Secure Payment Data
Level 1 PCI compliance
Card processing systems adhere to the PCI Data Security Standard (PCI-DSS), Level 1.
Coding best practices
Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP
Systematic security updates
Security updates and patches are installed on servers and equipment in a timely fashion.
Compliant data storage
Square prohibits storage of card numbers, magnetic-stripe data and security codes on client devices.
Strong cryptographic controls
Square uses industry-standard cryptographic protocols and message formats (such as SSL/TLS and PGP) when transferring data.
Square engineers security into every product from the ground up. It all comes out of the box with end-to-end encryption, so there’s no lengthy security configuration process in which mistakes can get made. We don’t outsource any of our essential product security to third-party vendors or services, whose security would be outside our control. Square designs, creates and maintains it all in-house.
Streamlined product delivery
Security teams are involved at every stage of product delivery. Square has dedicated teams assigned to implementing security best practices at each step of the product journey, from software and hardware development to the factory supply chain to ongoing server operations and maintenance.
Secure information hand-off
All sensitive data is encrypted in flight and at rest. We don’t allow servers to connect to Square unless the encryption (SSL/TLS) is in place and configured properly.
Our security teams are staffed by engineers, not administrators. All of our proprietary information security tools are engineer-friendly, streamlined for easy adoption and built to facilitate protection of sensitive assets and data. Engineers are in charge of monitoring and maintaining all vital areas, such as:
Platform and network monitoring
Identity and access management
Application and hardware security
Cryptography and key management
We’re constantly testing our applications, infrastructure and incident response plans. We regularly engage testing labs to attempt to compromise our security in areas we want to stress-test.
We leverage industry and government groups like ECTF and FS-ISAC to stay abreast of emerging threats, fraud rings and ecosystem changes.
Public bug bounty
In addition to planned penetration tests, Square security is evaluated every day by public bounty researchers. We’ve issued a 24/7, global invitation to security testers around the world to try to identify areas of potential vulnerability in exchange for a bounty. If you’re a researcher and believe you’ve discovered a vulnerability, please report it at our Bugcrowd page.
Code design reviews
We’ve set up automated analysis of Square’s source code to search for weaknesses. When we write new code, we implement a gated quality control process and staging tests before releasing it into production. Throughout this process, automated tests probe the new code for security vulnerabilities.
Sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis.
Square requires two-factor authentication and strong password controls for administrative access to systems.
All access to secure services and data is logged and audit logs are reviewed on a regular basis.