Can I get those Square Readers to accept EBT cards?
February 27, 2015 6:56 AM   Subscribe

I'd like to mess around with the square readers and see if it would be possible to "hack" it (to use the parlance of our time) and get it to accept EBT food stamp cards as well as other types of payment and currency. Is it possible to do this? Has anybody had any success with this? What should I learn to be able to do something like this, hack the square reader. Thanks
posted by caudal to Shopping (7 answers total) 2 users marked this as a favorite
 
Vendors need to be approved by the USDA in order to accept EBT cards:
To be eligible as a store in the Supplemental Nutrition Assistance Program (SNAP), your store(s) must sell food for home preparation and consumption and meet one of the criteria below:

(A) Offer for sale, on a continuous basis, at least three varieties of qualifying foods in each of the following four staple food groups, with perishable foods in at least two of the categories:

meat, poultry or fish
bread or cereal
vegetables or fruits
dairy products

OR

(B) More than one-half (50%) of the total dollar amount of all retail sales (food, nonfood, gas and services) sold in the store must be from the sale of eligible staple foods.
and even for approved vendors or retailers, selling non-eligible items is a federal crime (pdf):
If you, your staff, your employees, or relatives redeem more SNAP benefits than your total food sales, sell ineligible items, accept SNAP benefits in payment for food sold to a SNAP household on credit, or buy or sell SNAP benefits, you will be disqualified from the Program
and/or assessed a monetary penalty, and you may face criminal prosecution.

Criminal prosecution may result in a prison sentence, seizure of your assets, and additional penalties. You can be fined up to $11,000 for each illegal transaction, plus three times the dollar value of the transaction. You may be referred to the Internal Revenue Service for more extensive investigation, and may lose your State lottery licenses and alcohol beverage sales licenses.
I wouldn't mess around with "hacking" anything involving EBT cards, even if I could.
posted by jaguar at 7:12 AM on February 27, 2015 [11 favorites]


Well, here's a data dictionary that might or might not be helpful should you get to a point where you have access to the Square card reader on a programmatic level.

I see no reason not to streamline this system if you are operating within the limits of the law. You could even get yourself added to a list of third party vendors. Definitely consult a lawyer if you want to go far down this road. By undercutting other third party vendors (which can sometimes charge quite a bit of money per month to lease their equipment), you could be making these services more available for the proletariat.
posted by oceanjesse at 7:22 AM on February 27, 2015


From a technical perspective, not gonna happen. I am only familiar with Square readers that connect to a tablet/smartphone, so I'll answer in that context: The square reader itself just reads the data that's encoded on the card's magnetic strip and passes that information to the Square application (via the device's mic input for the original readers, don't know if that's still the case). At that point, it's all software, and again, the app is "just" a front-end to the Square payment processing service, which is implemented as software on some servers somewhere on the internet.

Now, if you could find a payment processor that was willing to deal in EBT you could theoretically write your own phone/tablet software to read data in over the mic input from the Square reader, decode that, and communicate with the payment processor, but payment processing is so heavily legislated and regulated that, honestly, if you have to ask this question here you are not prepared to start dealing with the issues it entails. By all means read up on it, for all I know this could be a niche you could find a successful way to fill -- but it's not going to be a "hack," it's going to be some fairly serious software development and legal/regulatory work.
posted by Alterscape at 7:23 AM on February 27, 2015 [3 favorites]


From Square: "We don't currently support EBT or other benefits cards." From a quick search, looks like there are other similar services that do support EBT.
posted by Mr.Know-it-some at 8:49 AM on February 27, 2015 [1 favorite]


You might be interested in how farmer's markets accept EBT. In short, no, you cannot use a wireless or mobile device to accept EBT.

This is not due to technology, but due to industry requirements regarding PIN numbers.
posted by Marie Mon Dieu at 8:50 AM on February 27, 2015 [5 favorites]


I work in this space. In order to "hack" Square's card reader, there's two levels on which you'd have to break their system.

Level 1: Payment Processing Backend
As others have said already, Square's app is just a pretty UI on top of their payment processing service. Square (and its competitors) has done a good deal of legal work to be legally allowed to process payments on behalf of a third party. The U.S. government has plenty of regulation in this area that your computer system must comply with. So, you have two options here: hack into Square's system and force it to accept EBT, or create your own payment processing processing service that accepts EBT.

For a single individual, hacking Square's system to get them to accept EBT (something it wasn't designed to do, and for which you'd have to hack authorization to even be allowed to access) is impossible. We're talking the kind of hacks that would take a team of people working together to accomplish, and which would be discovered almost immediately.

Likewise, creating your own payment processing service and hacking Square's app to make all of its service calls to your service is going to be too difficult to be feasible. You'd have to decompile the mobile app and change who it sends and receives data from and then attempt to put the app somewhere people would use it. You can't just upload someone else's app under your account — Apple wouldn't approve the app, and Google would likely take it down if someone complained. Regardless, Square would sue your company into the ground once they found out. This is not to mention the team of lawyers you'd need to understand and comply with the regulations of running a payment processing service, and the team of software engineers you'd need to build this service.

Level 2: Card reader
If the Square card reader is anything like the card readers others in this space use, hacking the card reader is impossible. The card reader hardware used by at least 2 of Square's competitors (to my knowledge) is created by MagTek. As others have said, the card reader simply reads the data kept in the magnetic stripe on the card and sends the data to the app over the audio jack, where the app then just forwards the data on to the banks involved. What others haven't said is that it's highly likely that the data is encrypted before it even enters the app.

MagTek provides card readers set up to encrypt the data read from the card (see here for a list of security features). They use a symmetric encryption algorithm (Triple DES as that's the banking industry's baby) to encrypt the data as it's read from the magstripe. They key used in the encryption algorithm is derived using the DUKPT key derivation scheme. DUKPT (pronounced "duck put") is, for someone who's not the NSA, impossible to break. Each swipe of the card reader is encrypted using a different key and the key is deleted from the hardware after use. The key derivation scheme is pretty much one-way (forward), so even having the current key doesn't guarantee that you'd be able to figure out what the previous key was. The master key is used to derive some of the later keys and then deleted from the device during manufacturing of the hardware. That master key is delivered by courier in pieces to the servers of MagTek's client. In practice, no one knows the master key used to derive all keys, and every device only has the derived keys.

So, long story short, you're not going to hack Square's card reader and do anything useful with it. The data that you'd like to use for your purposes will be encrypted and unreadable by you.

You Can Do It Though
However, depending on what you're trying to do, you can always buy your own card reader from MagTek or another card reader manufacturer to play around with. The card readers have a relatively simple API if all you want to do is view the data stored on a given card. If you're interested in running a business and accepting EBT, there are plenty of companies willing to sell you a point-of-sale device capable of accepting EBT.
posted by Axle at 8:06 AM on February 28, 2015 [1 favorite]


If you want to learn about hacking hardware and software, then anything to do with payments and financial transactions probably isn't the place to start, unless there is something about the problem-space that really draws you to it (and isn't likely to lead you into criminal behavior). You might want to pick something less regulated. You could check out Hack-A-Day.com's blog posts and projects community for an endless supply of "hacks" at a range of skill levels.

If you are really interested in financial systems though, and given the background you described in another question, you might look at the regulatory and compliance frameworks around electronic payments and work your way from that to the point of sale stuff. I hate to think about what you may find, but finding it, or just looking for it, will be a good entre into paying work outside K-12 education.
posted by Good Brain at 1:53 PM on February 28, 2015


« Older I know the towns are there, but how do I find them...   |   Second-hand MacBook Pro - what to look for, 2015... Newer »
This thread is closed to new comments.