fee fie foe fud
March 9, 2011 2:05 PM   Subscribe

Early version of Internet card skimmer.
posted by Blazecock Pileon at 2:10 PM on March 9, 2011 [2 favorites]

The merchant equipment lockdown is dumb and annoying and an artificial barrier to entry into the market. Card readers are cheap to manufacture. Criminals figured it out a long time ago.
posted by polyhedron at 2:11 PM on March 9, 2011 [4 favorites]

FUD. Another meteor about to crash land.
posted by Scoo at 2:15 PM on March 9, 2011 [2 favorites]

I went on something of an anti-square tirade on Twitter last year, and became one of the (very very few) people that Verifone 'followed' afterwards.

Admittedly, this seemed a bit creepy, and tilted my opinion in favor of Square.

And, yeah. Square is nice, but won't be nearly as revolutionary as everyone claims it will be -- the hardware is too flimsy and gimmicky for regular use. At best, it's going to bring affordable credit card processing to occasional and low-volume vendors. Not quite the revolution that most were claiming it would be.

This is by no means a bad thing, and square have a lot of very smart people working for them. However, I probably wouldn't be investing much of my own money into the company, as there seem to be some very hard and firm limits to the amount that they'll be able to grow before they start manufacturing their own self-contained CC terminals (at which point, it's hard to see how they'd be much different from the "big guys," other than that their terminals will be nicer and paperless.

Actually, come to think of it, an acquisition by Verifone or one of their competitors is almost a certain endgame for Square. (And I wonder if Verifone made a bid to buy the company and failed, prompting this recent tirade.......)
posted by schmod at 2:16 PM on March 9, 2011

Breaking news: Large corporation lies about new technology that obsoletes their predatory business model. More at 11.
posted by Zozo at 2:19 PM on March 9, 2011 [5 favorites]

So, on one hand, slick corporate PR. On the other, angry ironic overlay. They cancel each other out. Between the two: this video gives me no real understanding of what's actually going on here.
posted by bicyclefish at 2:19 PM on March 9, 2011

The issue I have with Square is that even if the waiter is not skimming, who knows whether software is running on the iPhone that is?

At least with a dedicated credit card machine that shit is locked down tight.
posted by PenDevil at 2:22 PM on March 9, 2011

From what I gather, the Square hardware is essentially a cassette tape head that generates a tone when a card is swiped. This tone is sent to the device via the analog audio input. Square's app then decodes the tone and processes the payment. This gets around the need for a digital connection to the device, which would run afoul of Apple licensing fees and create the need for various phone connectors (miniUSB, microUSB, etc) rather than a single 3.5mm jack.


At least with a dedicated credit card machine that shit is locked down tight.

Haha, good one!
posted by mullingitover at 2:25 PM on March 9, 2011 [3 favorites]

Or he could just copy down the customer's card number, which seems like a much easier and more obvious way to steal the card.
posted by schmod at 2:29 PM on March 9, 2011

At least with a dedicated credit card machine that shit is locked down tight.

O RLY?

Legitimate versions of retailers' EFTPOS PIN pads were stolen, in some case through armed robberies, and replaced with compromised machines.

Well shit I'm sure glad that shit is locked down tight.

You're giving your card to the merchant. The merchant can do whatever the hell they want with it while they have those details and when it comes down to it the trust with the current system is 100% with the merchant not the hardware.
posted by Talez at 2:30 PM on March 9, 2011 [3 favorites]

Yeah, a photocopy of a card is all you need to charge to it. The security of credit cards is basically all in the company's hands, and as long as you keep an eye on charges and report any fraud it shouldn't be too big a concern (certainly easier to deal with than if someone gets your debit card + pin or checkbook).
posted by wildcrdj at 2:34 PM on March 9, 2011

It's a good thing those card readers aren't a cheap commodity item that's widely available. Giving them out for free is going to enable all those millions of criminals who don't have ten bucks.
posted by inedible at 2:34 PM on March 9, 2011

Hm, so this little flat square thing is all you need to tape up next to the slot on the ATM or security door card reader, or use as the button on your hip pocket or handbag? How close does it have to be to the target?

