Accept Credit Cards with Square? You are NOT PCI Compliant!
POSTED BY: Rhett Baylies
Square cannot claim to be PCI compliant.
Square, the innovative brainchild of Twitter co-founder Jack Dorsey, can no longer claim to be PCI compliant.
Square has maintained on their website, SquareUp.com, that their device and service fall within PCI compliance guidelines and are a safe way to process credit card payments. The PCI DSS best-practice guidelines are established by the PCI Securities Council, which had to revise its standards to accommodate this rapidly changing new technology. The PCI compliance standards, or best practices, are intended to protect consumers from credit card fraud and identity theft.
What is Square?
Square is a credit card reader that plugs into the headphone jack on your smartphone and turns your phone into a credit card terminal without the need for a traditional merchant services account. It is intended to allow individuals and businesses to accept credit cards with minimal effort and expense. To make a sale, the merchant or individual simply swipes the credit card through the card reader, and the information is sent to a simple mobile application downloaded from the Android or iTunes Marketplace, at which time it is encrypted and sent for authorization.
Why Does Square claim to be PCI Compliant?
PCI DSS guidelines can only cover current technology, and when Square came to the marketplace, mobile payment technology of this sort did not exist. Since Square’s introduction, the mobile payment marketplace has been experiencing unprecedented growth and development, which has made it nearly impossible for new products and payment methods to be fully assessed by the DSS council. Square was considered to be compliant under the previous version of the PCI DSS guidelines; however, since mobile payment technology did not exist when those policies were created, Square did technically fall within the standards.
Under the latest version of the PCI Compliance Guidelines, however, all devices are now mandated to be “end to end” encrypted, meaning that when a credit card is swiped, its data must be encrypted before it is transmitted in any way. No sensitive information may be stored for any amount of time during the transaction. These requirements were previously required only for PIN pad terminals.
How do the New PCI Compliance Regulations Affect Square?
Credit card information is not encrypted while the credit card is swiped through the credit card reader. This leaves a major security weak point in the transaction, because it is very easy to skim sensitive data directly from the card reader before it is sent to the mobile application. This makes the Square card reader easy to turn into a card skimming device with minimal technical knowledge. Square’s only option, if they want to offer a PCI compliant device, is to rebuild their credit card reader so that it encrypts credit card information during the card swipe, before the data is sent to the mobile application. Only then would it be considered within the PCI compliance standards to accept credit cards.
How Does this Affect Square Users?
Being non-PCI-compliant is more serious than many small business owners and individuals may realize. Users of a non-PCI-compliant device could be open not only to lawsuits but can also be held personally liable for any and all costs associated with data breaches that result in credit card fraud. In addition, businesses could be putting their customers at risk. For more information on why PCI compliance is important, visit our post on 5 Reasons why you should care about PCI Compliance.
Square was criticized as irresponsible by credit card terminal producer VeriFone when it was revealed that its credit card reader was not encrypted. In response, Square said that their processing practices were PCI compliant (at the time) but that they were looking into creating an encrypted credit card reader. They did not indicate any deadline or prediction for when the encrypted card reader will be released. The new industry-wide PCI regulations are sure to force Square to step up their game.
How do you protect yourself and your business if you currently use Square?
The mobile payment marketplace is growing at an exponential pace compared to other sectors of the payments industry, which is great news if you are a Square user and wish to have a more secure device. Square’s success in offering a simplified merchant services account to individuals and businesses alike was unprecedented. There are now many competing devices, many of which are associated with traditional merchant services accounts. A majority of these services are offered with a mobile credit card reader that meets the new PCI standards.
The Merchant Doctor, however, has a program developed to compete directly with Square that allows individuals and businesses to accept credit cards.
The application process takes just 3 minutes, and the card reader is offered for free with no contract, no minimums, and no fees. The mobile application is incredibly feature rich, with more options and user-friendly features than those offered by Square. The Merchant Doctor solution is end to end encrypted, keeping your business and your customers safe and secure while expanding your sales and profits. For more on the features and benefits of the Merchant Doctor solution, check out 13 Things That you will Love About Phone Swipe.
Here is a quick graphical comparison of the services offered by Square vs the Merchant Doctor’s mobile solution to accept credit cards:
If you have any questions or would like more information on what a mobile payment credit card processing solution could do for your business, or on the Merchant Doctor’s mobile payment solution, contact us; we will be happy to advise. You can find our application to accept credit cards on your iPhone, iPad, or Android device here.