Accept Credit Cards with Square? You are NOT PCI Compliant!

POSTED BY: Rhett Baylies
Square is not within the new PCI compliance guidelines.  Find out more here.


Square cannot claim to be PCI compliant.

Square, the innovative product and brainchild of Twitter co-founder Jack Dorsey, can no longer claim to be PCI compliant.

Square has maintained on its website, SquareUp.com, that its device and service fall within PCI compliance guidelines and are a safe way to process credit card payments. The PCI DSS best practice guidelines are established by the PCI Security Standards Council, which has had to revise its standards to accommodate this rapidly changing new technology. The PCI compliance standards, or best practices, are intended to protect consumers from credit card fraud and identity theft.

What is Square?

Square is a credit card reader that plugs into the headphone jack of your smartphone and turns the phone into a credit card terminal without the need for a traditional merchant services account. It is intended to allow individuals and businesses to accept credit cards with minimal effort and expense. To make a sale, the merchant simply swipes the credit card through the card reader; the card information is passed to a simple mobile application downloaded from the Android or iTunes marketplace, at which point it is encrypted and sent for authorization.

Why Does Square claim to be PCI Compliant?

PCI DSS guidelines can only cover current technology, and when Square came to the marketplace, mobile payment technology of this sort did not exist. Since Square’s introduction the mobile payment marketplace has experienced unprecedented growth and development, which has made it nearly impossible for new products and payment methods to be fully assessed by the DSS council. Square was considered compliant under the previous version of the PCI DSS guidelines; since mobile payment technology did not exist when those policies were created, Square did technically fall within the standards.

Under the latest version of the PCI compliance guidelines, however, all devices are now mandated to be “end to end” encrypted, meaning that when a credit card is swiped the card data must be encrypted before it is transmitted in any way. No sensitive information may be stored for any amount of time during the transaction. These requirements previously applied only to PIN pad terminals.

How do the New PCI Compliance Regulations Affect Square?

Since credit card information is not encrypted while the card is swiped through the reader, the transaction has a major security weak point: sensitive data can be skimmed directly from the card reader before it ever reaches the mobile application, which makes the Square card reader easy to turn into a card skimming device with minimal technical knowledge. If Square wants to offer a PCI compliant device, its only option is to rebuild the card reader so that credit card information is encrypted during the swipe, before it is passed to the mobile application; only then will it fall within the PCI compliance standards for accepting credit cards.

How Does this Affect Square Users?

Being non PCI compliant is more serious than many small business owners and individuals may realize. Users of a non PCI compliant device are open not only to lawsuits but can also be held personally liable for any and all costs associated with a data breach that results in credit card fraud. In addition, businesses could be putting their customers at risk. For more information on why PCI compliance is important, visit our post on 5 Reasons Why You Should Care About PCI Compliance.

Square was criticized as irresponsible by credit card terminal producer VeriFone when it was revealed that Square’s card reader was not encrypted. In response, Square said that its processing practices were PCI compliant (at the time) but that it was looking into creating an encrypted card reader. It gave no deadline or prediction for when the encrypted card reader would be released. The new industry wide PCI regulations are sure to force Square to step up its game.

How do you protect yourself and your business if you currently use Square?

The mobile payment marketplace is growing at an exponential pace compared to other sectors of the payments industry, which is great news if you are a Square user and wish to have a more secure device. Square’s success in offering a simplified merchant services account to individuals and businesses was unprecedented, and there are now many competing devices, many of which are associated with traditional merchant services accounts. A majority of these services are offered with a mobile credit card reader that meets the new PCI standards.

The Merchant Doctor, however, has a program developed to compete directly with Square that allows individuals and businesses to accept credit cards.

The application process takes just 3 minutes, and the card reader is offered for free with no contract, no minimums, and no fees. The mobile application is incredibly feature rich, with more options and user friendly features than Square offers. The Merchant Doctor solution is end to end encrypted, keeping your business and your customers safe and secure while expanding your sales and profits. For more on the features and benefits of the Merchant Doctor solution, check out 13 Things That You Will Love About Phone Swipe.

Here is a quick graphical comparison of the services offered by Square vs the Merchant Doctor’s mobile solution to accept credit cards:

If you have any questions or would like more information on what a mobile payment credit card processing solution could do for your business, or on the Merchant Doctor’s mobile payment solution, contact us and we will be happy to advise. You can find our application to accept credit cards on your iPhone, iPad, or Android device here.

Remember to join us on FaceBook and Twitter!

About the Author: Rhett Baylies

After over 17 years in the service industry, not only as an employee but as a business owner and corporate manager, Rhett decided to start his career in the payment industry with the vision of providing good, honest service at a fair price. Rhett now applies his years of service focused business to his daily routine and looks forward to revolutionizing the way you look at your processing statement for many years to come.