Heck, build one into your business card along with a bit of memory and RFID antenna, eh? Then hand your business cards out ...

Ya know, I wonder why we aren't seeing payment scanners that handle the new type paper folding money. Unique serial number on each one, tracks who sells and who buys, reports each transaction direct to the One Big Databank for sales tax purposes -- who needs plastic and private payment handling firms at all?
posted by hank at 2:36 PM on March 9, 2011

You're giving your card to the merchant.

Following some cases of restaurant credit card fraud it's now pretty much given that a waiter will bring a portable credit card machine to your table. I haven't let my card leave my line of sight in a restaurant in about 5 years.
posted by PenDevil at 2:36 PM on March 9, 2011

I haven't let my card leave my line of sight in a restaurant in about 5 years.

*checks profile*
Is that a South African thing? Because I have literally never seen a portable CC scanner in any restaurant in the States.
posted by Nonsteroidal Anti-Inflammatory Drug at 2:45 PM on March 9, 2011 [1 favorite]

They're common (mandated?) in some EU countries. I've seen a few out in CA in the US, but apart from that, they're extremely uncommon.
posted by schmod at 2:48 PM on March 9, 2011

Is that a South African thing? Because I have literally never seen a portable CC scanner in any restaurant in the States.

Dunno if it's law here but every restaurant that accepts credit cards (that I have been to since as long as I've had a credit card) will have a portable terminal.
posted by PenDevil at 2:50 PM on March 9, 2011

And, yeah. Square is nice, but won't be nearly as revolutionary as everyone claims it will be -- the hardware is too flimsy and gimmicky for regular use. At best, it's going to bring affordable credit card processing to occasional and low-volume vendors. Not quite the revolution that most were claiming it would be.

That's the beauty of Square's approach. The hardware costs pennies to manufacture. They could send you a box of a hundred for what you'd pay to Veriphone for a "normal" merchant terminal.

If you're a business customer you could literally buy a giant box of Square readers and iPads for the same amount of money you'd spend on a handful of "normal" terminals and the associated enormous fees.
posted by odinsdream at 2:52 PM on March 9, 2011

At least with a dedicated credit card machine that shit is locked down tight.

When you say this I know you've had no experience with traditional merchant terminals. They're very slow-moving technology. I helped set up a wireless network for a sports complex. We used the very latest in security technology for the access points.

Then the credit card merchants arrived (in their BMW, FWIW), with their box of terminals.

They couldn't do WPA2, they couldn't do AES, they could barely do WEP. Barely because the SSID had to be under a certain number of characters, and all caps, and even then, sometimes they'd fail to associate at all and just randomly connect to one of the nearby unencrypted networks across the road in an apartment complex.

This was an enormous foodservice account for the CC merchant, using the latest technology available, with the latest firmware as of last year.
posted by odinsdream at 2:55 PM on March 9, 2011 [11 favorites]

> the hardware is too flimsy and gimmicky for regular use. At best, it's going to bring affordable credit card processing to occasional and low-volume vendors. Not quite the revolution that most were claiming it would be.

That is the revolution.

Instead of buying or leasing a handheld card terminal and a separate mobile data plan, or wiring it into a phone or computer that has access to the Internet, you can now use a smartphone and a little headphone jack dongle.

If you've ever been to a crafts fair, flea market, antiques show, roadside produce stand, or concession stand at an athletic event, you'll quickly realize that there are tens of thousands of people who could junk most of the payment processing hardware they had to buy and tote around and keep locked down, and keep the business running with whatever iPhone they're already using anyway. It'd save 'em hundreds of dollars, which is not trivial at all when they might only take home a thousand after selling leather mugs for three days at a ren fest.
posted by ardgedee at 2:55 PM on March 9, 2011 [5 favorites]

Yeah, I was a little incredulous until I saw your profile, PenD. We definitely don't have those in the states I've been to. But what was said above repeated -- just check your darn statement every month. Also, just got my square reader today, and am having a little too much fun scanning my card over and over.. "Oh, neat!".

