Physical and Network Security
- Fully encrypted: Square performs data encryption within the card reader at the moment the card comes in contact with the reader.
- Sensitive data is encrypted using industry-standard methods when stored on disk or transmitted over public networks.
- Only standard, well-reviewed cryptographic protocols and message formats (such as SSL and PGP) are used when transferring data.
- Symmetric cryptographic keys are required to be at least 128 bits long. Asymmetric keys must be at least 2048 bits long.
- Security updates and patches are installed on servers and equipment in a timely fashion.
- Security settings of applications and devices are tuned to ensure appropriate levels of protection.
- Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
- Card-processing systems adhere to the PCI Data Security Standard (PCI-DSS), Level 1.
Web and Client Application Security
- Card numbers, chip and magnetic-stripe data, and security codes are not stored on Square client devices.
- Applications developed in-house are subject to strict quality testing and security review. Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
- Card-processing applications adhere to the PCI Data Security Standard (PCI-DSS), Level 1.
- Access to sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis.
- Two-factor authentication and strong password controls are required for administrative access to systems.
- Security systems and processes are tested on a regular basis by qualified internal and external teams.
- All access to secure services and data is strictly logged, and audit logs are reviewed on a regular basis.
- Security policies and procedures are carefully documented, and are reviewed on a regular basis.
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.
Payment Card Industry Data Security Standard
Square complies with the Payment Card Industry Data Security Standard (PCI DSS) on your behalf so you do not need to individually validate your state of compliance. The following are items that Square has addressed on your behalf:
- The Square app does not retain payment card data on the mobile device or within the application.
- The Square app uses the Square Reader to encrypt all card-present transactions at the point of swipe, so information remains encrypted throughout transmission from the reader, to the application, to Square’s data centres. All communications are secure whether connected to the Internet via a wireless or cellular data network (EDGE, 3G or 4G).
- The Square app enables you to enter payment card data. In addition, you can review transactions via the online dashboard or within the application itself. Square does not surface or display the full credit card number to the seller so there is no way to inadvertently display this data to any Square account holder.
- The Square app is secure by default, allowing customers to focus on their business. There are no configurable security controls within the application.
- The Square app does not require or permit remote connectivity to the application.
- Square app updates are available through the Apple iTunes and Google Play stores.