Verifone Builds Square Fraud App in 1 hour

I took a look at my blog stats today… and they went through the roof.

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square dongle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

The YouTube video was just pulled… you can still view it at http://www.sq-skim.com/

Chase Paymentech is Square’s acquirer, and I spoke to them specifically about the Square risks last year. This is an industry issue, as stolen cards and fraud generate both issuer losses (card-present transactions) and a tremendous hassle for customers. I don’t understand why Chase supported this thing… I was told last week that Square’s fraud is off the charts. As I said 16 months ago, in January 2010:

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link), customers would see their card transactions declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered; Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer. Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea of the potential for misuse, see the YouTube video below… crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Update Thurs Mar 10

Networks are dependent upon everyone following the same rules. Rules are what make networks work, and are essential in “trusting” the transactions coming in. PCI rules were agreed to by all… Square’s reader does not comply, nor does its iPhone app. That said, we have a very mixed bag of incentives within the current card networks. Banks and the networks want Square to succeed, as it will drive more transaction volume AND drive card use further down market with small merchants… see Visa’s blog:

http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/

Bank margin is driven by the ability to manage risk. This is the nature of banking. Within credit cards, big banks like Chase have tremendous experience in fraud and risk… they seek both higher margin and volume. Chase is comfortable with the risk it is enabling with Square as both issuer and acquirer. However, its acquiring relationship with Square (through Paymentech) enables fraud to enter the network, and other banks may not have updated their authorization rules to accommodate it. For example, Bank of America certainly wants to increase transaction volume… but is it willing to pay the price of BOTH fraud loss AND of encouraging a change in customer behavior (giving their cards to anyone with an iPhone and a card reader)?

From my background at 41st Parameter, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. This will be an active discussion for them today. Bank decisions are caught up in the business dilemma of how to respond to Durbin, as well as their own mobile strategies and EMV perspective. Fraud usually develops once critical mass is reached, as fraudsters don’t want to waste their own resources developing a compromise unless there is volume. My view is that Square’s reader and iPhone application are clearly not compliant with PCI rules and that Visa and Mastercard must shut them down. They have no choice.

Perhaps a story is in order to talk about potential impact. Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores and vending machines… “Clean your credit cards for free”… I’m not making this up… people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe… we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars… and claim that we are responsible for their fraud (they have a decent case).

Verifone’s 1 hour fraud app (www.sq-skim.com) is not a technology issue as much as a behavior one. A good crook would probably spend a few days developing an iPhone app that asked for your PIN… and took a picture of the back of your card with the CVV. I noticed in Square’s response that they also (normally) ask customers for phone number and e-mail address. This data is beyond the wildest dreams of fraud organizations. I can just imagine a fraud ring setting up hot dog or ice cream stands that only take cards… and sell the ice cream for $0.50… they would never even use Square’s software… or even try to submit a transaction. They would give the food away for free just to get the data.

As a side note, Square is not winning against Verifone. Square has only 5k-10k active merchants (see blog) and $200k in revenue per MONTH… so let’s stop this thing before it goes viral.

Square Up update

11 Dec 2010 (updated)

Previous post http://finventures.wordpress.com/2010/03/02/squareup-take-4/

Today’s Telegraph (UK)

Dorsey is a marketing machine! It’s just amazing how much buzz he has been able to create (yes, I am envious). The Square application is stellar from a customer experience perspective. Although AppShopper shows them in the top 20 free finance apps (~1M downloads), I estimate they are sitting on only 5k-15k active customers (this is the nature of a “free” app). It also seems that they are in a holding pattern until they resolve fraud and risk issues (I covered this in my last blog). From their FAQ:

Until recently, Square was facing a big hardware shortage, but that’s now coming to a resolution. The problem has transitioned to something we’ve been working on simultaneously, a credit processing and risk issue: we need to strengthen our underwriting infrastructure so that we can handle the huge demand for readers and still manage the risk of chargebacks and fraud. This is the last thing preventing us from shipping readers as fast as we’d like, and we have almost the entire team working on it. We look forward to sending you a Square!