And for the record, I'm one of those low volume people that isn't going to make Square much money. That said, a 2.75% processing fee for any CC for low volume merchant is JAWESOME.. I'm used to seeing 5-6% unless you can break a certain $$ threshold and that's only MasterCard -- Visa wants an extra few cents for itself.
posted by cavalier at 2:56 PM on March 9, 2011

I've got the Square thing. It seems to work well enough, although I've only used it half a dozen times.
posted by electroboy at 2:58 PM on March 9, 2011

If you're a business customer you could literally buy a giant box of Square readers and iPads

I thought I'd try it for my business, but I was given a limit of a few hundred dollars that I could charge per transaction. Coffee shops can deal with that, but until the limit goes to a few thousand, Square won't work for any service businesses.
posted by letitrain at 2:59 PM on March 9, 2011

You're giving your card to the merchant. The merchant can do whatever the hell they want with it while they have those details and when it comes down to it the trust with the current system is 100% with the merchant not the hardware.

I'd also like to add a little bit more about why Square is in fact more secure, due to the way their software by default works.

With a traditional merchant account when your card gets scanned the merchant has access to all the data on the card. Depending on their point-of-sale system, they can potentially pull up the history of all the transactions and print off a list of names, numbers, and expiration dates.

Square's system intentionally hides all the information possible from the Square user. If you accept a card with Square, you cannot pull up any information later about that card, not even the buyer's name.
posted by odinsdream at 3:01 PM on March 9, 2011 [2 favorites]

Hm, so this little flat square thing is all you need to tape up next to the slot on the ATM or security door card reader, or use as the button on your hip pocket or handbag? How close does it have to be to the target?

Heck, build one into your business card along with a bit of memory and RFID antenna, eh? Then hand your business cards out ...

Ya know, I wonder why we aren't seeing payment scanners that handle the new type paper folding money. Unique serial number on each one, tracks who sells and who buys, reports each transaction direct to the One Big Databank for sales tax purposes -- who needs plastic and private payment handling firms at all?

I believe you're confused. This is not a reader that works by sensing the presence of a card. It's a swipe reader just like any other - it's just physically small. It doesn't read card numbers through the air - you have to pull the card through it like any other card reader.

The last paragraph of your comment reads a little like a conspiracy theory. I'm not sure what you're talking about.
posted by odinsdream at 3:05 PM on March 9, 2011 [1 favorite]

Square's system intentionally hides all the information possible from the Square user. If you accept a card with Square, you cannot pull up any information later about that card, not even the buyer's name.

I'm hoping that this changes soon. The nonprofit I work at is using Square for payment at our off-site fundraisers, and not being able to pull up customer names (which we need to track for tax purposes) is making the transactions take far longer than they need to- we're just typing the customer's name by hand into the app anyway.

I sent them a support email asking them to add that bit of info since it's written on the front of the card anyway. They'll "...definitely talk to our engineers about the possibility of the idea becoming a reality at Square."

And letitrain, they've gotten rid of those limits, but they'll hold funds over a certain threshold for about a week or so, IIRC.
posted by Uncle Ira at 3:14 PM on March 9, 2011 [1 favorite]

Good to know, Uncle Ira. I'll give them another shot.
posted by letitrain at 3:18 PM on March 9, 2011

Goddam, it is going to cost a lot of money to reprint all the dictionaries to put a picture of that guy next to the FUD definition.
posted by Threeway Handshake at 3:22 PM on March 9, 2011 [3 favorites]

Mr Veriphone may have a legitimate point about Square's security, hidden underneath his obvious and overflowing self-interest, but much of Square's security problem has to do with its newness and relative rarity.

