Square working on 'a credit processing and risk issue' before shipping more card readers
By Chris Ziegler 
posted June 19th 2010 10:23AM
posted June 19th 2010 10:23AM
"Dear Square user,
We announced Square with the phrase: "0 to $60 in under 10 seconds."
Square's goal is to enable people to accept payments immediately, everywhere. We realize the amount of time we've taken to ship our Square readers has been frustrating, sometimes confusing, and has generated a number of questions. When we announced the company last December, we estimated Square would be ready in the U.S. sometime in early 2010. Since then, we've let our excitement get the best of us and have released parts of Square before they were fully baked.
A recent email from our support team to a Square user sums up where we are:
Until recently, we were facing a big hardware shortage, but that is now resolved (we sent our co-founder Jim to China for a couple weeks to arrange better manufacturing, and that did the trick). The problem has transitioned to something we've been working on simultaneously, a credit processing and risk issue. We need to strengthen our underwriting infrastructure so that we can handle the huge demand for readers and still manage the risk of chargebacks and fraud. This is the last thing preventing us from shipping readers as fast as we'd like, and we have pretty much the entire team working on it.
The way we are handling the risk of chargebacks and fraud is through transaction limits, but we have received feedback that those limits are too low. We are rethinking and expanding our underwriting infrastructure to address this issue. As soon as we finish, we will send you an email to confirm that you would like us to run a credit check (or you can cancel your request to process cards with Square which will securely remove your personal information). We will then ship your free card reader and activate your account to accept card payments.
We thank you for your continued patience as we work to deliver a utility you can use every day and for allowing us the time to get it right.
Jack Dorsey
Square CEO"
nice addition of text, engadget ;)
@tehslax except you don't actually need the reader.. you can type in the credit card number manually and still be able to use Square.
We were all supposed to be using smartcards or Bluetooth for this by now, not the same old crappy credit cards.
LAME.
@joshl Sorry, but you can't do that. You have to already have received a reader, which is a bit of a Catch 22.
Thanks for posting about this, Engadget! I've been annoyed by this backlog for a while. And the text that was added to the image is so true. I signed up for a Square reader the day they released the iPhone and Android clients, so unless you were an iPad owner, most likely you don't have a reader right now.
Oh well, I'll be happy to see higher limits on transactions. It would have made my business difficult to run the way it was, so I'll be very curious to see what they increase the limit to.
I think square and payment methods of the like will be common pretty soon and people will think it was funny to be so afraid of it.
@uck
Your username inspired me to create mine btw, I thought id let you know.. :D
@uck lol thats a good one as if credit card fraud wasnt bad enough already this wont ever really get main streamed because most people will never trust something this foolish
@uckApple
Ha well I was surprised someone hadn't done it before so welcome to the club ha.
@Jean
I fully agree that it seems iffy but my point is that it is suppose to because it's new and pertains to money transactions but don't be surprised if you be seein them at hotdog stands soon. And you may even be Finding yourself using on before you know it, because those hotdogs are Soooo damn good.
@Jean Marc
TD Canada Trust: "This is a reminder, you just spent $11,000"
Guy: "WHAT THE F****?"
- This just in - Apples Mobile credit card payments found to be insecure, Apple advises all customers to stay away from said services until they have things secured"
Guy: "F****!!!?"
@uck
The only thing we learn here is that you need someone experienced in electronic transactions to plan and design these kind of things.
VISA, AMEX, etc wouldn't have done the misplanning and misdesign of a reader and service, but a founder of Twitter would, unsurprisingly.
@uck ...until people find out there is a demonic subliminal message if the magnetic strip on the card is played backwards.
@uck As soon as people using them realize that both hardware and software are not a secure method of processing a payment then there may be a few businesses and consumers who will avoid this service/product. It would be nice to see them focus more on its security and at some point have PCI compliance certificate of compliance for secure credit card data transmission. Until then all other apps for credit card processing in the app store will continue to take this business away from square. Simply do a search in the app store for Billing app and you will see many apps with better security metrics in place.
