iZettle: Square Killer?
(Now with an update from iZettle: see below)
iZettle, a card payments company, is getting some press today due to their UK launch. They’re pitching themselves as a European Square, the key difference being they accept EMV ‘smart’ (chip) credit cards through their iPhone-compatible reader. I’ve already blogged about Square’s difficulties with the Chip & PIN sector before, so I was interested to see how iZettle are tackling the problem.
Their solution is something of a compromise, mainly due to restrictions imposed by card issuers. Whilst anything to allow more convenient payments is good, I’m worried about how iZettle will deal with fraud and liability. Here’s why:
PINs and Terminals
Although iZettle’s reader takes EMV chipped cards, you don’t use your PIN to pay for a purchase. Instead, you sign on the iPhone’s screen. It turns out there’s a reason for this: card issuers only allow approved hardware terminals to be used for Chip & PIN purchases. There is simply no way to run PIN transactions through a standard mobile device.
This means that the only difference between iZettle and Square is the former reads cards using the chip, and the latter using the magnetic strip. In terms of security, the only advantage iZettle has is that it’s much harder to clone an EMV card. Unlike Chip & PIN proper, iZettle doesn’t protect against someone stealing your card - all they need to do is mimic your signature. What you sign on the screen with your finger is not likely to bear much resemblance to the signature on the back of your card anyway: this is hardly a blocker for fraud.
This would be less concerning if you as the retailer weren’t liable for fraudulent transactions:
If you search iZettle’s help portal for ‘Fraud’ or ‘Liability’ you won’t find any results. In fact, iZettle are very careful to avoid mentioning that, in the UK, retailers who don’t accept Chip & PIN are liable for all fraudulent transactions.
What does this mean in practice? Let’s say someone steals my credit card and buys something at a shop with an iZettle terminal. Later on, I find out my card is missing and call the bank. Who’s liable for that fraudulent purchase? Since I didn’t use Chip & PIN it’s the retailer, who ends up out of pocket.
To put it in plain English: it’s my understanding that by using iZettle you will be liable for any payment fraud your customers commit, rather than iZettle or the issuing bank. The only place this is mentioned on iZettle’s site is in their Terms of Service, and even then it’s opaquely phrased.
iZettle’s target market is clearly people who currently don’t take card payments. These people may not know much about how the market works, and may be totally in the dark when it comes to who’s liable for fraudulent transactions. I applaud iZettle for trying to shake up the market, and I have nothing against them or the product. I do, however, think that they could be much clearer on their site in terms of who’s responsible for fraudulent transactions. iZettle have said they’re going to look at their FAQs, so hopefully some more clarity will be forthcoming.
iZettle have updated their FAQ page to make it clearer that liability mainly rests with the person taking the payment (in the small set of cases where a stolen card that hasn’t been reported is being used). I think this is a great improvement, and they’ve been very proactive in dealing with it.