If Square becomes ubiquitous, then we'll know almost immediately that we may have been skimmed because we won't get the electronic receipt from Square, and we'll say "hey, I should have gotten that receipt by now. I wonder what gives." Square might not solve the problem of skimming entirely, but if they catch on, awareness of how Square works can limit the damage to minutes or hours rather than days or weeks.
posted by adamrice at 3:25 PM on March 9, 2011

Does anyone here that uses Square know the speed of a typical transaction?
posted by ofthestrait at 3:29 PM on March 9, 2011

I can tell you that, on the back end, the transaction itself takes between fractions of a second and up to 6 seconds. How long the reply takes to get from the verifying third party to the mobile device would vary.
posted by crataegus at 3:41 PM on March 9, 2011

Does anyone here that uses Square know the speed of a typical transaction?

The e-mail receipt is generated seconds after the seller clicks the button on their device to process the payment.

Refunds are just as quickly processed. This has nothing to do with how quickly your bank processes the transaction. I wouldn't be surprised at all to learn that certain banks "prioritize" transaction processing from the big terminal players, like Veriphone. As more companies compete on Square's level I'm sure this will start to come to light.
posted by odinsdream at 3:42 PM on March 9, 2011 [1 favorite]

Look, anti-competitiveness aside, Verifone has a perfectly legitimate point. I'll spare everyone the gory PCI details, but the short version is this-- if you accept credit cards, you must be 100% compliant with the PCI regulations. There's no gray area there-- if you aren't compliant, Visa/Mastercard/Amex/Discover/JCB/etc can basically do whatever they want to you, including increased transaction costs, fines, or even going so far as to stop you from taking credit cards (and yes, that penalty does happen).

Square's business model is to go after "Level 4" merchants; these are the really, really small fish. The "Level 1" merchants are the merchants that take in millions of transactions. Apple, McDonald's, Amazon, Target, Wal-Mart, etc. "Level 2" are the smaller stores that still do a lot of transactions; your sporting goods stores, smaller restaurant chains, and the like. "Level 3" are smaller still, and level 4 is the one-off mom and pop stores.

If you're a level 1 merchant, you have to go through a huge amount of hoops to certify that you're compliant with PCI. If you're a level 4 merchant, you basically just need to sign a paper every year or so that says "yes, I'm compliant with all the PCI regulations". It's a wink-and-nod hands-off approach to PCI compliance, and one that the credit card companies will be stopping shortly.

In other words, you lie through your teeth when you're a Square customer, because in truth you aren't compliant and you can't possibly be compliant.

Wait-whatwhatwhat, you say? How can I not be compliant if I'm using Square's hardware and software? Simple-- there's a section of PCI that requires that credit card data must be encrypted throughout the lifetime of the transaction. Verifone's point is that the Square dongle transmits the card data in the clear to whatever app is running on the iPhone (and potentially background apps, I'm not sure).

"Well big deal, my iPhone camera can capture card details also". That isn't the point. Any merchant serious about PCI compliance (which is to say, any merchant level 2 or higher) cannot, and will not, use the Square solution because of this problem. Companies are trying to reduce their PCI scope, not increase it. This is why companies like Braintree are doing so well; one of the bullet points on their homepage is "reduce your PCI scope by up to 90%" and that's a huge selling point. Square is going to have to become PCI compliant at some point, they have no choice in the matter, and PCI compliance means having a hardware-encrypted dongle.

Are Verifone being chumps about this? Probably. Are they right? Definitely.
posted by mark242 at 3:53 PM on March 9, 2011 [3 favorites]

Square isn't the only company doing mobile credit card stuff, the company I work for is offering something called GoPayment.

I wouldn't be surprised at all to learn that certain banks "prioritize" transaction processing from the big terminal players, like Veriphone.

Verifone is a hardware manufacturer. The bank isn't prioritizing anything. Plus, unless you are seriously big time, you wouldn't have a bank as your credit card processor anyway. You'd be using someone like Cardservice, Authorize.net, or Intuit.
posted by sideshow at 3:53 PM on March 9, 2011

All I'm thinking of is that drug dealers will soon take credit cards.
posted by Damienmce at 3:57 PM on March 9, 2011 [1 favorite]

mark242, Square is PCI Tier 1 compliant. We made sure of that before we started using the service.
posted by Uncle Ira at 4:05 PM on March 9, 2011 [1 favorite]

If Square has been certified as compliant at level 1, then their QSA is going to very quickly find themselves out of business. The Square app may well be compliant, but that doesn't change the fact that the hardware dongle is not (according to Verifone). If I am able, as a malicious employee of a company using a Square device, if I am able to surreptitiously install an app on an iPhone that scans the hardware dongle, then I don't see how the Square solution can possibly be compliant.
posted by mark242 at 4:17 PM on March 9, 2011

Er...mark242...um...no.

