VeriFone Systems Inc. is taking off its gloves in the battle for mobile payment acceptance, claiming rival Square Inc.'s device can be adapted to use for fraud.
Given that VeriFone sells a product that competes with Square's, which allows small merchants to accept card payments through an add-on for smartphones, analysts took notice of VeriFone's Wednesday launch of a website that claims Square's hardware can be transformed into a skimming device.
"If there were problems in emerging technology or security where there is vulnerability associated, it requires the collaboration of parties involved … as opposed to having them go out and combat against each other," Jacob Jegher, a senior analyst with the research firm Celent, said.
Jegher added that he has not evaluated Square's device to determine whether the issues VeriFone raised are true. Even if VeriFone's claims are true, he said, it does not necessarily make fraud easier for scammers.
"If there's someone out there that wanted to skim or gather credit card data … there's any number of ways to do that," such as using hardware built for that explicit purpose, Jegher said.
Square, which did not respond to requests for comment before deadline on Wednesday, has garnered significant attention in the last year for helping small merchants more easily accept credit card payments. The San Francisco startup, led by Twitter Inc. co-founder Jack Dorsey, has said over Twitter that its small, square-shaped card reader handles a million dollars a day in payments.
Paul Rasori, VeriFone's senior vice president of marketing, said in an interview Wednesday that the San Jose, Calif., maker of payment terminals and other point of sale technology is concerned about the growing use of Square's product and felt it was necessary to bring attention to what it sees as a serious security threat.
"VeriFone has made this an issue for over a year and a half," Rasori said. "There's been several back-and-forths in the press between VeriFone and Square as it relates to security. The industry just seems to be ignoring the problem."
In an infomercial-style video posted online, VeriFone Chief Executive Douglas G. Bergeron said Square is "freely distributing devices that anyone can use to steal your credit card information at any time, in any place and anywhere." VeriFone said it created a mock Square app in less than an hour that a rogue merchant could use to collect cardholder data.
VeriFone, which offers a demo of the app (which does not display full account numbers) on its site, said it is providing a copy of its app to Visa Inc., MasterCard Inc., American Express Co., Discover Financial Services and JPMorgan Chase & Co., Square's processor.
VeriFone says its mobile card reader, called PAYware Mobile, addresses the security concern by encrypting data when a card is swiped.
"If someone were to develop a rogue application, the data that would be passed to that application would be of completely no value to a criminal," Rasori said.
James Van Dyke and Phil Blank, analysts with Javelin Strategy and Research in Pleasanton, Calif., said VeriFone is justified in pointing out what it sees as potential security flaws. Blank added that potential issues aren't limited to Square, as several other companies sell mobile card readers.
Financial software maker Intuit Inc. has been selling its GoPayment mobile card acceptance service, which is compatible with multiple devices. The application encrypts data when information is entered via a card swipe or manually, Chris Battles, the head of product management for payment solutions, said. He had no comment on the issues VeriFone raised about Square.
Jegher said he takes issue with VeriFone's strategy but agreed that security should be noted. "VeriFone felt … they could dish out a blow there," Jegher said. "I don't personally believe it's the way to compete in the banking and payments space. But I do believe that the customer … should be made aware very rapidly of any security concerns that are the fault of the developers."