It would be trivial for people to intercept the PIN number when it is entered on the seller's phone. That's why competitor devices (iZettle, PayPal) all have a keypad and screen on the card reader itself, it lowers the possibility of interception of the PIN number.
In fact, I am fairly sure that I read in the past that the credit card companies wouldn't allow this type of implementation.
I would certainly feel very uncomfortable entering my PIN number into someone's phone.
--
EDIT:
So, from what I can tell the design of the PIN entry keypad for EMV is governed by ISO 9564[1], which states:
"The PIN entry device shall be physically secured so that it is not feasible to modify its operation or extract PINs or encryption keys from it."
I don't believe that entering a PIN into a phone based keypad is compliant with that.
I don't see any indication on their website or marketing materials that they are accepting the PIN. I would be surprised if they did, because EMVCo have been firm in the past that a dedicated keypad is required.
I would be interested to know whether they're either capping the amount that can be charged, or are taking some of the liability themselves.
Square will also be looking to get as many people on contactless as possible, because with Apple Pay / Android Pay you can exceed the usual capped limit in the UK (I believe it's something like £30 with a regular contactless card before PIN entry is required).
This is a very good question and I wonder how they've "squared" that with the credit card companies. Is it by any chance iPhone-only? Or does it actually do a card-not-present transaction?
All the normal Verifone, Ingenico etc EMV devices have built in key pads.
For the types of places this device will appeal to (small businesses where individual transactions are less that £30), contactless is taking over (in the UK at least) so this is less of a concern I think.
The only security-relates info I can find, the PCI PTS certification for the Square contactless and ICC reader, mentions a USB connection to a branded base-station, and nothing much about PIN entry.
I hope they aren't trying an end-run around PCI certs?
1) Amex the same price as other cards. Amex has low penetration among small retailers in the UK because they traditionally cost a lot more to accept.
2) Square are very up-front with costs. All the major banks hide their costs - requiring you to call their sales weasels to get a quote.
3) The card reader cost is the same as PayPal - but Squares costs are fixed @ 1.75%. Paypal's are 1.5%-2.75%. The same applies with iZettle - there's a variable cost which is quite opaque for small businesses.
Essentially, if you don't want to jump through hoops and worry about getting screwed over by small print, it looks like Square is compelling.
I'm not a user but I see that iZettle has an up-front calculator to tell you what your % fee will be. It reaches 1.75% at £6200 which I believe means it's cheaper for most shops.
I see a lot of coffee shops and market stalls with iZettle too.
Interestingly Square seems more expensive than iZettle. Square is flat 1.75% in-person 2.5% online while iZettle is sliding 2.75%-1%. The threshold seems to be £6200/month at which point iZettle is going below 1.75%. That's pretty low so I suspect most shops would still chose them.
You could almost certainly negotiate the rate down with Square. Maybe not for £6200/month, but at a certain volume they'll do you a deal. There's no way Philz Coffee (big coffee chain in the bay), for example, are paying Square their advertised flat rate.
I was in London a few months ago. I have Android Pay (I'm American) and could use it everywhere [1]. Coffee shops, train stations, supermarkets, even a whole in a wall cafe. Unlike in US, payment simply was not a problem/point of friction at all.
I am really curious what was the thinking behind Square's UK launch (if there was). At least as a business traveler (and admittedly in London, the financial center of Europe), I saw no space in the market for Square to enter.
[1] (The ONLY place I could not use Android Pay was Apple Store)
The established nature of the market may be a mixed bag for Square. There is strong competition, but there's also a very large market. Square don't have to convince anyone of the merits of mobile payment, just offer a better solution for some portion of the market. They already have lower transaction fees than Paypal and iZettle for most users; they could gain significant ground by salami-slicing the market with better features for particular niches.
Somewhat related: I wonder if this launch means they will now work to open up their (awesome) Square Cash App to other countries, and sending between countries.
The support says:
> Credit card processing with Square is available in the 50 United States, Canada, Japan, and Australia. Payments can only be processed in the country in which you activate your account. For example, if you activate your account in the United States, you’re not able to process credit card payments in Canada, and vice versa.
Hopefully they are working to open up now that they are launching in the UK.
I was a little curious about the detail of this, since I didn't really know what Square offers beyond being a 'payments company' (which could mean anything).
