The VeriFone-Square Battle Moves The Encryption Debate

In last week's kerfuffle over VeriFone's encryption fight with Square, the issue of whether a free, early-stage mobile payment device needed to have hardware encryption was key. But the capabilities of most of today's POS units are such that it may be a silly debate. Many of the units can't handle the encrypted communications, forcing the data to be converted into plain text so the POS station can comprehend it.

"Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals," said Tom Siegler, VP of Strategic Market Development at UIC USA, another vendor in the payment space. "The reader must be key-injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gate the transaction and charge a fee for the service. This was VeriFone's and MagTek's business model. All encrypted transactions would generate revenue. Nice business, if you can get it."

Siegler's point is not that mobile payment encryption won't ever happen, but that it will take time and standards so the transaction format is accepted at every level. "These payments are a chain of events, and there are about five different players involved. If they all don't play together, the device won't work," he said, adding that the device will say "I've never seen this message format before" and then "the transaction just won't happen."

(Envision a Retail IT version of A Few Good Men, with the lead POS played by Jack Nicholson, who's arguing with a cocky card reader. "You want the encryption? You can't handle the encryption!")

The risk argument that VeriFone has made is that cyberthieves could use the Square device to steal data from consumer payment cards. To do that, though, the thief would need to physically access the card. And if retailers are using the device, the only fraud risk is that their systems would have unencrypted payment card data, which most chains have anyway due to current POS limitations.

The bigger risk, VeriFone argues, is that a store associate might take the payment device, use it to access Web sites and unknowingly download a Trojan horse program. That program would hide within an innocuous application or file and then copy the payment data, later transmitting it to the thief who created the Trojan horse. "There is no malware protection generally available for these devices," said Paul Rasori, VeriFone's Senior VP for Global Marketing.

Making this situation a lot trickier is that the PCI Council has delisted mobile applications and is refusing to approve any until it completes a lengthy review of all mobile issues.

In one to two years, these issues will almost certainly be addressed. The PCI Council will have issued its guidance by then, and newer POS systems—and all of the downwind players—will likely have embraced a standardized approach to encryption.

The future for mobile payments looks bright. But right now, here in the present, retail needs to adopt a series of temporary measures. These are approaches that will allow for mobile experimentation and limited deployments to happen while the more permanent fixes are being finalized.

In this stopgap environment, easy and low-cost options like Square are going to look very attractive.