I can use a host of other readers via USB with the same problem (being getting card data on the other end) and they are compliant with PCI DSS. Hey, some vendors even give you an easy to use API to do it, too!

That's all this is...an unpublished API. Period.

No card data is exposed in transit from reader to app and - if you Do The Right Thing - it's not stored or transmitted away from the device, either.

FUD is FUD, competitor-provided or not.
posted by hrbrmstr at 4:41 PM on March 9, 2011 [1 favorite]

For mark242's second post...the bad app is what would not be compliant, same as a waiter/waitress who copies down card info before or after using the POS device.
posted by hrbrmstr at 4:42 PM on March 9, 2011

So, on one hand, slick corporate PR. On the other, angry ironic overlay.

I wouldn't call it that slick, looked more desperate.

The issue I have with Square is that even if the waiter is not skimming, who knows whether software is running on the iPhone that is?

It's no different then manually entering your credit card information onto a website. Or using any other card scanner.

If Square has been certified as compliant at level 1, then their QSA is going to very quickly find themselves out of business. The Square app may well be compliant, but that doesn't change the fact that the hardware dongle is not (according to Verifone)

The dongle is entirely analog. There always has to be some analog connection in order for the system to work.
posted by delmoi at 4:50 PM on March 9, 2011 [1 favorite]

I can use a host of other readers via USB with the same problem (being getting card data on the other end) and they are compliant with PCI DSS.

You're missing the point. Those readers may be compliant, but the moment your application touches that unencrypted credit card data, it is in scope for PCI compliance.

Does your point of sale have an open USB port? And does your application use unencrypted credit card data in memory? CONGRATULATIONS - you aren't PCI compliant!

That's all I'm saying; because of the viral nature of PCI, the moment you have an application reading unencrypted credit card information, everything on the iPhone must be PCI compliant. As it's impossible to do that... you see where I'm going.

There always has to be some analog connection in order for the system to work.

Again, it isn't the analog connection, but the broad scope of PCI and what it requires. Square's app would be perfectly fine if it were impossible to run any other code on the iPhone.

The new technology coming out is around tokenization, which is to say that the moment your credit card is swiped, it's encrypted by a hardware-level key that you, as a merchant, have no knowledge of. That encrypted swipe is passed back to your processor, who returns you a token. You save that token however you want, and you say "please charge $20 to this token" and your processor does their thing. Presto - your application is no longer in scope for PCI compliance.
posted by mark242 at 5:16 PM on March 9, 2011

It's no different then manually entering your credit card information onto a website. Or using any other card scanner.

Exactly! The sketchyness goes back to the merchant. I thought it was pretty cool that a person having a garage sale in my town's subreddit offered credit card payment with Square. But it comes down to whether I trust the merchant. They could have the fanciest Verifone terminal or a Square, or an old fashioned imprint machine. They could be 6X quad certified warlock PCI compliant and it doesn't matter. I'm more worried about the people in the transaction than the gizmo.

Verifone comes across in their video as desperate. The biggest fear is how the fuck will Verifone maintain its margins with these things out there.
posted by birdherder at 5:23 PM on March 9, 2011

But it comes down to whether I trust the merchant.

This is the disconnect that consumers have-- PCI has very little to do with merchant trust. If I, as a merchant, have a webpage that allows you to pay by credit card, only it isn't using SSL, do you? No? Why not? Because you've heard about man-in-the-middle attacks, whereby your credit card is going over the entire Internet unencrypted, and holy shit, anyone could read it, not just the person I'm trying to pay for my purchase.