Anyone notice in that picture that the credit card reader actually can't be plugged into anything where it is? The headphone jack is on the opposite end, and the dock connector is in the middle, not on the corner.
@VincentLaw iPod Touch....
@VincentLaw If its an iPod Touch then it would be plugged exactly how it is in the picture as the headphone is in the bottom right hand side...
@rmarqu8 I stand corrected, then.
@rmarqu8 True but since the system only works via 3G it still wouldent make sense.
@VincentLaw
Yeah, I don't see a microphone slot like the iPhone has, so I also vote iPod Touch.
@VincentLaw I was going to ask the same thing never looked at an iPod touch assumed it was exactly the same layout as the iPhone. As for the requiring 3G comment are you sure it can't work in wifi hotspots.
I would never and will never hand over my credit card to anyone that has one of these connected to a phone. I have no idea if that is a personal phone that can be taken outside of the shop and have no assurance they arent not trying to save credit card info even though they are not supposed to. No thanks. Theres a reason REAL shops use real merchant terminals - for the assurance of safety; someones phone isnt giving any kind of impression it is safe to have their card slid through.
@loadoftoad - So long as the person is using an app to do this, such as Square, I don't think you need to worry about any of that. Your CC info is sent directly to Square (or whomever). It doesn't just sit on the phone.
But it's your choice to miss out on the fun.
@MRCUR You mean the app that can be replicated on a jailbroken iPhone?
Brings a new meaning to phreaking.
@MRCUR Not necessarily. Depends on the hardware. Your credit card information is not encrypted on your card. All you need is a simple piece of hardware to read it in to plain text. Most MSRs (Magnetic Stripe Readers) do not encrypt information via hardware and act as what is know as a keyboard wedge (dumps swipe data like it was typed in on a keybaord). New ones do, but are rarer to find and will be some time until they proliferate out to the majority of retailers. Plus they need the right software to interface with it. Alot of Point of Sale software encrypts the card information AFTER it has been swiped and does not yet support hardware encrypted MSR's.
If this dongle itself isn't encrypted, all someone would need is a jailbroken iphone, and a custom app to capture the information on the magnetic stripe.
I would NEVER trust someone using this. I would pay cash before letting them swipe my card with this device. I work with POS hardware and software and deal with PCI compliance every day.
Their website give no clarification on the hardware spec or possible encryption. It does mention PCI compliance but given the hoops retailers who use POS software have to jump through, I'm scratching my head how in the world this software could be compliant on such an inherently INSECURE device (a mobile phone).
@loadoftoad :"I have no idea"
This is all anyone needs to know of your argument.
You have no idea what the actual risks involved are, but yet you still feel entitled to pass judgment on the product.
@radarskiy
You are blind and dilusional. With the ability to easily develop apps for the iphone and android it doesnt take a genius to install software to grab cc data and use it for their own purposes. With so much skimming that occurs this just makes it that much easier.
The data on this device is not encrypted at all when its swipped. I know someone in Visa that has worked with these guys to get their device 'compliant'. They have reported back there has been very little interest in this device from retailers. Nothing is encrypted, nor is anything stored on the iphone; however that doesnt mean someone cant write their own application to grab that data and have it saved - then sell those cc's or commit credit card fraud.
radarskiy you are guliable and naive, and I can almost guarantee you are one of the idiots who have to subscribe to identity theft services because your credit card and social security number has been compromised MULTIPLE TIMES.
@loadoftoad And you are absolutely sure that there's not a keystroke journal somewhere with your credit card number, expiration date and perhaps even the card id number. maybe even your name and birthdate depending on what they entered during the sale.
you might be shocked to find out that there is. Often. And it doesn't help that only the managers have access, if they are the ones selling the info.
@loadoftoad You don't even have to do that much. I was at a street fair just the other day where several vendors where taking credit cards via the paper slips, writing in names, birth dates, phone numbers. and folks were just giving them the info. totally trusting them. No clue what would happen after someone got home and rang up the sales. All it takes is one lucky trash bag of unshredded slips and there's a lot of credit card numbers out there.
