Serious about Security

Square’s approach to security is designed to protect both you and your customers. We monitor every transaction, we continuously innovate in fraud prevention and we protect your data like our business depends on it – because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications and set policies across our organisation.

Encryption and monitoring
Square enables trusted transactions between you and your customers by making secure payments as simple as possible. We do this by bringing to our sellers the technologies and monitoring that once were only available to the largest of merchants.

Square Reader keeps payment information safe by encrypting it as soon as it is received. Whether the card is EMV chip and PIN, magstripe or contactless, Square follows the appropriate protocol for that card type to ensure the data stays secure. We monitor your money until it is transferred to your bank account.

In addition, we monitor each transaction to detect suspicious behaviour from the moment it is processed through to settlement. Our algorithms spot malicious or suspicious activity and freeze it. We are looking out for you and your customers at each step.

Partners in security
Square is the merchant of record for every transaction, which means we’ll do the heavy lifting for you. We take care of your compliance and processing. In the event of payment disputes, you don’t have to worry about dealing with the bank. Send us the documentation we need to challenge the dispute, and we’ll take care of the rest. When the bank makes its final decision, we’ll let you know. You just focus on your business.

Layered Security
Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS). In addition to this, we are ISO 27001 certified.

Stopping fraud before it happens
We stop fraud via live monitoring programs that analyse transactions as they are happening. This is known as risk visualisation. The approach helps us detect and investigate suspicious activity before a fraudulent charge takes place. This method is not only a pioneering way for us to protect merchants, it is also a better way to build an automated system for detecting criminals, one that will scale as our business grows.

Getting stronger as we grow
We have designed Square to grow stronger the more people transact. The larger the data set we have to analyse, the smarter our anti-fraud algorithms become. Think of it this way: if cars on a highway drove by only occasionally, it would be tough to distinguish the ones speeding from the ones travelling within the limit. But on a crowded highway, it is easy to spot the reckless driver weaving in and out of traffic. Likewise, more Square customers allow our proprietary systems to spot the bad guys easily.
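The two sections above describe real-time screening and the way a larger baseline makes outliers easier to see. The following is an added illustration of that idea, not Square's code or a description of Square's actual rules: a toy screener that applies a per-card velocity rule and flags a charge whose amount is far outside a seller's own history, but only once that seller has enough history to judge against. All names (Txn, Screener, run_demo), thresholds and transaction data are constructed for the example.

```python
"""Toy real-time transaction screener (added example, not Square's system).

Two checks run at authorisation time, before the charge settles:
  1. card velocity: the same card token presented too often in a short window
  2. amount outlier: a charge far outside the seller's own baseline, judged
     only once the seller has enough history (the 'crowded highway' point)
All thresholds and data below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev
import math


@dataclass(frozen=True)
class Txn:
    ts: int          # seconds since epoch (constructed)
    seller: str      # seller identifier
    card: str        # tokenised card reference, never a raw card number
    amount: float    # charge amount in currency units


class Screener:
    MIN_HISTORY = 20        # fewer approved sales than this: too sparse to judge amounts
    Z_THRESHOLD = 4.0       # standard deviations above the seller's mean to flag
    VELOCITY_WINDOW = 300   # seconds
    VELOCITY_LIMIT = 5      # max presentations of one card inside the window

    def __init__(self):
        self.history = defaultdict(list)       # seller -> amounts of approved sales
        self.card_times = defaultdict(deque)   # card token -> recent timestamps

    def score(self, txn):
        """Return the list of rule names the transaction trips (empty = clean)."""
        reasons = []

        # Velocity: drop timestamps outside the window, then count this attempt too.
        recent = self.card_times[txn.card]
        while recent and txn.ts - recent[0] > self.VELOCITY_WINDOW:
            recent.popleft()
        if len(recent) + 1 > self.VELOCITY_LIMIT:
            reasons.append("card_velocity")

        # Amount outlier: only meaningful against a sufficiently large baseline.
        hist = self.history[txn.seller]
        if len(hist) >= self.MIN_HISTORY:
            mu, sd = mean(hist), pstdev(hist)
            if sd == 0:
                z = 0.0 if txn.amount == mu else math.inf
            else:
                z = (txn.amount - mu) / sd
            if z > self.Z_THRESHOLD:
                reasons.append("amount_outlier")
        return reasons

    def process(self, txn):
        """Screen one transaction; returns ("approve" | "freeze", reasons)."""
        reasons = self.score(txn)
        self.card_times[txn.card].append(txn.ts)   # record the attempt either way
        if reasons:
            return "freeze", reasons
        self.history[txn.seller].append(txn.amount)  # only approved sales feed the baseline
        return "approve", reasons


def run_demo():
    """Constructed scenario: same 2000.00 charge against a sparse and a busy seller."""
    s = Screener()
    results = {}

    # Sparse seller: five prior sales, then a large charge. Too little history to judge.
    for i in range(5):
        s.process(Txn(ts=i * 600, seller="sparse", card=f"tok_s{i}", amount=30.0))
    results["sparse_outlier"] = s.process(Txn(ts=5 * 600, seller="sparse", card="tok_x", amount=2000.0))

    # Busy seller: fifty typical sales (20..42) establish a baseline, then the same large charge.
    for i in range(50):
        s.process(Txn(ts=i * 600, seller="busy", card=f"tok_b{i}", amount=float(20 + (i * 7) % 23)))
    results["busy_outlier"] = s.process(Txn(ts=50 * 600, seller="busy", card="tok_y", amount=2000.0))
    results["busy_normal"] = s.process(Txn(ts=51 * 600, seller="busy", card="tok_z", amount=38.0))

    # Velocity: one card token presented six times within a minute.
    for i in range(6):
        results["velocity"] = s.process(Txn(ts=9000 + i * 10, seller="busy", card="tok_hot", amount=25.0))
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in run_demo().items():
        print(f"{name:15s} {decision:8s} {reasons}")
```

The sparse seller's 2000.00 charge is approved because the screener has no baseline to compare it with, while the identical charge against the busy seller is frozen; a production system would fall back to network-wide priors in the sparse case rather than simply approving, which is the advantage of a large shared data set the section above is pointing at. Only approved sales feed the baseline, so a frozen charge cannot poison a seller's own history.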

Secure network, servers and data
Square’s network and servers are housed in a secure facility monitored around the clock by dedicated security staff.

  • Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS).
  • Square requires sensitive data to be encrypted using industry-leading methods when stored on disk or transmitted over public networks.
  • Security settings of applications and devices are tuned to ensure appropriate levels of protection.

Web and client application security
Square’s software is developed using industry standard security best practices.

  • Card-processing applications adhere to the PCI Data Security Standard (PCI-DSS) at Level 1, the most stringent compliance level.
  • Square prohibits the storage of card numbers, magnetic stripe data and security codes on client devices.
  • Applications developed in-house are subject to strict quality testing and security review.
  • Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.

Secure organisation from top to bottom
Square mandates that employees act in accordance with security policies designed to keep merchant data safe.

  • Square requires sensitive data to be encrypted when stored on disk or transmitted over public networks.
  • Square controls access to sensitive data, application data and cryptographic keys.
  • Two-factor authentication and strong password controls are required for administrative access to systems.
  • Security systems and processes are tested on an ongoing basis by qualified internal and external teams.
  • Access to secure services and data is strictly logged, and audit logs are reviewed regularly.
  • Security policies and procedures are carefully documented and reviewed on a regular basis.
  • Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.

Information Security Governance
We are committed to the highest standards of information security governance to demonstrate leadership in our industry. For this reason we subjected our information security management system to external validation and have achieved the renowned ISO 27001 certification. We continue to build on this to assure our sellers and partners of our commitment to securing every aspect of our products and services.

Research and Disclosure
Square recognises the important contributions that our customers and the security research community can make. We encourage responsible reporting of problems with our service. We also recognise that legitimate and well-intentioned researchers are sometimes blamed for the problems they disclose. To encourage responsible reporting practices, we promise not to bring legal action against researchers who point out a problem, provided they:

  • Share with us the full details of any problem found.
  • Do not disclose the issue to others until we’ve had reasonable time to address it.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Never attempt to view, modify or damage data belonging to others.

If you believe that you have discovered a vulnerability, please report it at our Bugcrowd page. If you have any other security concerns about your account, contact security@squareup.com.