sitting on only 5k-15k active customers (this is the nature of a “free” app).  It also seems that they are in a holding pattern until they resolve fraud and risk issues (I covered this in last blog). From their FAQ

Until recently, Square was facing a big hardware shortage, but that’s now coming to a resolution. The problem has transitioned to something we’ve been working on simultaneously, a credit processing and risk issue: we need to strengthen our underwriting infrastructure so that we can handle the huge demand for readers and still manage the risk of chargebacks and fraud. This is the last thing preventing us from shipping readers as fast as we’d like, and we have almost the entire team working on it. We look forward to sending you a Square!

My guess on the hold up? iPhone cannot be made PCI compliant without first encrypting the card BEFORE it gets into the iPhone (see the Verifone solution). As you can see from the Visa PCI DSS list, Square is certified in 3 areas:

  •  IPSP (E-commerce)
  • Payment Gateway
  • Process Magnetic-Stripe Transactions

 This means that Square’s data center is approved to handle card data in these areas (ex. not leaving card numbers sitting around unencrypted). This does NOT mean that the Square Application or Doggle have been certified. In fact, a search in the PCI org’s list of approved applications has no mention of Square. Where Verifone’s Payware is shown approved (below).

This is certainly a driver for PayPal’s recent partnership with Verifone to enable PayPal to act as merchant acquirer (see Verifone Press Release)

My (somewhat educated) guess is that Square must redesign the “Square” for encryption AND its Application AND get it certified by the issuers. This is a 12-18 mo process … as I said last year.  Of course I could be wrong on this.. perhaps they are indeed near certification. Assuming they do get the US mag stripe issues resolves it will not translate into any global adoption. I laughed quite a bit after reading the UK Telegraph article.. particularly given the EMV (Chip and PIN) requirements in EVERY country outside of the US.  So a new “redesigned” Square for magstripe won’t work in europe.. that is yet another design challenge with its own certification process. Who said payments was easy?

The card networks and issuers want Square to be successful, as increased card acceptance means increased payment volume. But there is a reason that acquirers and merchant agreements exist. Fraud usually is 18mo-2 years behind a new payment method as its not worth the fraudsters time (and resource) to invent a compromise. Square will face unique risks not seen before by any acquirer. For example:  merchants accounts denied by other acquirers, physical card fraud rings, skimmers looking to take the cards and auth codes for use off line, virtual card fraud rings looking to “pump” card data through 100s of easy to set up Square accounts.

Square has a use, but the market is small. I expect many small merchants to give the service a try, but once they realize that it takes 30-60 days to settle and that they have a new burden (under reg z) for returns and consumer transaction dispute (ex reserves) they will decide that the headache is not worth it.  In other words they will face the same barriers that the large acquirers have in moving down market.  Dorsey was in a WSJ video yesterday outlining potential benefits for issuers using square. This is a soft repositioning of his company for a potential exit. He knows that the market is limited and is hoping for alliance plays with large issuers/acquirers. Banks are certainly in a better position to roll this out.. particularly because of their ability to manage card risk (but customer support is a “little” more robust as well). As I stated previously, smart money would wait for Dorsey to gain adoption and struggle through the issues before investing.

The problem that Dorsey is trying to solve is core to the acquiring business: how to grow card use among small merchants. Question remains on whether this is this a “technology problem”, or a business problem? For banks wanting to dip their toes in the technology: it is already available through teams like Verifone. For Small Merchants with a need for a convenient easy to use method for accepting cards:  go to www.paywaremobile.com and sign up with FirstData. For consumers: think twice about giving your card to the hot dog vendor..   banks own the risk (in the US), but there is still a big hastle in shutting down your account.

As I stated in my Jan 2010 blog, Square presents a risk to the payment system

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuer’s have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link) customer would see their card transaction declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer.  Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea for potential mis-use see you tube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?