Hi there.
A SSAE-16 report is typically required of third-parties that operate in an unregulated environment. This is the case for companies such as data center providers, paper shredding companies, cloud computing providers, and other unregulated service providers.
Square operates directly in the payment card industry (PCI) which is regulated under the PCI Security Standards Council (PCI SSC). As such, we adhere to our industry regulations without the need to have a separate SSAE-16 review.
You can validate our compliance by seeing our listing on the Visa Service Provider website http://www.visa.com/splisting.
- Click Begin Search
- Under Search Criteria and Company: enter Square, Inc.
- Click Go
You will see that we comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard includes the following areas of review:
- Network firewalls and segmentation
- Secure baseline configurations
- Data encryption at rest
- Data encryption in transit
- Anti-virus
- Secure software development
- Patch management
- User account security and management
- Physical security
- Audit logging
- Vulnerability scanning and penetration testing
- File integrity monitoring
- Intrusion detection systems
- Information security policies
Let me know if you have any further questions!