PCI guidelines are what cover those types of scenarios. At no point in your transaction should your credit card number be out in the clear, even in the store. Take the scenario from above-- if my point of sale has an open USB port, and I manipulate credit card numbers in memory, why aren't I PCI compliant? Because someone malicious -- not the merchant -- could install a tool that could skim your card info.

TJ Maxx got hit by massive fines for not being PCI compliant after they had a huge security breach. Millions of credit cards lost. How'd they get breached? Their stores had open wireless networks, and they were dealing with unencrypted credit card data on their point of sale.

It didn't matter whether or not you trusted TJ Maxx. They didn't abide by PCI guidelines, and your card was stolen.
posted by mark242 at 5:34 PM on March 9, 2011

mark242, are you saying that Square is lying when they claim their "systems adhere to PCI Data Security Standard (PCI-DSS), Level 1"?
posted by Zozo at 5:44 PM on March 9, 2011

mark242, you should probably call the PCI people and tell them that their auditors made a big mistake in certifying them.
posted by Threeway Handshake at 6:00 PM on March 9, 2011

But guyz, he's got VeriFone info
posted by defenestration at 6:22 PM on March 9, 2011

PCI compliance is a make-work project: nothing more, nothing less.
posted by chunking express at 6:49 PM on March 9, 2011 [2 favorites]

I want secure near field tech in my mobile. Why do I have to carry this plastic stuff around anymore. I at least want those smart cards like they have in Europe. Seriously America magatripe is 1960s tech WTF!
posted by humanfont at 7:13 PM on March 9, 2011

Because you've heard about man-in-the-middle attacks, whereby your credit card is going over the entire Internet unencrypted, and holy shit, anyone could read it, not just the person I'm trying to pay for my purchase.

That's not how man in the middle works. Essentially, what it does is stand 'between' you and the recipient, and when you request a public key, it sends you it's key and you encrypt a copy for them. Then they decrypt the data, ask for the recipient's public key, and encrypt it for them.

But, if you already have the public key, then you're not susceptible. This gets into the whole certificate authority thing, but basically SSL is not vulnerable to MTM attack unless the attacker has a forged certificate authority signing key, which is really hard to get.
posted by delmoi at 7:16 PM on March 9, 2011

I suspect that this will quickly prove to be best free advertising that Square could have ever dreamed of getting.
posted by spilon at 8:06 PM on March 9, 2011 [1 favorite]

mark242, are you saying that Square is lying when they claim their "systems adhere to PCI Data Security Standard (PCI-DSS), Level 1"?

Not at all. I am saying that their QSA is probably very busy revising their assessment right now. This is part of the problem with PCI; the independent auditors are only able to determine compliance based upon interviews with the company. If an auditor doesn't know enough about the technology in question, it's possible to get certified without being technically in compliance. This isn't Square's fault that they were, apparently, inadvertently certified. I would guess Square is probably getting a new QSA to come in right now, either to re-certify them, or tell them that no, they really aren't compliant.

PCI compliance is a make-work project: nothing more, nothing less.

Tell that to the guys at Heartland Payments. I don't disagree with the extreme amount of tedium around becoming PCI compliant, as I've had to go through the joy of dealing with the security assessments and recommended list of changes, but at the same time it's good that there is at least some semblance of a standard for data security around credit cards.

I suspect that this will quickly prove to be best free advertising that Square could have ever dreamed of getting.

I hope so-- I think the Square idea is a great one; after a certain volume of transactions, to get better interchange rates, Square could be the one company who could pull off physical micropayments. I wouldn't be surprised to see them gobbled up by eBay in hopes of an integration with PayPal.
posted by mark242 at 9:35 PM on March 9, 2011

Mmm, gruber noticed the delicious hypocrisy.
posted by mullingitover at 10:13 PM on March 9, 2011

My coworker brought about 40 Squares to work today and handed them out like candy.

He's sick of people forgetting to bring cash when 17 of us descend on a local eatery at once.
posted by fairytale of los angeles at 10:22 PM on March 9, 2011 [2 favorites]

there's a section of PCI that requires that credit card data must be encrypted throughout the lifetime of the transaction

As I read it, it has to be encrypted any time it is moving between devices. The questions are is this considered a separate device or just a peripheral.