Daniel Bowlin | November 27 2011

I am working on a presentation for small businesses in my area that will help educate them on options for their current POS systems. When we first began this presentation, we came across a concern among retailers over the compliance of Square and Intuit’s GoPayment. From what I have gathered from this website, it seems as though you all offer a product that meets the additional needs that Square does not. Given the current state of Square’s lack of compliance, how can you help me sell this technology to small business owners in my area, and help convince them that they will be protected with your product, thus relieving them of the stress of not being PCI compliant?

Thank you,

Daniel Bowlin

If a phone call would help me to understand this information better, please send me a number that will allow for me to talk with an informed rep regarding the previous questions.

Also, any other links that can be provided will be much appreciated.

Rhett Baylies | November 28 2011

Hi Daniel-

Great questions.  Yes, the Phone Swipe is fully “end to end” encrypted and does meet all the PCI DSS equipment requirements.  Let me start by saying that the PCI compliance validation requirements depend on the account type the business owner decides on.

With the “Pay as You Go” option there are NO PCI fees or validation needed.

If the merchant would benefit from a “High Volume” standard merchant account (generally if they process more than $3500/month), then the usual PCI compliance validation requirements do apply.

To ease the burden and confusion of maintaining PCI compliance, The Merchant Doctor and NAB have continued our partnership with ControlScan, a leading provider of compliance and security services, to expand our comprehensive Compliance Program, including access to our website:

www.myPCI.com

In addition to the full-featured program, The Merchant Doctor and NAB are continuing our Breach Protection Program to assist our merchants and help allay their fears of a breach.  For those merchants who successfully complete their applicable PCI compliance requirements, the Breach Protection Program will cover up to $25,000 in merchant fines, assessments and related expenses attributable to a qualified PCI data breach (some restrictions may apply). While this program is clearly not an insurance program, it shares one important objective – to help protect against the unexpected. 

I hope this helps to address your concerns.  If you would like to discuss your PCI questions further or to discuss the affiliate and agent options we offer feel free to contact me directly at 775-745-1087

Ray Do | April 17 2012

I understand that Phone Swipe also assesses a transaction fee per transaction.  Is this true?  If so, what are these fees and why aren’t they included in the comparison above?  Are there any other fees, costs, assessments, etc. associated, at any time and/or under any circumstances, with the use of Phone Swipe?

Lastly, while perusing Phone Swipe’s companion MyBizPerks site, I notice that nowhere does it list the pricing of either their Bronze, Silver or Gold level of services.  Why? What are these prices?

Thanks.

STAY BLESSED!

... Ray

Rhett Baylies | April 18 2012

Hi Ray- Thank you for your questions, we appreciate it.  This particular blog was solely intended to address the fact that Square is not a PCI compliant device and that it is much safer to use a more safety conscious product, like the Phone Swipe.  When it comes to rates and fees, PhoneSwipe is essentially the same as Square since the per swiped transaction fees have been dropped.  The rates are as follows:
Swiped Transactions 2.69%
Manually entered trans 3.49% and $0.19/transaction
NO monthly
NO Minimums
NO annual
NO Contract
the card reader is FREE.

MyBizPerks is a site designed for holders of traditional merchant accounts, however, our No Contract PhoneSwipe account holders are provided a Bronze account which allows them to log in and utilize the reporting tools for FREE.

I hope that answers your questions.  Feel free to write me directly at .(JavaScript must be enabled to view this email address) if you have further questions and thanks again.

Bruce Alborn | April 27 2012

What about annual or monthly PCI DSS fees?
What about quarterly AVS scanning fees?
How are you assured the merchant is PCI DSS compliant?

Rhett Baylies | April 27 2012

Hi Bruce - Thank you for your questions, we appreciate it.
1.  The annual PCI with our preferred provider ControlScan is $79 for standard merchants, however, with our No Contract No Fees PhoneSwipe accounts the PCI Compliance Fee and survey are FREE.
2.  Quarterly scanning is included in the annual PCI fee and is only necessary if processing over IP.
3.  Unfortunately at this time there is no way for a consumer to see if a merchant has taken the necessary steps to protect their customers.  This has been a subject of discussion and in the future I believe that a PCI certification display will be created.  That being said at this time it is 100% certain that any Square user is not and cannot be PCI compliant.

Thanks again Bruce feel free to contact me directly at .(JavaScript must be enabled to view this email address) if you have further questions!

Rhett Baylies | May 04 2012

NEW PRICING ALERT!!! In the above graphic please note that the PhoneSwipe has gotten even better with new lower rates! They are as simple as it gets:

Swiped Transactions are 2.69% with NO transaction fee

Manually Entered Trans. 3.49% and $0.19/transaction

NO contract

NO Minimums

NO Fees

Free Card Reader

Remember if you process more than $5000/month you may benefit from our High Volume rate plans!

Diane | June 12 2012

Hi Ray,

How long will it take for the transactions to be credited to my account?

Rhett Baylies | June 13 2012

Hi Diane-

Thank you for your question Diane.  Generally it takes about 2 banking days for your account to be funded with your transactions.  Feel free to contact us if you have any other questions or concerns!

