Exploring the Dongle: A Tale of Two Swipers

One of the coolest features we’ve ever published on about security took on a device with perhaps the silliest name of any component of payments: the dongle.

Dongle security is an important issue for many small businesses throughout the U.S. While most of the big players in the space keep their sales figures close to the vest, we estimate between 2 and 2.5 million dongles have been delivered to merchants for payment processing.

It follows, then, that millions of merchants would want to know more about what’s inside that all-important dongle. To that end, ROAM Data provided a literal inside look at the technology involved in swipe payment processing near the end of last year. The image appeared on ROAM’s blog as part of a somewhat confrontational post — indeed, the title was, “ROAM Data versus Square.” But the image and the accompany discussion provide key insights into an issue that has to be discussed in any exhaustive look at payment security at the point of sale: the security of the swipe. (A key example: with ROAM, both the swipe reader and the payment app encrypt the data; not so with Square.)

As of yet, no set of standards exists for the regulation of safety in the mobile attachment. But Ken Paull, an executive vice president at ROAM, thinks that day may not be far off. To that end, ROAM’s security is, “ahead of the curve,” Paull explains, and the company is “already working on advanced security, including EMV.”

As for ROAM’s original dongle breakdown, we present the image and description from that blog post below.

One can immediately notice that Square has no electronic components other than the magnetic head tied to an audio jack. When a card is swiped, an analog signal is generated and transmits the track data in the open via the audio jack to the phone, where a piece of software is used to decode the data.

In contrast, when looking at the ROAM swipe internals, the patent pending design is packed with sophisticated electronics that enable power to be generated via sound waves sent by the phone instead of a battery. When a swipe occurs, track data is instantly captured on the reader by the electronics, it is digitized and encrypted by the microprocessor on board, then transmitted via a proprietary communication protocol to the mobile device with compatible software, and then sent to a secure payment server where it is decrypted and passed to the payment processor. This unique design enables ROAM to have superior security, better read rates, and the largest device reach possible.

Problems with the Square design:

  1. Without electronics, it is incapable of encrypting the track data before it arrives on the mobile device. Thus the Square reader can be used by any rogue app as a skimmer with zero hardware change.

  3. If you swipe too slow or too fast the data fails to be captured by the software program on the phone, leading to poor read rates.

  5. The physical design has a short “throw length” (guide that keeps the magnetic card from wobbling during swipe) leading to poor read rates.

  7. Without electronics it cannot control the communication protocol between the swiper and certain mobile devices like Blackberry and certain Android devices, thus reducing device reach.

ROAM’s team has years of experience delivering mobile phone POS solutions to market, and ROAM owns or has licensed a number of granted and pending patents in this space, including exclusive rights to certain IP that are critical for development of these readers.


Featured PYMNTS Study: 

With eyes on lowering costs to improving cash flow, 85 percent of U.S. firms plan to make real-time payments integral to their operations within three years. However, some firms still feel technical barriers stand in the way. In the January 2020 Making Real-Time Payments A Reality Study, PYMNTS surveyed more than 500 financial executives to examine what it will take to channel RTP interest into real-world adoption. Here’s what we learned.

Click to comment