FRAMINGHAM 9 MARCH 2011 - In a highly unusual move, electronic payment vendor VeriFone Wednesday said it found a "gaping" security hole in a free plug-in mobile credit card reader from Square, a startup launched by Twitter founder Jack Dorsey.
In an open letter to "industry and consumers," VeriFone CEO Doug Bergeron called on Square to recall the devices because they pose a serious security threat to consumers.
Square, co-founded by Dorsey and Jim McKelvey in late 2009, offers a free device that can be plugged into the headphone jack of an iPhone, iPad or Android phone to instantly convert the device into a credit card reader.
Bergeron said Square's card readers don't encrypt cardholder data as a payment card is swiped through the device. The vulnerability would allow criminals to write and use applications that can download credit card data to a mobile phone.
In a YouTube video, Bergeron said it took less than an hour for VeriFone personnel to write an application that could be used to skim or steal unencrypted cardholder data as it's swiped through a Square card reader.
VeriFone has posted a sample skimming application for download by anyone who wants to verify how easy it would be to steal card data from a Square card reader. Bergeron said that VeriFone sent a similar app to Visa, MasterCard, American Express and the other payment card companies.
"If the industry allows Square and others to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure," Bergeron said.
Square did not respond to a request for comment on VeriFone's charges.
Square touts its card readers as devices that can easily be used by taxi drivers and seasonal market and street vendors to accept credit card payments. "You can even have your friend that owes you $20 pay you with their card, since their wallet always seems to be empty when you remind them," the company says in a note on its site.
Square currently accepts U.S.-issued MasterCard, Visa, American Express, and Discover cards and charges a flat 2.75% for all swiped transactions. Anyone can register for the service by simply providing Square with a physical address, a Social Security number and a U.S. bank account number.
Gartner analyst Avivah Litan said Square currently processes card transactions valued at between $2 million and $10 million each week. The company has set a goal of processing $1 billion in card transactions in 2011, Litan said.