Square “Violations”

16 March 2011 (Updated 17 Mar)

My top issue w/ mobile swipe is clearly customer behavior and potential data loss.  I’ve been asked to provide a basis to decline Square transactions (debit particularly) so, rather than sending out multiple e-mail responses, I thought I would share. Issuer Top 4 reasons to decline Square

• PABP/PCI compliance
• Collection and use of ancillary customer information
• Paper Signature requirement
• Chase has all of the equity upside

Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data.

http://usa.visa.com/download/merchants/validated_payment_applications.pdf

 

Phase V of PABP went into effect on July 1, 2010. This phase required all Acquirers to ensure that their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP /PCI DSS is available at www.visa.com/pabp. Note Square is missing, how can Chase acquire for merchant/aggregator that is in clear violation?

UPDATE 17 Mar (Thanks Bob Egan) Evidently PCI has revoked certification of all mobile swipes until new rules have been created. See related post  http://storefrontbacktalk.com/securityfraud/pci-council-confirms-multiple-mobile-applications-delisted/2/

From the Visa Operating Reg, (pg 428)

While Square does not “require” mobile number or e-mail address, it is collecting it at time of transaction (plus your location). As this information is associated with the transaction, it must be managed within PCI. The business risk here is that Square will use address and location information for something else.. or Chase gets the e-mail address of all of your card customers. This is why the rules were created.. so this does not happen.

Last is Visa requirement for paper receipts. From Visa’s Transaction Acceptance Device Guide

Chase bears all of the burden here, I hope they have taken a holistic view of the fraud and data compromise risk.. not just approving their own cards… but for every card ever swiped by Square.  Advanced fraud schemes take 18mo-2 years to develop.. so it may take some time for risk to materialize.. and for them to pull back.  Chase.. these future losses will easily wipe out the 15% of Square equity that you hold.  Perhaps they are moving so aggressively here because one of their key partners (ie Apple) is falling down in NFC.  Which brings to mind the larger question: Is Chase Anti NFC? 

Remember just 4 weeks ago that all of the US banks were looking at a future where ISIS would control NFC on the handset. Perhaps this is Chase’s way of developing an alternate strategy to address NFC’s biggest weakness: infrastructure.  If this is true.. then Chase I apologize.. your strategic play here was indeed valid. As of this month, we are looking at a ISIS crash and burn and NFC control with RIM, Google and Nokia. My hope is that Chase will abandon Square once the threat, of MNO control over payments, has been eliminated. 

Recommendation for banks

1. Educate your customers. DO NOT give your personal information out when you use your card
2. Start to educate your customers on mobile payments in general.. how will it work?
3. Encourage use of credit over debit.. greater consumer protection and better margin for you
4. Set some common sense rules .. use your card with trusted vendors (Apple, Grocery, … )
5. Educate your customer facing employees from branch to call center..
6. Think about your small business value proposition, how can you help small businesses accept cards?
7. Issuers, think about declining Square transactions.. particularly for debit