Verifone's letter about the security risks of Square's non-encrypted card reader has sparked a lot of debate about card skimming in the mobile age. Regardless of how the topic was presented, the problem is very real and should be properly understood and addressed by industry regulators before it grows exponentially along with the exploding mobile commerce market.
Many consumers do not see card fraud as their problem, unless they have been hit by the hassles personally. Most do not realize the cost of card fraud (in the $Billions each year) is first burdened by merchants, is then spread to consumers with higher prices at checkout. This is equivalent to us collectively writing a multi-million dollar check every single day to pay criminals for stealing our card data. The size of that check is directly proportional to the ease of access to card fraud tools.
“Skimming” is the leading form of card fraud in the United States and refers specifically to electronically capturing of cardholder information stored on the magnetic stripe called “track data”. It is different than copying the numbers on a card with a pen, because track data can be used to reproduce fake credit cards to make large purchases at retail locations.
Why is skimming in today’s mobile arena more dangerous than traditional skimming at restaurants and gas pumps? Because it is harder to catch, and skimming tools are easier to proliferate if not encrypted. As an example, criminals can sell ½ price T-Shirts in front of sports or concert venues using a fake POS device to skim card data in bulk then immediately reproduce and use the fake cards at any store to rack up thousands of dollars in charges before the consumer even gets home that day. To pull off this kind of mobile skimming “in the open” use to require sophisticated criminals’ to create a fake POS device that looks real. In the case of Square’s reader, the actual skimming device is the real device, since it has no encryption, no alteration is required and the readers are given away for free to anyone who asks for it. Combine that with the ease of smartphone software access and there is no doubt this problem can explode and be more dangerous than many people think.
Some suggest authenticating the track data as a fix, but that does not address the source of the problem, and won't stop card number from being used online, not to mention it would take a very long time to implement at all the stores. The immediate and most important fix is to stop the spread of non-encrypted mobile readers that can be used as skimmers in the open. Making skimmers hard to access won’t eliminate skimming all together, just like making illegal drugs hard to access won’t completely eliminate its use, but it does dramatically curb the damage.
Today mobile card acceptance can be secure and cost effective, choosing the right solution is key. Verifone's reader is encrypted but it fits only certain iPhones and is much more expensive to produce than Square’s or ROAM’s readers. Square leverages a simple audio jack technology to keep cost down and to reach more devices, but it has no electronics for encryption. Audio jack methodology is not new, ROAM Data is using technology originally developed in 2007, and has licensed the patent filed in Feb of 2009, (before Square started its business.) ROAM’s solution fully encrypts the track data before it leaves the reader and is decrypted only at a secure and PCI Compliant payment server. ROAM’s audio reader contains more sophisticated electronics than Square’s reader which enables not only security, but higher card read rates, and when combined with its software, supports more mobile devices than any other solution on the market. ROAM has developed its own patented mCommerce technology platform, and it has licensed multiple related patents exclusively and non-exclusively, to create the industry’s leading mobile phone card acceptance solution that is easy to sell and cost effective enough for many of our resellers to give it away for free to their customers.
Note that ROAM does not compete directly with Square for merchants, see "Is ROAM competing with Square". ROAM is a mobile commerce technology and service provider founded by payment industry veterans. It won the 2010 Technology Innovation Award at the ETA, and already has about 200 Merchant Service Providers (MSPs) reselling its solution, including some of the largest payment providers in the world. ROAM provides a suite of mobile commerce applications for its MSP partners to better service their merchants. As a Level-1 PCI Certified third party processor, ROAM takes security very seriously. We chose to provide a slightly more expensive but more robust reader solution, to reduce skimming and provide a better experience for end-users.
Before we blame Square for proliferating skimming tools, do keep in mind there are no rules yet to mandate encryption on mobile readers. If regulators from PCI-SSC do not act soon however, there will be pressure from MSPs to suppliers like us to follow Square’s example, which would definitely worsen the problem. A simple ruling now to mandate encryption of card data before it arrives on the phone can save merchants and issuers a ton from fraud, and would help consumers feel safer about paying mobile merchants.
We all want mobile commerce to grow, but security should not be an option! Through technology innovation, we can have low cost and convenient mobile card acceptance, without sacrificing security. We are relying now on industry regulators to issue new rules for new environments to keep fraud down and consumer trust high.
Will Wang Graylin
CEO, ROAM Data, Inc.
About ROAM Data
ROAM Data provides patented mCommerce software, hardware and services that enable merchants to win customer spend and loyalty. ROAM Data securely delivers faster more convenient transactions for small and large merchants across virtually any mobile device. ROAM’s mission is to enable mCommerce to improve lives.
ROAM’s team has been innovating in this space for over 10 years and has cracked the four major problems that have held back the full scale adoption of mCommerce namely: device complexity, payment security, legacy system integration and app deployment/maintenance. ROAM partners and customers include some of the largest payment providers e.g. Intuit Payment Solutions, Ingenico, First Data, Chase Paymentech. ROAM won the 2010 Technology Innovation Award sponsored by the Electronic Transaction Association and is setting the standard for scalable mCommerce solutions for merchants everywhere. Visit us at www.roamdata.com