Physical and Network Security
- Fully encrypted: Square performs data encryption within the card reader at the moment of swipe.
- Sensitive data is encrypted using industry-standard methods when stored on disk or transmitted over public networks.
- Only standard, well-reviewed cryptographic protocols and message formats (such as SSL and PGP) are used when transferring data.
- Symmetric cryptographic keys are required to be at least 128 bits long. Asymmetric keys must be at least 2048 bits long.
- Security updates and patches are installed on servers and equipment in a timely fashion.
- Security settings of applications and devices are tuned to ensure appropriate levels of protection.
- Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
- Card-processing systems adhere to PCI Data Security Standard (PCI-DSS), Level 1.
Web and Client Application Security
- Card numbers, magnetic stripe data, and security codes are not stored on Square client devices.
- Applications developed in-house are subject to strict quality testing and security review. Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
- Card-processing applications adhere to the PCI Data Security Standard (PCI-DSS), Level 1.
- Access to sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis.
- Two-factor authentication and strong password controls are required for administrative access to systems.
- Security systems and processes are tested on a regular basis by qualified internal and external teams.
- All access to secure services and data is strictly logged, and audit logs are reviewed on a regular basis.
- Security policies and procedures are carefully documented, and are reviewed on a regular basis.
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.
Payment Card Industry Data Security Standard
Square complies with the Payment Card Industry Data Security Standard (PCI DSS) on your behalf so you do not need to individually validate your state of compliance. The following are items that Square has addressed on your behalf:
- Square Register does not retain payment card data on the mobile device or within the application.
- Square Register uses the Square Reader to encrypt all card-present transactions at the point of swipe, so information remains encrypted throughout transmission from the reader, to the application, to Square’s data centers. All communications are secure whether connected to the Internet via wireless or cellular data network (EDGE, 3G or 4G.)
- Square Register enables you to enter payment card data. In addition, you can review transactions via the online dashboard or within the application itself. Square does not surface or display the full credit card number to the seller so there is no way to inadvertently display this data to any Square account holder.
- Square Register provides an application that is secure by default allowing customers to focus on their business. There are no configurable security controls within the application.
- Square Register does not require or permit remote connectivity to the application.
- Square Register updates are available through the Apple iTunes and Google Play stores.