PCI-Less Card Payments: Square's Mobile Scheme

A new Square mobile POS offering introduced on Monday (May 23) quietly delivers something that many vendors have falsely promised but never delivered: Absolute escape from PCI rules. Yes, the much-promised-but-never-realized claim of PCI out-of-scope actually does exist within the Square offering.

It enables a retailer's customers to pay with Visa (a key backer of Square), MasterCard or American Express without having to abide by any PCI restrictions. And, yes, there are a few (admittedly major) limitations, but the exclusion appears quite real.

When you push all rhetoric aside, PCI in-scope simply comes down to this: If a customer hands a payment card to any of a retailer's employees/contractors—or swipes or waves the card into a device inside or controlled by a retailer or types the information on that card into a Web site branded and controlled by a retailer—that retailer is subject to PCI. If the customer doesn't, the retailer isn't. Even a token doesn't get the retailer out-of-scope, because a vendor has the ability to match that token to the actual card number. As long as that capability exists, that token must be protected as though it were the card number.

What Square's new approach, dubbed Card Case, does is fully take the retailer out of the line of fire of the card information. In effect, Square acts as the retailer. The system has the card data going from the consumer to Square, which interacts with the processor. Even the charge that appears on the customer's bank statement says "Square." (That's something we confirmed Tuesday [May 24] with one of the 50 test retailers that started trialing the service the day before.)

Here's how Square Card Case is supposed to work. There are two hardware elements: The consumer side (typically using an iPhone) and the retailer side (typically using an iPad). Consumers need to download the Square app and complete a one-time-only registration, where they provide their information, including payment-card data, and upload a photograph of themselves.

After the registration has been completed and accepted, the app will list participating retailers in the vicinity of the phone, along with a list of what that merchant is selling. If interested, a consumer selects a retailer, which causes a message to be sent to that retailer to expect that specific consumer. That consumer's name and picture will be displayed on the merchant's iPad.

When the consumer shows up, he/she can make a purchase by going to a store associate at the checkout area and "paying" for the item by simply saying his/her name and that he/she is using Square Card Case. The associate looks at the iPad app and matches the consumer's name with the name and picture on the screen. If it matches, the associate simply enters the amount of the purchase and executes it. Square then handles the actual transaction and electronically sends the retailer the money, minus a 2.75 percent fee. On the consumer's payment-card statement, Square will appear as the merchant.

If this all works, the retailer would never have access to any card data and would, therefore, be immune from PCI issues. Pragmatically, though, there is no shortage of hurdles for Square to make this happen in any type of meaningful way. First, it requires both the customer and the retailer to be using this service. That necessity is going to run into some serious chicken-and-egg issues, with retailers hesitant to offer the service without hearing from a lot of customers that it's of interest and consumers disinclined to get the service until they see a lot of their favorite retailers offering it.

Security is also a concern, with a photo not being the world's most secure authentication method. (It's better than signature, but that's a rather low bar to clear.) Adds Gartner Security Analyst Avivah Litan: "They also enable PINs on high-value payments, but it’s not clear how easy or hard it would be for a fraudster to impersonate a Square account holder and filch their PIN. I suspect this is a looming weakness of the system."

StorefrontBacktalk's PCI Columnist, Walter Conway, who is also a QSA, shared some of Litan's security concerns about the photo. "Substituting a picture for a signature does not seem like any great step forward in security, although it may seem more customer-friendly. I keep thinking of my driver's license or passport picture, and wondering if the poor barista will recognize me," Conway said. "It seems like a stolen phone—while it will be noticed sooner than a stolen wallet—could still be used for transactions. 'Yeah, that's a pretty bad likeness of me, ha ha.'"

As a practical matter, I don't see the security issue as much of a concern. First, the only real advantage for a thief would be to pretend to be the real cardholder. (There's no reason to create a bogus account with, say, a stolen payment card. If you have the credit card, you might as well use it directly.) For the low-dollar values typically involved with Square (the initial takers tend to be fast food, coffee houses, bars, pizza, etc. No Mercedes dealers or Saks Fifth Ave.), why bother with a disguise to impersonate someone?

There's an even better security defense. The merchant won't accept payment until the merchant expects it. That means the customer would have to select that merchant when the customer is right around the corner. How would the thief know the victim's plans? And isn't it really risky to impersonate someone who you know will walk in the door any second?

There are also the practical advantages, such as losing all those paper receipts, a lower interchange fee (for smaller chains and solo-location merchants), easier online reporting stats and the "Get Out Of PCI Free" card. Of course, to truly get out of PCI, the retailer would have to accept only cash, checks and Square. Just one direct Visa charge and it's, "Hello PCI Paperwork."

Todd Michaud, the IT VP for Focus Brands (Carvel, Cinnabon, Schlotzsky’s, Moe’s Southwest Grill, Auntie Anne's and Seattle's Best Coffee Int'l), is skeptical of whether Square Card Case will do much business beyond the 50-merchant trial, especially when the excitement dies down.

"The fact is that my guess is that a large portion of the people with readers are people like me (and I do have one) who got it for the coolness factor, tried it a few times, but rarely use it," Michaud said. "This is the Jack Dorsey hype-machine in over-drive. I saw the same thing happen with Twitter. Their PR machine told everyone how popular it was to make it popular. I guess Square got some coverage at the NRA (National Restaurant Association) show this week, getting all the restaurant companies buzzing. I can't wait to see what happens when the small restaurant companies dive into this, because it's cool, and then a 16-year-old waitress drops three iPads in a week and the restaurant has to buy new ones at $700 to $1,000 a pop."

Conway agreed with Michaud's concerns. "The 'cool' factor has led to many people I know getting their Square and, after they showed it off, it sits in a desk drawer. I really like [Michaud's] dose of QSR reality that many dreamers may be missing."

Conway also expressed concerns that, with such a tight margin, it won't take many surprises to derail it. "One thing to watch will be exception items like chargebacks and disputes that can ruin their profit model," he said. "They'll blow through the 2.75 percent—especially on low-ticket items—pretty quickly."

Given the concerns mentioned above and the logistical challenges—not to mention that Square isn't even initially trying to push this capability for major chains—it would seem to have little near-term impact on retail payment or PCI. But that assumption would not be correct. One of the merchants involved in the trial does not accept any payment cards and limits its tendering to cash, checks and Square. That makes the theoretical case very real: a retailer whose customers see charges on their credit-card bills while the retailer itself stays out of PCI scope.

It means it can be done. Would a tweaked master merchant approach work for major chains? Let's not lose sight of the fact that Visa—one of the original, and arguably the strongest, backers of PCI—is a financial backer of Square. This much is without debate: Between the telecom carriers fumbling over themselves trying to deal with direct payments and the backroom efforts, mobile payment is going to be getting very interesting for the next year or two.