Sincerely,
Rhett

Aaron Zamost | October 09 2012

This article is wrong. Square is PCI-DSS Level 1 compliant. Square’s card reader is fully encrypted, encrypting credit card information at the moment of swipe.

More information about Square’s card reader is here:
https://squareup.com/reader

Additional information about Square and security is also available in Square’s help center: https://help.squareup.com/customer/portal/articles/7764.

david Abron | October 09 2012

Well, actually @Aaron… you are only partially correct… The app for Square is PCI/DSS compliant… and yet the swiper mechanism is 100% NOT compliant.  So, if someone were to be mischievous, they could use the Square card reader to capture cardholder data and use it for evil purposes… That, coupled with the fact that Square offers lousy customer support and NO LIVE support, is all the reason that I would not use it… In fact, if a merchant brings out a Square device, I don’t even let them swipe my card!

Jon | November 28 2012

Can I use this device to encrypt the credit card swipe and then feed the encrypted value into a webpage text field?  I’m writing a mobile website that is designed to look like a mobile app.  I’d like to be able to swipe a credit card and send the encrypted data to my server, and then my server can send this encrypted string to Phone Swipe mobile for processing, if possible.

thanks for help,

Jon

Rhett Baylies | November 28 2012

Hi Jon, and thank you for your question.  Unfortunately, no, the Phone Swipe app is not integrable with a mobile app/website; however, the Merchant Doctor does have a virtual terminal that can seamlessly integrate for your needs, which we can provide you absolutely free.  If you would like more information simply give us a call or email me directly at .(JavaScript must be enabled to view this email address).  We look forward to hearing back from you.
Sincerely,
Rhett

Janice | April 01 2013

Does your product provide transaction reporting by cardholder name, or just by CC#, which is not helpful as we do not store that information?

How can I demo the available reporting?

Can I call someone to ask about how to set up an account and who is authorized to set up an account for a company?

Rhett Baylies | April 01 2013

Hi Janice-

Thank you for your questions. 

You do get detailed real time reports for your transactions; however, there will be no consumer data associated with each transaction.  You will be able to capture their email address and automatically email both your customer and yourself for each transaction, so you will be able to track your specific customers that way.

You can access your report features two ways: either via the app on your mobile device or via our merchant portal on any computer with an internet connection.

Of course you are welcome to contact me directly at 775-745-1087 to schedule a time to set up your account OR you can complete the simple and secure 3 minute application here: http://www.merchantdoctor.net/index.php/site/mobile_step3 

We look forward to working with you!

Sushi Fish | June 07 2013

IMHO, these new requirements for end to end encryption are really a burden that should be borne by the bank card vendors themselves (i.e. Visa, MC, Discover, etc).
The DSS council has finally determined that they need this end to end encryption, so why don’t they issue cards that have the data already encoded on the cards themselves?
Also, why are they not using smart chips in the US?
Instead, they put the burden on the payment processors and end merchants.

M Sullivan | January 10 2014

With PCI 3.0 I understand that in retail environments the waiter has to swipe the credit card in view of the cardholder.  The waiter in a restaurant, for example, can’t take the credit card and walk off to swipe it at a terminal which is out of view of the cardholder. Is this correct?

Rhett Baylies | January 10 2014

Hi M Sullivan-

Thanks for the great question.  PCI 3.0 came out in November with some minor enhancements, mostly focused on education and app development, with a focus on reminding merchants that PCI is not just a once a year pain in the a$@ but something that is a part of daily operations.  With that being said, I have not seen any verbiage that would indicate that restaurants are now required to accept payments in a face to face environment.  That would seem to be an extreme requirement that a vast majority of restaurants would not be able to comply with - without significant investment.  If your restaurant is interested in accepting payments and placing orders table side, however, we do have a great and amazingly affordable solution!

Thanks again!

Rhett Baylies | January 10 2014

Hi M Sullivan-

This document from the PCI council may be of assistance to you in understanding the changes so you can adapt your POS.  https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf

Steve | January 27 2014

This may have been true… however, it is not anymore.  The swiper on Square encrypts the data on the white device and then sends it encrypted to the web.

Rhett Baylies | January 28 2014

Hi Steve-

Yes, Steve, you are correct, as I have acknowledged; however, the entirety of the rest of the article is accurate.  The card reader is still the most defective on the market, there are still thousands of unencrypted card readers on the market that the public has the right to know about, and the mere lack of due diligence on the behalf of Square, in my opinion, demonstrates a total disregard for the safety of businesses and card users.  This mentality shows in their lack of service and thousands of severe complaints.  The pressure from these complaints and VS/MC stepping in are the only reasons they now have encrypted card readers.

Wouldn’t you rather do business with a company that has always had the needs and safety of its clients and card users at the top of their list?  A company with live U.S. Based 24/7 customer support?  A company that gives your business a unique account rather than mingling your business’ money with that of hundreds and thousands of other accounts?

With the recent problems that major national retailers (like Target) have had I would think that security and customer protection should be the main focus of any payment provider.
