SquareUp

Secure Payment Data

Level 1 PCI compliance

Card processing systems adhere to the PCI Data Security Standard (PCI-DSS), Level 1.

​

Coding best practices

Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP

​

Systematic security updates

Security updates and patches are installed on servers and equipment in a timely fashion.

​

Compliant data storage

Square prohibits storage of card numbers, magnetic-stripe data and security codes on client devices.

​

Strong cryptographic controls

Square uses industry-standard cryptographic protocols and message formats (such as SSL/TLS and PGP) when transferring data.

Secure Hardware

​

Square engineers security into every product from the ground up. It all comes out of the box with end-to-end encryption, so there’s no lengthy security configuration process in which mistakes can get made. We don’t outsource any of our essential product security to third-party vendors or services, whose security would be outside our control. Square designs, creates and maintains it all in-house.

​

Streamlined product delivery

Security teams are involved at every stage of product delivery. Square has dedicated teams assigned to implementing security best practices at each step of the product journey, from software and hardware development to the factory supply chain to ongoing server operations and maintenance.

​

Secure information hand-off

All sensitive data is encrypted in flight and at rest. We don’t allow servers to connect to Square unless the encryption (SSL/TLS) is in place and configured properly.

​

Engineering-first philosophy

Our security teams are staffed by engineers, not administrators. All of our proprietary information security tools are engineer-friendly, streamlined for easy adoption and built to facilitate protection of sensitive assets and data. Engineers are in charge of monitoring and maintaining all vital areas, such as:

• Log management

• Platform and network monitoring

• Identity and access management

• Application and hardware security

• Cryptography and key management

Secure Organization

​

Penetration tests

We’re constantly testing our applications, infrastructure and incident response plans. We regularly engage testing labs to attempt to compromise our security in areas we want to stress-test.

​

Threat intelligence

We leverage industry and government groups like ECTF and FS-ISAC to stay abreast of emerging threats, fraud rings and ecosystem changes.

​

Public bug bounty

In addition to planned penetration tests, Square security is evaluated every day by public bounty researchers. We’ve issued a 24/7, global invitation to security testers around the world to try to identify areas of potential vulnerability in exchange for a bounty. If you’re a researcher and believe you’ve discovered a vulnerability, please report it at our Bugcrowd page.

​

Code design reviews

We’ve set up automated analysis of Square’s source code to search for weaknesses. When we write new code, we implement a gated quality control process and staging tests before releasing it into production. Throughout this process, automated tests probe the new code for security vulnerabilities.

Internal security

• Sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis.

• Square requires two-factor authentication and strong password controls for administrative access to systems.

• All access to secure services and data is logged and audit logs are reviewed on a regular basis.