Square Up Card Reader

Discussion in 'Payment Processing' started by IDocXD, Feb 28, 2012.

  1. #1
    I was wondering if anyone uses anything like Square Up or Intuit for local card payments for their companies.

    I use it for my media production company "69 Studios, Inc." and entertainment consulting company "Hit Faction", and I find it very useful compared to other credit card transaction systems, whose charges can add up quite a bit.
     
    IDocXD, Feb 28, 2012 IP
  2. psychost

    psychost Active Member

    #2
    psychost, Feb 28, 2012 IP
  3. IDocXD

    IDocXD Member

    #3
    Great review, nailed everything.

    As far as personal users, it's great, but they need to work on the business verification process.
    I've signed up as a company before and was rejected. Their response was that the business verification process is not yet up to par, so my account had to be deleted for me to re-sign up for personal use.

    Other than that, everything's great!
     
    IDocXD, Feb 28, 2012 IP
  4. jestep

    jestep Prominent Member

    #4
    I'll take as much personal bias out of this as possible and look at it from a business and IT related standpoint.

    It's great for personal and very small usage. Depending on your type of business, the rates they offer could be decent to mediocre. It's not uncommon for retail merchants to be under 2% for their effective rate, but it all depends on the types of cards they are accepting. 3.5% is normally pretty poor for card not present, but again it depends a lot on the types of cards being accepted. Some merchants that accept mostly international or corporate cards may have legitimate rates over 3.5% just due to the greatly increased interchange rates with those card types. They do keep it very simple, which goes a long way toward helping small merchants understand what their costs will be. This is something that merchant account providers have a really hard time doing due to the nature of how our back-end systems work and the various fees and rules that we must adhere to. However, they have an F rating with the BBB, and there are many stories of them holding money and instilling reserve accounts on businesses that would have no problem with a normal processor. My take is their risk management is similar to but more stringent than PayPal's. This will inevitably lead to a measurable percentage of accounts on reserve and accounts being held.

    As far as security goes, Square should have been quashed before they got off the ground. It's not secure in any way as far as the reader-to-phone connection is concerned. Unless they've changed something drastically, literally any app on the phone can read the transaction between the reader and the phone passively or actively. From a consumer's perspective this is a bit scary. Why would a customer want to take the risk of the Angry Birds app (or something malicious) on your phone being able to read their card when you swipe it? It doesn't even need to store card data for a customer's card to be stolen. Thus far there hasn't been any major spyware or attacks hitting Android phones that would look for Square users and passively read cards as they were swiped, but based on the distribution and how little people understand phone security, the opportunity is there.

    Their PCI compliance statement is definitely up for interpretation. There isn't really any PCI standard for connecting a phone-jack-based card reader to a phone. The PCI laws get even more vague when dealing with a PSP like Square instead of a traditional merchant account provider. I can say that not using some sort of encryption mechanism between the reader and the phone will most likely be in violation of PCI once they do develop standards for it. Other competitors like VeriFone and Magtek offer card readers that encrypt the card data directly on the reader, and then it is secure through the entire transaction process. Square completely ignored best practices or even any logical security on connecting the reader to the phone. The lack of security built into the reader is completely deplorable considering they are from tech backgrounds, and they are dealing with obviously sensitive data. It really irks me as someone in IT and information security that they would so blatantly disregard security to get their product out as fast and to as many people as possible.
     
    Last edited: Feb 29, 2012
    jestep, Feb 29, 2012 IP
  5. mmm555

    mmm555 Member

    #5
    I ordered one and have one. I have seen them used. They are great I think.
     
    mmm555, Mar 4, 2012 IP
  6. psychost

    psychost Active Member

    #6
    This is how I see it: most PCI compliant devices, such as PS/2 Magtek swipes, are PCI compliant; however, they just send the code unencrypted via a keyboard emulator.
    I've done some extensive work with such devices. To say it's not PCI compliant was VeriFone's way to try and destroy the company, because it's so easy and so much cheaper for the average small business to use.

    Did you know that VeriFone even created a fake app that would make use of the device as a skimmer, just to try and hurt the company? A court forced them to take it down. This just proves how scared VeriFone is of this company. I'll never touch a VeriFone product after they pulled that one.
     
    psychost, Mar 5, 2012 IP