Given that Square claims it is level 1 complaint, they may well be encrypting the string before they send it to the phone, but so long as the only function it has is to read the stripe and send the data to a fixed input port, I don't see where the security hole is. If your using the device, then you already have every bit of information on the mag stripe *in your hand* plus access to the CVV code. You don't need to MITM here, you've already got that information. When it is sent up to Sqaure for processing, that better well be encrypted.


Of course, a tiny piece of silicon to run 3DES or AES128 is cheap. Now, when you can tell me how to safely exchange keys without using a fixed key, then it would be worth encrypting. Otherwise, it's using a fixed key, which will be broken eventually, or it's sending it when it powers up, which a MITM attack would see.

So, why? Make the reader dumb - it reads the magstripe and sends the bits to the phone, and it doesn't work without the phone. Heck, load the code to read the magstripe every time and have no fixed memory on the thing whatsoever except a boot loader in ROM. That way, it simply cannot store data.

Yes, you could, I'm sure, get it to work somewhere else.. Why? Magstripe readers are cheap.

There are a bunch of security concerns, but it's in the app and backend systems -- which is true of all cc processors.
posted by eriko at 4:18 AM on March 10, 2011 [1 favorite]

PCI compliance is a make-work project: nothing more, nothing less.

Why do you say that? The standards are fairly straightforward and match up to what I would consider the security you need for handling cards.
posted by smackfu at 5:50 AM on March 10, 2011

Again, it isn't the analog connection, but the broad scope of PCI and what it requires. Square's app would be perfectly fine if it were impossible to run any other code on the iPhone.

Let's go down this road. Verifone's Pinpads currently provide the swiped data internally in cleartext to be encrypted internally by the terminal itself. This is working under the theory that the information is encrypted at all since most of the terminals Verifone built before 2009 just pass on the customer's entire details in cleartext straight to the register.

So now that we've established that the terminal has the details in cleartext at some point through sheer self-evidence we can replace the terminal with compromised code which stores the data ready for pickup by a criminal element. Will the terminal refuse to run code? Probably not since attackers are stealing terminals, replacing whatever parts are necessary and then putting it back. An attacker having physical access to a piece of hardware means it's pretty much insecure by default.

So what now? You have millions of terminals which are perfectly happy to run any code you throw at them and we're back in the same boat that the evil Square apparently puts us in.

The new technology coming out is around tokenization, which is to say that the moment your credit card is swiped, it's encrypted by a hardware-level key that you, as a merchant, have no knowledge of. That encrypted swipe is passed back to your processor, who returns you a token. You save that token however you want, and you say "please charge $20 to this token" and your processor does their thing. Presto - your application is no longer in scope for PCI compliance.

Tokenization will only work if it's performed by a cryptoprocessor on the card itself a'la GSM SIM cards which never reveal the SIM card's key to the phone. As soon as you deliver any sort of plain text details to the terminal they're insecure since it's been proven that replacing terminal hardware is a valid strategy used by criminal elements.
posted by Talez at 6:57 AM on March 10, 2011

N.B. My point wasn't to say that either Square or Verifone are on the right or wrong side of PCI. My point is that the way the system works now is that PCI compliance as an argument is irrelevant and both sides are vulnerable to compromise in the exact same way. It's basically arguing that one side arranged their deck chairs on the Titanic incorrectly but their side is correct because the Titanic clearly has an arrangement on how the chairs should be arranged while the ship is sinking.
posted by Talez at 7:05 AM on March 10, 2011

PCI compliance is a make-work project: nothing more, nothing less.

This is just silly. The standards aren't obtuse. They're things like "Make sure your servers are locked in a cabinet, and only authorized people have access to them." or "Don't transmit or store unencrypted card information."

It's only "make-work" if you have literally no concept of how proper security works.
posted by odinsdream at 8:19 AM on March 10, 2011

Square has posted a response.
posted by Zozo at 9:40 AM on March 10, 2011