Serious about Security
Square’s approach to security is designed to protect both you and your customers. We monitor every transaction, we continuously innovate in fraud prevention and we protect your data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications and set policies across our organisation.
Encryption and monitoring
Square enables trusted transactions between you and your customers by making secure payments as simple as possible. We do this by bringing to our sellers the technologies and monitoring that once were only available to the largest of merchants.
The Square Reader keeps payment information safe by encrypting it as soon as it’s received. When buyers insert their chip card or tap their contactless card or device, it talks back and forth with the Square Reader using encrypted messages to make sure it’s actually the cardholder who’s paying. The transaction information is also securely encrypted when sent to the buyer’s bank in a way that can’t be read by the seller, Square or anyone else. We track the purchase as it goes through our software. We monitor your money until it’s deposited into your bank account.
In addition, we monitor each transaction to detect suspicious behaviour from the moment it is processed to settlement. Square uses our algorithms to spot and freeze malicious or suspicious activity. We’re looking out for you and your customers at each step.
Partners in security
Square is the merchant of record for every transaction, which means we’re dedicated to keeping your business safe. We deal with the banks on your behalf and take care of compliance, regulation and processing so you can focus on running your business. We’ll be there to support you if someone disputes a transaction, and we’ll make sure your money moves quickly and securely into your bank account. Square does the heavy lifting. All you need to do is keep selling.
Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS).
Stopping fraud before it happens
We stop fraud via live monitoring programs that analyse transactions as they’re happening. This is known as risk visualisation. The approach helps us detect and investigate suspicious activity before a fraudulent charge takes place. This method is not only a pioneering way for us to protect merchants, but it’s also a better way to build an automated system to detect criminals that will scale as our business grows.
Getting stronger as we grow
We’ve designed Square to grow stronger the more people transact. The better data set we have to analyse, the smarter our anti-fraud algorithms become. Think of it this way: if cars on a motorway drove by only occasionally, it’d be tough to distinguish the ones speeding from the ones travelling within the limit. But on a crowded motorway, it’s easy to spot the reckless driver weaving in and out of traffic. Likewise, more Square customers allow our proprietary systems to spot the baddies easily.
Secure network, servers and data
Square’s network and servers are housed in a secure facility monitored around the clock by dedicated security staff.
- Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS).
- Square requires sensitive data to be encrypted using industry-leading methods when stored on disk or transmitted over public networks.
- Square uses standard, well-reviewed cryptographic protocols and message formats (such as SSL and PGP) when transferring data.
- Square requires that cryptographic keys are at least 128 bits long. Asymmetric keys must be at least 2048 bits long.
- Square regularly installs security updates and patches on its servers and equipment.
- Security settings of applications and devices are tuned to ensure appropriate levels of protection.
- Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
Web and client application security
Square’s software is developed using industry standard security best practices.
- Card-processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1.
- Square prohibits the storage of card numbers, magnetic stripe data and security codes on client devices.
- Applications developed in-house are subject to strict quality testing and security review.
- Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
Secure organisation from top to bottom
Square mandates that employees act in accordance with security policies designed to keep merchant data safe.
- Square requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
- Square controls access to sensitive data, application data and cryptographic keys.
- Two-factor authentication and strong password controls are required for administrative access to systems.
- Security systems and processes are tested on a regular basis by qualified internal and external teams.
- Access to secure services and data is strictly logged and audit logs are reviewed regularly.
- Security policies and procedures are carefully documented and reviewed on a regular basis.
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.
Research and Disclosure
Square recognises the important contributions that our customers and the security research community can make. We encourage responsible reporting of problems with our service. We also recognise that legitimate and well-intentioned researchers are sometimes blamed for the problems they disclose. In order to encourage responsible reporting practices, we promise not to bring legal action against researchers who point out a problem, provided they:
- Share with us the full details of any problem found.
- Do not disclose the issue to others until we’ve had reasonable time to address it.
- Do not intentionally harm the experience or usefulness of the service to others.
- Never attempt to view, modify or damage data belonging to others.