If someone whipped there iPhone out and told me I could pay for there goods by swiping my credit card through that little white plastic thing. I would tell them there F'ing crazy and take my business somewhere else. Why would I do this? Because only tree hugging hippies and soccer mom's use iPhones.
@ObsceneJesster
And communist. Can't forget those communist.
@ObsceneJesster Unsure about the USA, but most banks, especially in the UK and the EU, disallows the magnetic strip to be used, we have to use a "chip and PIN", which uses a SIM chip on the card.
Chip and PIN would make this device useless.
Magnetic strip and signing was done away with years ago because they are susceptible to fraud.
@iDamien
it also works on android
@simonhowes : "Magnetic strip and signing was done away with years ago because they are susceptible to fraud. "
No, the move to Chip and PIN was to shift liability for fraud to the card holder. It does less than you think to stop fraud itself.
@simonhowes The key there is 'unsure in the USA'
the US has not moved to chip and pin and probably won't for a while. The stripe system is rather entrenched. Just getting strip and pin is hard. I often pull out my check card (which works as both a debit and credit card) and want to use debit but the system only takes it as a credit card.
@simonhowes but fraud is what makes the USA awesome!
These people are all about fail.
I can't believe that no instructable has been posted on how to make your own, probably better built, cc reader.
@Godfather
The mob doesn't deal with plastic.
@Godfather
SIMPLE: You make an app that (1) takes a picture of the credit card and (2) does some OCR on the numbers, expiration, and name. NO HARDWARE REQUIRED.
I don't get why anyone really cares about this.
@jfine
Hot dog stands, art/craft fairs, day laboring, adhoc masseuses, mobile strip joints, all are clamoring to be able to swipe your CC in exchange for a service.
@Godfather I bet they're excited to pay the vendor's fee for allowing you to swipe the card too. Tell me again why i would swipe my card, or enter my personal details on someone else's cell phone at any random place where the person holding the card reader is free to run away with my data?
@Godfather Gotcha. For some reason seeing this posted on a consumer blog made me think it was more for "everybody" not unlike PayPal. I can certainly see the usefulness of this in a boutique sort of environment.
This was bound to happen. They are acting as the merchant and also taking the hit for each chargeback not to mention they are wanting to compete with paypal in that respect.
Business owners small or large know too well that they need a merchant account in order to bill their clients and customers while having their DBA or business name on each receipt thus keeping chargebacks less prone due to confusion whereas Square uses a general dba name for all its merchants aliases and thus they wonder why they need to rework there strategy?
Sure twitter works like a charm but get into the merchant services business and try to flip it on its head and see how much well it will work out...
There are dozens of cool merchant centric iphone apps available and most have been available before square was even vaporware. Check out BILLING for example this is one I recommend as it is open and portable meaning one is not forced to use any particular merchant provider instead it supports the popular Authorize.net gateway. It is plug-n-play essentially for any merchant. Here is the link: http://www.spartadata.com
Good luck square ands all that follow their so called merchant offerings...
@paul99 - Square allows you to have have a business name as your "name" AFAIK. It shows up on your statement as SQ* (insert name here). Sure, some people will still be confused, but come on now. There's only so much Square can do to make idiots not be idiots.
Typical Engadget, distorting the situation as always.
@uckEngadget Care to elaborate?
A visit to their website shows that they're not square on letting you in on what their limits are / how they go about setting them up. Their solution to increasing the limits in the future, is to allow them to get a personal credit report from the 3 bureaus (read: soon you'll be able to take a major credit hit on your credit score, by signing up with Square).
But what's very disturbing, is that they require you to use a personal social security number instead of a business' Federal Employer Identification Number. Just another route for your personal information to get loose on the internet.
I just wanted to experiment with the reader and my own software, but it'll be a cold day in Hell before they do a hard pull on my credit score.
I'm glad to see that someone actually read the literature before posting any stupid comments! FTW
Has anyone else noticed in the picture that the Square unit is plugged into a port on the iPhone that doesnt exist?