Merchants need to be aware of a new mobile payment solution – Square from Square Inc. A colleague pointed me to the Square site with the question, “Is this PCI compliant?”
Square appears to be a hardware/software solution for iPhones, iPads and Android devices. It has a cute, square magnetic stripe reader for swiping cards, but also appears to provide the capability to manually enter cardholder data through these devices’ virtual keyboards. This all appears to be similar to the iPhone that used to appear in the first Apple iPhone commercials that, for reasons that will become obvious, magically disappeared from their commercials very quickly and quietly. It is also why Apple no longer uses iPhones or iPod Touches in their stores to process payments.
In referencing the PCI SSC’s PTS certification database, I could not find Square’s certification for the PTS standard. Although, given the pictures on Square’s Web site, I really did not expect to find it certified to the PTS standard as there is no way it could meet the PTS standard. Has Square submitted their solution for PTS certification? It may have, but since the PCI SSC PTS certification database only lists those devices that have completed the certification process, there is no way for anyone to know if it has submitted Square until it is certified. However, since the use of PTS certified devices is a requirement of all of the card brands, until Square is PTS certified, use of a Square device for processing of credit cards violates a merchant’s merchant agreement. Game over.
While not complying with the PTS standard is a deal breaker in my opinion that is not the only PCI compliance issue. In referencing the PCI SSC’s PA-DSS certification database, I could also not find the Square software application listed. That situation was also not unexpected as the PCI SSC announced in a press release on June 24, 2011 that it was suspending the PA-DSS certification review of all mobile payment applications indefinitely. As a result, there is no way Square’s software will be PA-DSS certified for the foreseeable future whether they submitted it for PA-DSS certification or not. Not that the PA-DSS certification is a deal breaker for merchants to use the Square software, but it means that merchants using the Square software to process payments will have to have the Square software assessed to ensure it meets all of the PCI DSS requirements regarding payment applications.
And knowing what I know about all of these devices, I can guarantee that the Square software will not be PCI DSS compliant because all of these devices will store the cardholder data unencrypted for an untold amount of time until it is written over. Even if Square’s software encrypts the data, the underlying OS will also collect the data in cleartext. Forensic examinations of these devices have shown time and again that regardless of what the software vendor did, the data still existed in memory unencrypted. And that unencrypted data in memory can exist in these devices for days, weeks to even months depending on transaction volume and other applications loaded on the device. It is this surreptitious OS data collection activity, the security issues with other applications as well as other security concerns that caused the PCI SSC to suspend their PA-DSS certification activities of these applications.
There is only one solution that uses an iPhone or iPod Touch that is PTS and PA-DSS certified at this time and it is from Verifone. The reason that Verifone’s PAYware solution is certified is that: (1) Verifone submitted it for the PCI certifications prior to the June 24 suspension and, the bigger reason in my book; (2) it relies on a digital back separate from the iPhone/iPod that performs the card swipe and all of the card data processing/transmission in a secure manner. The iPhone or iPod Touch are used only as a display and cellular/Wi-Fi conduit for network connectivity.
The only other mobile payment solutions I am aware that are PTS compliant are purpose built credit card terminal using Wi-Fi or cellular communications. These are considered terminals by the PCI SSC, so their underlying software is not required to be PA-DSS certified at this time, but they are required to be PTS certified. In addition, these terminals have been in use in Europe for quite some time, so they are a proven secure solution.
The bottom line is that it is the merchant’s responsibility to ask vendors the right questions and weed out non-PCI compliant solutions. The card brands and the PCI SSC are not in the business of regulating vendors, they leave that to the marketplace.
If you are looking for a PCI compliant mobile payment solution, talk to Verifone, Equinox, Ingenico or other recognized card terminal manufacturers as those are going to be your only PCI certified mobile payment processing options at this time.
UPDATE: I have had a number of people contact me about the certification status of the Square solution based on the fact that Square Inc. is listed on Visa USA’s Web site as a PCI DSS compliant service provider. Remember, this listing only means that the card processing services provided by Square Inc. to their customers (i.e., all of the back office processing they do to process card transactions) are PCI DSS compliant, not that the devices that actually conduct the card swipe are certified PCI compliant. A certified card terminal would be PCI PTS certified and the software running on the terminal would be PA-DSS certified. The Square Inc. device that connects to iPhones and Android devices does not have that PCI PTS or PA-DSS certifications, therefore it should not be used for conducting credit card transactions.
UPDATE: Here is another solution that avoids the iPad altogether, Hubworks Interactive. I spoke with them and their QSA and this product avoids the iPad by conducting the transaction in the digital framework surrounding the iPad. The iPad is strictly used as a display and a Wi-Fi conduit. The digital framework encrypts the cardholder data before it is ever seen by the iPad just as Mark Bower suggested would work.
UPDATE: July 25, 2012 – In the July issue of Transaction Trends, page 6, there is an announcement from Square that they are offering a new loyalty program for merchants using Square Register and Pay. Let us hope it is securely implemented as I am sure Square is using a customer’s PAN for tracking based on how they describe the program.
UPDATE: August 30, 2012 – The Square Web site is now implying that the transmission of card data is secured through “industry-standard encryption,” whatever that means. There have been rumors that Square has implemented point-to-point encryption (P2PE) in their card readers but was not advertising that fact. That is why I went to this page to see what, if anything, had changed. However, based on the statements on this page, it appears that P2PE has not been implemented as you would think they would be touting that fact.
UPDATE: October 15, 2012 – A good friend of mine just started working at Square, so hopefully we can get to the bottom of how Square works and what risk there is to merchants using their solution. Stay tuned.