All the security details
Secure Payment Data
Level 1 PCI compliance
Card processing systems adhere to the PCI Data Security Standard (PCI-DSS), Level 1.
Coding best practices
Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
Systematic security updates
Security updates and patches are installed on servers and equipment in a timely fashion.
Compliant data storage
Square prohibits storage of card numbers, magnetic-stripe data, and security codes on client devices.
Strong cryptographic controls
Square uses industry-standard cryptographic protocols and message formats (such as SSL/TLS and PGP) when transferring data.
Square engineers security into every product from the ground up. It all comes out of the box with end-to-end encryption, so there’s no lengthy security configuration process in which mistakes can get made. We don’t outsource any of our essential product security to third-party vendors or services, whose security would be outside our control. Square designs, creates, and maintains it all in-house.
Streamlined product delivery
Security teams are involved at every stage of product delivery. Square has dedicated teams assigned to implementing security best practices at each step of the product journey, from software and hardware development to the factory supply chain to ongoing server operations and maintenance.
Secure information handoff
All sensitive data is encrypted in flight and at rest. We don’t allow servers to connect to Square unless the encryption (SSL/TLS) is in place and configured properly.
Our security teams are staffed by engineers, not administrators. All our proprietary information security tools are engineer-friendly, streamlined for easy adoption, and built to facilitate protection of sensitive assets and data. Engineers are in charge of monitoring and maintaining all vital areas, such as:
- Log management
- Platform and network monitoring
- Identity and access management
- Application and hardware security
- Cryptography and key management
We’re constantly testing our applications, infrastructure, and incident response plans. We regularly engage testing labs to attempt to compromise our security in areas we want to stress-test.
We leverage industry and government groups like ECTF and FS-ISAC to stay abreast of emerging threats, fraud rings, and ecosystem changes.
Public bug bounty
In addition to planned penetration tests, Square security is evaluated every day by public bounty researchers. We’ve issued a 24/7, global invitation to security testers around the world to try to identify areas of potential vulnerability in exchange for a bounty. If you’re a researcher and believe you’ve discovered a vulnerability, please report it at our Bugcrowd page.
Code design reviews
We’ve set up automated analysis of Square’s source code to search for weaknesses. When we write new code, we implement a gated quality control process and staging tests before releasing it into production. Throughout this process, automated tests probe the new code for security vulnerabilities.
Information Security Governance
We are committed to the highest standards of information security governance to demonstrate leadership in our industry. For this reason we subjected our information security management system to external validation and have achieved the renowned ISO 27001 certification. We continue to build on this to assure our Sellers and partners of our commitment to securing every aspect of our products and services.
- Sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis.
- Square requires two-factor authentication and strong password controls for administrative access to systems.
- All access to secure services and data is logged and audit logs are reviewed on a regular basis.
Reduced compliance costs
It’s costly to cover compliance on your own—and even if you do, the average business falls out of compliance every nine months. Square stays compliant for you. We take audits and SAQs, vulnerability scanning, training and policy development, and remediation off your list of things to worry about. And unlike other payment processors, we don’t charge a monthly or yearly “regulatory” fee.
| | For small businesses | For large enterprises | Square Business |
|---|---|---|---|
| SAQ or PCI DSS Audit | ~$50-$200 for Self-Assessment Questionnaire | ~$40k+ for onsite audit and ~$5k+ for penetration testing | $0 |
| Vulnerability scanning | ~$100-$200 per IP address | ~$800+ | $0 |
| Training and policy development | ~$70 per employee | ~$5k+ | $0 |
| Remediation (incl. software and hardware updates, etc.) | ~$100-$10k for small businesses | ~$10k-$500k | $0 |
Full security suite
The technical security controls and processes that make up Square’s security program are audited by external third parties.
- SSAE-18 SOC1 and SOC2
- PCI DSS
- PCI PIN Transaction Security
- PCI PIN Key Injection Facility
- EMV Level 1 and Level 2
- US Money Transmission licenses
- Visa Ready
- Mastercard MPOS and Mastercard Terminal Quality Management
- UK Cards Association / Common Criteria Audit
Pioneers in compliance
Square employs a dedicated team of compliance professionals who are tasked with monitoring payment card industry changes and advising engineering teams throughout the development life cycle of our solutions.
We’re on the PCI Board of Advisors and influence the ongoing development of the PCI Security Standards. We’re well-positioned to be your advocate in conversations with regulators. We pioneered the use of software-based PIN entry and worked alongside the payments industry and the PCI Council during development of the new global standard.