My guess on the hold up? The iPhone cannot be made PCI compliant without first encrypting the card data BEFORE it gets into the iPhone (see the Verifone solution). As you can see from the Visa PCI DSS list, Square is certified in 3 areas:

• IPSP (E-commerce)
• Payment Gateway
• Process Magnetic-Stripe Transactions

This means that Square’s data center is approved to handle card data in these areas (e.g., not leaving card numbers sitting around unencrypted). This does NOT mean that the Square application or dongle have been certified. In fact, a search of the PCI Council’s list of approved payment applications has no mention of Square, whereas Verifone’s PAYware is shown as approved (below).

This is certainly a driver for PayPal’s recent partnership with Verifone to enable PayPal to act as a merchant acquirer (see Verifone press release).

My (somewhat educated) guess is that Square must redesign the “Square” reader for encryption AND its application AND get it certified by the issuers. This is a 12-18 month process… as I said last year. Of course I could be wrong on this… perhaps they are indeed near certification. Assuming they do get the US mag stripe issues resolved, it will not translate into any global adoption. I laughed quite a bit after reading the UK Telegraph article… particularly given the EMV (Chip and PIN) requirements in EVERY country outside of the US. So a new “redesigned” Square for magstripe won’t work in Europe… that is yet another design challenge with its own certification process. Who said payments were easy?

The card networks and issuers want Square to be successful, as increased card acceptance means increased payment volume. But there is a reason that acquirers and merchant agreements exist. Fraud usually is 18 months to 2 years behind a new payment method, as it’s not worth the fraudsters’ time (and resources) to invent a compromise. Square will face unique risks not seen before by any acquirer. For example: merchant accounts denied by other acquirers, physical card fraud rings, skimmers looking to take the cards and auth codes for use offline, virtual card fraud rings looking to “pump” card data through 100s of easy-to-set-up Square accounts.

Square has a use, but the market is small. I expect many small merchants to give the service a try, but once they realize that it takes 30-60 days to settle and that they have a new burden (under Reg Z) for returns and consumer transaction disputes (e.g., reserves), they will decide that the headache is not worth it. In other words, they will face the same barriers that the large acquirers have in moving down market. Dorsey was in a WSJ video yesterday outlining potential benefits for issuers using Square. This is a soft repositioning of his company for a potential exit. He knows that the market is limited and is hoping for alliance plays with large issuers/acquirers. Banks are certainly in a better position to roll this out… particularly because of their ability to manage card risk (but their customer support is a “little” more robust as well). As I stated previously, smart money would wait for Dorsey to gain adoption and struggle through the issues before investing.

The problem that Dorsey is trying to solve is core to the acquiring business: how to grow card use among small merchants. The question remains whether this is a “technology problem” or a business problem. For banks wanting to dip their toes in the technology: it is already available through teams like Verifone. For small merchants with a need for a convenient, easy-to-use method for accepting cards: go to www.paywaremobile.com and sign up with First Data. For consumers: think twice about giving your card to the hot dog vendor… banks own the risk (in the US), but there is still a big hassle in shutting down your account.

As I stated in my Jan 2010 blog, Square presents a risk to the payment system:

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link), customers would see their card transactions declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered; Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer. Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea of the potential for misuse, see the YouTube video below… crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Video: http://www.youtube.com/watch?v=svzZxB0o8J8

Visa Acquires CyberSource for $2B

22 April 2010

CYBS/Visa Presentation

CYBS 2009 10K

126x earnings? $3M per employee. Why? Did Carl Pascarella (former Visa CEO, added to the CyberSource Board of Directors on March 5, 2009) intend to drive this when he joined the CYBS board?

