Square, Verifone, BankAmericard and PayPal: History Requires Payments Innovators to be Security Leaders
March 11, 2011
Verifone has fired a missive at Square, aimed squarely at the innovative company that brought card-swipe devices to nearly anyone with a smartphone. As with PayPal a decade ago, barriers to becoming a payments-accepting merchant have been removed, this time by Square. As is often the case, in place of the barriers are new security concerns.
BankAmericard and PayPal were launched amidst significant fraud concerns too. In fact, whole new categories of protection methods, technologies, regulations and products came in the wake of what is now Visa and eBay. Here in San Francisco it’s a given that innovators need room to do what they do, and yet the forces of markets and even regulators (of either the government or industry self-policing variety) will hold innovators accountable.
It’s been said that we can eliminate all fraud by eliminating all transactions. We can also eliminate all fraud by eliminating all innovation, but I don’t think anyone wants that either.
Verifone is the dominant force in payments-swiping terminals, and our research has found them to be among the leaders in security as well. Square is trying to do something quite PayPal- and BankAmericard-like. If history is any indication, Square must soon become a security leader or they will be forced to surrender their role as payments innovator.
When BankAmericard mailed ready-to-shop cards to every mailbox in Fresno, California, they set the foundation to eclipse the regional success of Charga-plate and Diners Club. BankAmericard initially encountered massive fraud, but Visa is now not only a security leader but sometimes even a private-sector regulator of other companies (anyone remember what Visa did in reaction to CardServices, after the acquirer’s security incident?).
PayPal was launched and the phishing attempts started almost immediately (I received one in the late ’90s), not to mention untold regulatory and patent concerns. PayPal embraced security as a strategic advantage (not just an operational imperative), as evidenced by Max Levchin’s innovative authentication method involving two small random deposits into the new applicant’s deposit account. The method created by the once-interloper is now used by countless financial institutions around the world, and PayPal’s fraud mitigation teams are known as being world-class.
I’m not certain that I can fault Square for launching the current iteration of its card-reading device to the masses here, as did VeriFone in their missive. Many other card-reading devices are available to would-be criminals, although VeriFone (another significant security leader, particularly now in point-to-point encryption) is correct in calling out Square for not treating security more prominently. Security is everyone’s responsibility, and payments innovators must particularly embrace this lesson of history.
I feel fairly certain of two things:
1) If massive fraud occurs as a result of Square, the industry will soon react, in response to advanced analytics which are now commonly used by the likes of American Express, Discover, First Data, MasterCard, TSYS and Visa. If such fraud suddenly occurs, swift action will be taken by such companies, which could bring Square to a halt. I disagree with the part of Square’s response that says zero-liability provisions are the solution to any risk associated with the company, because Javelin data show that the average existing account card fraud victim actually paid $565 out of pocket last year (see our new Identity Fraud Survey Report). I do believe that back-end industry protections will be a potential backstop to a security catastrophe, but that never absolves anyone of consequences or responsibility.
2) As with any true payments innovator, Square must innovate at security if they are to succeed. Unless Square changes the course of payments history, there can be no other way. History has not yet allowed any deviation from this mandate, and the clock is ticking.