Yeah I saw that here but still I’d not trust it just yet
The PayPal devices are totally fine & secure - same as the iZettle ones. The PIN entry is done within the controlled verified hardware.
The Square one does not have a PIN pad on the device.
I guess I’m just used to the chip and pin devices we have now
In my opinion, they should have sorted out the standards before releasing their device. Or developed compliant hardware. If I were a small business, there’s no way I’d use a Square reader. Seems like I’d either:
- Be liable for fraud
- Lose business from people who aren’t comfortable putting their PIN in my phone
Or probably both of the above!
Or the merchants will now be able to accept card payments from anyone who’s willing to enter their PIN in your phone & everyone else will pay with cash, just as they were before 
1 Like
Yes, but some of those people previously ‘paid’ by not bothering at all. There’s a local café that didn’t accept cards for years, but started to (with SumUp) last year because they found they were just loosing too much business. And I’ve been somewhere before where a card reader wasn’t working, and because I didn’t have the cash on me I had to cancel the purchase. That’s the danger for a small business. Well, the fraud liability is probably the bigger danger, but loss of custom is definitely one as well.
I should add that I’m not trying to argue anyone out of using these readers, either as a business or a consumer. In the end it’s a business or personal decision. If Square can make a go of it, great for them. If enough people don’t care, then it clearly won’t be an issue for them or merchants.
I don’t mind – I find it an odd strategy, and I don’t feel they’re being entirely clear/straightforward about the security compliance of their reader. But I don’t have any agenda here. Just trying to understand whether Square have done something differently to all the other mobile card reader companies (PayPal included), or are just ignoring the requirements (while trying to get them changed). If it is the latter, I won’t use my card with one of their machines. So if I come across a merchant with one I’ll either have to use cash as @alexs and @anon44204028 say, or pass up on the purchase. But that’s my personal stance, I’m quite happy for others to act differently. 
There are also many customers wary about these small handheld payment devices and are reluctant to use anything other than the big traditional terminals
1 Like
I have seen firms like stripe, which can be integrated into a website, be used directly on a merchant’s phone in a browser window to collect payment with card details keyed in!
1 Like
That’s not so bad because it is properly recognised as a card-not-present transaction and the interchange rates are higher to reflect the increased risk. Also the merchant would be entirely liable for any fraud on that transaction.
So I received the reader and had a play with it. It’s exactly as-expected, and there is no obvious way they’ve somehow made the software PIN pad safer.
2 Likes
Amusingly, it turns out that Square has actually now deleted their UK PCI compliance page…
4 Likes
2 Likes
Interesting. I wonder what measures are in place to ensure the security of people’s PINs. Or looking at it another way, how phone apps will be certified (given that physical PIN devices have to go through a stringent security audit).
1 Like
It’s not more nor less secure than a conventional card terminal - what proof do you have that a conventional terminal is secure? The insides could have been replaced with an evil device that steals your PIN and card number just like malware could do for the Square device.
The proper solution to that is to not enter anything on an untrusted device. I remember seeing a picture of a card (could be fake though) with an integrated display and number keys - the idea would be that the card (something you trust) would display the amount and allow you to enter your PIN on its own keypad, so a fraudulent terminal can’t do anything. Another solution is to have no PIN and instead authorise the transaction out of band via a mobile app.
No, that couldn’t happen. To get certified, PIN entry devices have to have tamper detection that disables the unit if it’s opened. And the circuitry that handles the PIN verification is manufactured in a secure facility, coated in resin, and used as a module on the main circuit board. So there are physical security barriers that prevent what you describe, for card machines in the UK.
2 Likes
“Disables the unit” how will it disable the unit if I replace the entire “computer” in there with my own? Or what it I just make my own unit from scratch that looks like the real one ? 
Fraudsters are quite experienced with building real-looking skimmers so I expect them to be able to build an entire fake unit if needed.
1 Like
As a lot of pin entry card readers are actually posted out to users I am sure there is a chance to tamper with devices. And unless you open it to check it still resin covered etc how can you tell if it tampered with. It ultimately comes down to trust.
2 Likes
You assuming a thief/scammer actually takes the money from the transaction where the card is cloned. Why not get a pin entry device, gut it to become a cloning tool, setup a market stall selling stuff with low value but good markup(say phone covers). Those that pay cash fund the items, those paying by card get details stolen, but the item for ‘free’, but scammer gets card details and pin number
1 Like
1 Like