Part of the job of any payment network is to ensure a balance between network efficacy, profitability, risk and “value” received by each participant. (http://en.wikipedia.org/wiki/Network_effect)

CyberSource bills itself as “The World’s First eCommerce Payment Management Company” and initially focused on enabling “bricks and mortar” retailers’ expansion into the online channel. CYBS has evolved to provide global turnkey services to any retailer selling goods online… from payment to distribution (e.g., digital software).

CYBS 2009 10K

Our customers range in size from small sole proprietorships to some of the world’s largest corporations and institutions. Our customer base includes leading companies such as Air France, Borders Group, British Airways, Christian Dior, Eastman Kodak, Home Depot, Louis Vuitton, Massachusetts Institute of Technology, Microsoft, Nike, Starbucks, and Yahoo!, among thousands of others. To properly serve this diverse set of needs, we divide our potential market into two customer profiles, enterprise and small business merchants, which require different solutions.

Enterprise merchants have high sales volumes and generally demand the greatest range of payment options and the most sophisticated risk and management tools. These customers often sell in multiple countries and require support for local currencies and local payment options. Enterprise merchants also frequently need to integrate payment processing with one or more internal business systems. We serve enterprise customers by providing solutions that address and simplify the breadth of these requirements.

Small business merchants generally seek simplicity and ease of use. We serve small business merchants by providing bundled services and integrations into popular online shopping cart software, while bringing to the small business market some of the advantages of our enterprise-level services, including important new payment options such as electronic checks, as well as high-reliability and quality customer support.

Retailers face huge hurdles in building teams capable of navigating the complex rules and regulations associated with processing payments: PCI, SEPA, CARD, Reg E, Reg Z, etc. The very existence of CYBS (and the competitors below) shows the market for value added services as a precondition to Visa’s goal of EXPANDING THE NETWORK.

We face competition from merchant acquirers, independent sales organizations, and payment processors such as Chase Paymentech, First Data Corporation, and Royal Bank of Scotland. We also face competition from transaction service providers such as PayPal and Retail Decisions, as well as eCommerce providers such as Accertify, Inc., Digital River and GSI Commerce Inc. Furthermore, other companies, including financial services and credit companies may enter the market and provide competing services. Another source of competition comes from businesses that develop their own internal, custom-made systems. Such businesses typically make large initial investments to develop custom-made systems and therefore, may be less likely to adopt outside services or vendor-developed online commerce transaction processing software.

CyberSource will provide Visa with an enhanced portfolio of services which could address merchant needs, particularly in risk, compliance and payment/fraud operations. However, the expansion of Visa into these services poses a substantial risk to its business model, as it runs the risk of alienating acquiring banks and other processors. Currently, I would view that risk as small because of the tremendous issues associated with online (eCommerce/mCommerce) payment system integrity and fraud.

This is a bold move by Visa to drive network expansion in mCommerce and eCommerce, and to expand value added services which cover ownership of payment risk and operations. The price does seem high if we view the integration without synergies (CYBS would have to run at a 45% CAGR to be accretive over a 10-year horizon). Therefore, Visa’s business case must be driven by new services which can be offered in the short term to all merchants and acquirers (e.g., fraud data sharing, digital goods distribution).

Can Visa grow this business more effectively under the Visa brand? Absolutely, but expect other network participants (issuers, acquirers, processors) to pressure Visa into managing CYBS as a separate entity. It is important to note that there is no love lost between most merchants and Visa. To address this, Visa should lead with a road show on how it will deliver value. For example: it will take on fraud loss responsibility, improve marketing and take on compliance risk.

Tangentially, I believe Visa will also likely add significant dollars to merchant marketing programs. Visa is investing heavily in a new mobile marketing/advertising engine that will sit on the Visa switch. Their existing merchant agreements do not handle this kind of “marketing” services agreement, so they needed a new contract vehicle. Given CYBS’s merchant footprint, they now have a vehicle which can be leveraged to expand the advertising business in a turnkey model which also tracks fraud and fulfillment.