It seems that they're claiming to be cheaper for small businesses. Is that true? Their per-transaction fee seems pretty high, and their device is about the same price as a chip and pin reader.
They also have mobile payment support, but surely that's just a gimmick at this point?
Every card in the UK issued in the last few years can be used for contactless payments, and every sandwich shop has a chip-and-pin handset which can process them.
I added the one card which doesn't support contactless to my iPhone wallet but being able to use my debit card is much easier (plus I don't have to worry about draining its battery).
Not every card, my credit card did not, for whatever reason.
There may be better security through Apple/Android pay, IIRC they don't expose a real card number, and the phone must be awake (and sometimes unlocked) to process a payment.
Regardless, it's irrelevant - the processing tech for android/apple pay is the same as for other contactless cards, so it comes for free - lots of places supported it without even knowing. That sandwich shop reader already supports phone payments most likely. I like it - saves me fiddling with my wallet.
My point is, consumers already expect to use their card, not a phone/app; and for users who do have the necessary hardware, it's still about as convenient to use their card rather than their phone.
So, some consumers now like to use their phone, I personally find it more convenient.
As an extra capability that appeals to some folks it's a no-brainer to market it as a feature.
Sure, it's probably only a few percent at present. Your objection seems to be "I don't use that, therefore they shouldn't mention it on their page", no?
> I don't use that, therefore they shouldn't mention it on their page
Oops, that's not my intended message at all! I don't care what they say on their site & I certainly don't expect them to pay attention to the rants of random HN commentators…
I know people don't use their phone to pay for things here, and I don't understand why you think it will help Square make any inroads into the UK market.
I don't understand why people object to it as a marketing selling point - it's a new(ish) payment method that's expected to become more widespread over time. Selling your product to a retailer with "Hey, it does this too" can't be a bad thing?
>> I know people don't use their phone to pay for things here
Where is here?
I've seen folks in London using their phone to pass the Oyster/underground gates, and I see people at work use their phones every day in the on-site eatery. When I brandish my phone at the McDonald's drive-through for a coffee, the staff don't look at me like I'm crazy, they hold out the machine. I'm really not sure why you think that it's objectionable.
I don't object? You're projecting a complaint onto me that I never made.
I don't understand why you think this feature is important when so many existing consumers will use their contactless card to make payments instead.
Making it crystal clear:
Why do YOU think this is good? In actual concrete terms, i.e. this allows contactless payment for purchasing automobiles which is a gamechanger because …
How do they accept pins for chip-and-pin transactions? If it's on the seller's phone then I wouldn't be comfortable using Square on either side of the transaction.
--edit 2-- That's the only one with ICC and contactless I can find, but it talks about USB connections. This surely must be approved for untethered/bt connections? Hmm
Edited to add disclosure: I work for Square, but I don't know the details of our agreement with Square Enix, and I don't know what I'd be allowed to say about it if I did. :-)
That Japanese company is Square Enix (formerly Square, before the merger with Enix), makers of the Final Fantasy games. I'd imagine the US Square must have paid a fairly non-trivial amount for whatever deal was made.
>> "Looks like Square.com redirects now to Squareup.com but the owners are still that Japanese company. Maybe Square has an agreement with them and maybe they will buy Square.com domain name."
I take it Company names mustn't clash, but trademarks can if they are in different sectors? (unless is a name made up especially for the product like CocaCola?)
Square supports NFC, which is compatible with RFID hardware (the physical layer). The protocol is different, so being able to read an RFID tag doesn't guarantee you'll be able to process a credit card transaction.
It would be trivial for people to intercept the PIN number when it is entered on the seller's phone. That's why competitor devices (iZettle, PayPal) all have a keypad and screen on the card reader itself, it lowers the possibility of interception of the PIN number.
In fact, I am fairly sure that I read in the past that the credit card companies wouldn't allow this type of implementation.
I would certainly feel very uncomfortable entering my PIN number into someone's phone.
--
EDIT:
So, from what I can tell the design of the PIN entry keypad for EMV is governed by ISO 9564[1], which states:
I don't believe that entering a PIN into a phone based keypad is compliant with that.1: https://en.wikipedia.org/wiki/ISO_9564