Set up network requirements for Square hardware
About networking requirements for Square hardware
In most cases, Square hardware is easy to connect to the internet and use straight out of the box. However, if your business has a more complex networking setup, you may want to check Square’s networking requirements to optimize the performance of your Square hardware.
Before you begin
The following requirements typically apply to businesses with more complex internet network setups. We recommend only making changes to your network configuration if you are knowledgeable about network requirements, or working with a professional.
Protocol/port allowlist
If you restrict which protocols and ports devices on your network can access, Square devices require the following protocols and their corresponding ports to be allowed through your firewall:
- NTP: This is critical for ensuring that the device has the correct time. Connectivity may fail due to certificate validity mismatches if the device time is wrong.
- HTTPS (only port 443): All traffic to Square servers is made over HTTPS.
The following ports are also used for network printers, but these do not require access to the internet:
- UDP: 22222, 3289
- TCP: 9100:9109
Domain filtering
If you enforce restrictions on what domains can be accessed from within your network, Square devices require the following domains to be allowlisted.
All subdomains of:
- squareup.com
- issquareup.com
- squarecdn.com
- cash.me
- cash.app
- squarecloudservices.com
As well as the following FQDNs:
- api.skyhookwireless.com
- notify.bugsnag.com
- sessions.bugsnag.com
- apytiqcuyrsq6-ats.iot.us-east-2.amazonaws.com
- square.site
- www.weebly.com
- api.mapbox.com
- mobile-data.onetrust.io
- privacyportal.onetrust.com
- cdn.cookielaw.org
- memfault-prod-east1.s3.amazonaws.com
- memfault-prod-ap-south-1.s3.amazonaws.com
- files.memfault.com
- device.memfault.com
- ingress.memfault.com
NTP requires access to:
- time.android.com
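The domain list above, turned into a matcher you can run over DNS or proxy logs to see which names a filter built from it would block (an added example, not Square's code). It assumes the apex of each "all subdomains" entry is allowed too, matches suffixes only on a label boundary, and treats the listed FQDNs as exact names; the sample hostnames are constructed.

```python
# Added example. Domains are the ones listed on this page; SAMPLE_LOG is constructed.
SUFFIX_DOMAINS = (
    "squareup.com", "issquareup.com", "squarecdn.com",
    "cash.me", "cash.app", "squarecloudservices.com",
)
EXACT_FQDNS = frozenset({
    "api.skyhookwireless.com", "notify.bugsnag.com", "sessions.bugsnag.com",
    "apytiqcuyrsq6-ats.iot.us-east-2.amazonaws.com", "square.site",
    "www.weebly.com", "api.mapbox.com", "mobile-data.onetrust.io",
    "privacyportal.onetrust.com", "cdn.cookielaw.org",
    "memfault-prod-east1.s3.amazonaws.com",
    "memfault-prod-ap-south-1.s3.amazonaws.com",
    "files.memfault.com", "device.memfault.com", "ingress.memfault.com",
    "time.android.com",  # NTP host from the page
})

SAMPLE_LOG = [  # constructed hostnames, as a resolver or proxy log might show them
    "api.squareup.com", "Connect.SquareUp.com.", "evilsquareup.com",
    "squareup.com.example.net", "square.site", "cdn.square.site",
    "api.mapbox.com", "tiles.mapbox.com",
]


def normalize(host):
    """Lowercase and drop the trailing root dot; DNS names are case-insensitive."""
    return host.strip().rstrip(".").lower()


def is_allowed(host):
    h = normalize(host)
    if not h or h.startswith(".") or ".." in h:
        return False  # malformed name
    if h in EXACT_FQDNS:
        return True
    # Assumption: the apex of an "all subdomains" entry is allowed as well.
    # The leading dot forces a label boundary, so "evilsquareup.com" does not
    # pass as a subdomain of "squareup.com".
    return any(h == d or h.endswith("." + d) for d in SUFFIX_DOMAINS)


def audit(hosts):
    """Return the sorted, de-duplicated names the allowlist would block."""
    return sorted({normalize(h) for h in hosts if not is_allowed(h)})


if __name__ == "__main__":
    for name in audit(SAMPLE_LOG):
        print("blocked:", name)
```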
IP addresses
- US: 74.122.184.0/21
- Asia/Pacific: 103.31.216.0/22
- Europe: 185.57.56.0/22
Square devices also rely on access to Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS publishes its IP ranges, and Google is AS15169. Make sure to add these IP ranges as well.
Square devices have an internal firewall and an internal (domain, not IP) allowlist, and perform TLS certificate pinning on all Square endpoints, so you may consider the IP allowlisting on your side redundant depending on your purpose. It could make sense to just ensure Square devices can’t access any internal company IP addresses, and leave the rest of the internet open for Square’s on-device firewall and domain filter.
MAC addresses
Square’s MAC OUI: 44:59:25
Merchants should allowlist all MAC addresses that start with the above prefix (i.e., devices with MAC addresses following the pattern 44:59:25:XX:XX:XX). Alternatively, merchants can allowlist each individual device that shows up with that MAC address prefix (this prefix is owned by Square and should not be used by any other device vendors).
If you have older Square hardware, you may need to also allowlist the following MAC prefixes:
Older MAC OUIs: 2C:D1:41:D, 8C:47:6E:5, 1C:59:74:6