Serious about Security
Square’s approach to security is designed to protect both you and your customers. We monitor every transaction from swipe to payment, we continuously innovate in fraud prevention, and we protect your data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.
Data never touches your device
Square enables trusted transactions between you and your customers by making secure payments as simple as possible. We do this by bringing to our sellers the technologies and monitoring that were once available only to the largest merchants.
Square encrypts transactions at the point-of-swipe and tokenizes data once it reaches our servers. We track the purchase as it goes through our software. We monitor your money until it’s deposited into your bank account.
In addition, we monitor each transaction to detect suspicious behavior from swipe to settlement. Square uses our algorithms to spot and freeze malicious or suspicious activity. We’re looking out for you and your customers at each step.
Partners in security
Square is the merchant of record for every transaction, which means we’re dedicated to keeping your business safe. We deal with the banks on your behalf and take care of compliance, regulation and processing so you can focus on running your business. We’ll go to bat for you if someone disputes a transaction and we’ll make sure your money moves quickly and securely into your bank account. Square does the heavy lifting. All you need to do is swipe.
Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS).
Stopping fraud before it happens
We stop fraud via live monitoring programs that analyze transactions as they’re happening. This is known as risk visualization—it helps us detect and investigate suspicious activity before a fraudulent charge takes place. This method is not only a pioneering way for us to protect merchants, but it’s also a better way to build an automated system to detect criminals which will scale as our business grows.
Getting stronger as we grow
We’ve designed Square to grow stronger the more people transact. The more data we have to analyze, the smarter our anti-fraud algorithms become. Think of it this way: if cars on a highway drove by only occasionally, it’d be tough to distinguish the ones speeding from the ones travelling within the limit. But on a crowded highway, it’s easy to spot the reckless driver weaving in and out of traffic. Likewise, more Square customers enable our proprietary systems to spot the bad guys easily.
Secure network, servers and data
Square’s network and servers are housed in a secure facility monitored around the clock by dedicated security staff.
- Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS).
- Square requires sensitive data to be encrypted using industry-leading methods when stored on disk or transmitted over public networks.
- Square uses standard, well-reviewed cryptographic protocols and message formats (such as SSL and PGP) when transferring data.
- Square requires that cryptographic keys are at least 128 bits long. Asymmetric keys must be at least 2048 bits long.
- Square regularly installs security updates and patches on its servers and equipment.
- Security settings of applications and devices are configured to ensure appropriate levels of protection.
- Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
Web and client application security
Square’s software is developed using industry-standard best practices for security.
- Card-processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1.
- Square prohibits the storage of card numbers, magnetic-stripe data and security codes on client devices.
- Applications developed in-house are subject to strict quality testing and security review.
- Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
Secure organization from top to bottom
Square mandates that employees act in accordance with security policies designed to keep merchant data safe.
- Square requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
- Square controls access to sensitive data, application data and cryptographic keys.
- Two-factor authentication and strong password controls are required for administrative access to systems.
- Security systems and processes are tested on a regular basis by qualified internal and external teams.
- Access to secure services and data is strictly logged, and audit logs are reviewed regularly.
- Security policies and procedures are carefully documented and reviewed on a regular basis.
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.
Research and Disclosure
Square recognizes the important contributions that our customers and the security research community can make. We encourage responsible reporting of problems with our service. We also recognize that legitimate and well-intentioned researchers are sometimes blamed for the problems they disclose. In order to encourage responsible reporting practices, we promise not to bring legal action against researchers who point out a problem, provided they:
- Share with us the full details of any problem found.
- Do not disclose the issue to others until we’ve had reasonable time to address it.
- Do not intentionally harm the experience or usefulness of the service to others.
- Never attempt to view, modify or damage data belonging to others.
If you believe you have discovered a problem, please report it at our HackerOne page. Please contact us at firstname.lastname@example.org with any questions.