
I'm kind of surprised Square didn't include some kind of hardware encryption, but then again, it would probably make the readers a lot more expensive to manufacture.

One of the amazing things about plastic cards is that they were never designed in the 1960s with security or the internet in mind. The card itself (with its Primary Account Number) is an inherently insecure medium. PCI DSS tries to make up for this by layering rule after rule on how you can treat PAN data, but as most professionals in the space know, a system is only as secure as its weakest link. There's really nothing PCI or any other standard can do. By focusing on cards, Square has opened itself up to all of the problems associated with them.

Starting from scratch is the best way, and pretty much the only way, to create a secure payment network in today's environment.



Hopefully with the next gen of NFC devices, this is what we'll get.



