This is page 2 of:
PCI-Less Card Payments: Square’s Mobile Scheme
Square then handles the actual transaction and electronically sends the retailer the money, minus a 2.75 percent fee. On the consumer’s payment-card statement, Square will appear as the merchant.
If this all works, the retailer would never have access to any card data and would, therefore, be immune from PCI issues. Pragmatically, though, there is no shortage of hurdles for Square to make this happen in any type of meaningful way. First, it requires both the customer and the retailer to be using this service. That necessity is going to run into some serious chicken-and-egg issues, with retailers hesitant to offer the service without hearing from a lot of customers that it’s of interest and consumers disinclined to get the service until they see a lot of their favorite retailers offering it.
Security is also a concern, with a photo not being the world’s most secure authentication method. (It’s better than signature, but that’s a rather low bar to clear.) Adds Gartner Security Analyst Avivah Litan: “They also enable PINs on high-value payments, but it’s not clear how easy or hard it would be for a fraudster to impersonate a Square account holder and filch their PIN. I suspect this is a looming weakness of the system.”
StorefrontBacktalk‘s PCI Columnist, Walter Conway, who is also a QSA, shared some of Litan’s security concerns about the photo. “Substituting a picture for a signature does not seem like any great step forward in security, although it may seem more customer-friendly. I keep thinking of my driver’s license or passport picture, and wondering if the poor barista will recognize me,” Conway said. “It seems like a stolen phone—while it will be noticed sooner than a stolen wallet—could still be used for transactions. ‘Yeah, that’s a pretty bad likeness of me, ha ha.'”
As a practical matter, I don’t see the security issue as much of a concern. First, the only real advantage for a thief would be to pretend to be the real cardholder. (There’s no reason to create a bogus account with, say, a stolen payment card. If you have the credit card, you might as well use it directly.) For the low-dollar values typically involved with Square (the initial takers tend to be fast food, coffee houses, bars, pizza, etc. No Mercedes dealers or Saks Fifth Ave.), why bother with a disguise to impersonate someone?
There’s an even better security defense. The merchant won’t accept payment until the merchant expects it. That means the customer would have to select that merchant when the customer is right around the corner. How would the thief know the victim’s plans? And isn’t it really risky to impersonate someone who you know will walk in the door any second?
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
