On Thursday August 16th at 1 PM PST / 4 PM EST, we hosted a Live Q&A about Square and security. We know that the terms thrown around like security, data breaches, and fraud can be overwhelming and intimidating as you try to keep your business and customers safe. We had @flee, one of our security experts, here to answer any of your questions about these terms, PCI compliance, and how Square has you covered.
@flee is the Head of Information Security at Square. He has a history of solving security problems for a range of organizations all the way from large enterprises (Bank of America) to small startups (Twillio). He's experienced in building and leading global security teams and specializes in application security. He's passionate about all things security, but finds time to indulge in other hobbies including road cycling, mountain biking, rock climbing, snowboarding, backpacking, and photography.
A couple example questions:
- What kinds of security breaches should I be concerned about as a business owner?
- What does Square do to ensure that I’m protected from security threats?
- What can I do as a business owner to ensure I’m not susceptible to a hack?
Thank you all for the great questions—we’re really glad you took the time to participate.
We’re always working to keep your business and your customers’ data secure. But there’s a lot you can do on your end to keep yourself safe, as well. To wrap this up, I thought I’d leave you with my top tips for keeping your Square account safe:
- Make sure you choose a strong, unique password—and only use it for your Square account. I know it’s hard to keep track of multiple passwords, but if you use your password multiple times outside of the Square website, you’re increasing your risk of that information being compromised in a data breach. You might consider using a password manager such as 1Password, which will help you keep track of all of your login information without opening yourself up to an attack.
- Enable 2-step verification on your Square account. We have a great team that monitors your Square account for unusual activity, but you can add an extra layer of protection by linking your phone number to your account. Every time there’s a login attempt on your account, two-step verification confirms that it’s really you by asking you to verify the login on a separate device (your phone). That way, even if a hacker were to get hold of your information from a website outside of Square, they would also have to have gotten ahold of your phone. It’s even better to enable two-step verification on all of your accounts, like your email and your bank accounts.
- Keep an eye out for phishing emails. Make sure you’re verifying the sender of any email you receive; any emails from Square will come from an address ending in @messaging.squareup.com. Be wary of emails that don’t address you by name (“Hello, Customer”). And while Square does review accounts from time to time and may ask for personal information, you’ll never be asked to provide the following via email: SSN (even the last 4 digits), full credit card numbers, 2-Step verification code, password, or point of sale passcode.
Hey Flee! Thanks so much for taking the time to do a Q&A with us, and for all of the awesome things you do to keep us secure
Here's a fringe security & safety question, but still super important.
There's a lot of third party apps sharing Square Data now, big and small.
Recently I was looking into sharing just my Employee data with Homebase to use it for my Timesheets and use only Square for my Employee management & sales/labor % data. However I was told by Homebase that Square makes the API so that Sales data must be shared, even if I only want to share Employee data. While I trust Square with all of my data, I do not trust/want third parties to have more data than they have to, including my sales info.
Is it true that Square makes it Mandatory for sellers to share the Sales data with these third party apps?
Can a change be made where the seller can pick and choose which sets of data we actually want to give them, and also which sets we want them to give Square?
Thanks for this one, @Pesso, and agreed - super important.
At a high-level, Square does not require Sellers to share sales data with all 3rd party apps.
Square's APIs provide several permission options for 3rd parties seeking to integrate with our platform. Those permissions vary from simple merchant profile info, employee information, and even sales information. Prior to utilization of 3rd party apps, Sellers are displayed the list of permissions applications would like to use and have the opportunity to deny or accept the permission request.
Here is an example of permissions that are requested:
Thanks for the info @flee!
Homebase represenatives are saying that in through the Square API they have to request Sales Data - if this is not true, then a conversation needs to be had with Homebase because they are hugely misleading Square Customers and requiring to collect Sales data.
Thank you for that example.
I understand that the seller is given a list of permissions requested - I think that rather than having to agree to a blanket of all requested permissions, the seller should be able to pick and choose which of the requested permissions the seller agrees to.
Hi again @Pesso - to clarify, Homebase may ask for or require sales data in order to integrate with Square, but you of course have the option to opt out. If you’re on Google, this is similar to how sharing permissions work when you use your Google account to login on other platforms, or if you install a game or app. While we do not determine what information partners require for their integrations, we have taken that feedback to explore how we can give sellers more choice in what they share. Thank you for the question.
Yes I can opt out, but I have to opt out of everything and cannot share any information or take advantage of the integration.
Usually with Google or Facebook, you can toggle on and off each of the requested permissions so you can still use the integration but not give access to all of your data.
My big point here is that Homebase is putting the blame on Square, saying that Square does in fact determine that sellers must share Sales information in order for the integration to work.
Here is what the representatives told me:
"Currently, we are not able to only sync employee information without syncing sales. This is because Square only allowed us to build the integration this way. We understand your concern and I can pass this information along but as of now, this was the way Square allowed us to build the integration we currently have with them."
In the event that Square has a data breach (God forbid) and my customers contact or card information is comprmised, would Square be required to reach out to my customers to notify them?
Hi @Wurstkutchie - In case of a data breach, our dedicated security teams will ensure that they’re following the required process depending on your state’s regulations and the type of data that has been breached.
It’s important to note that data breaches can mean many different things, but you’re right that industry regulations (called “PCI compliance”) place liability on the seller should their customers’ data be compromised. Square does a lot to protect your customers’ data for you—we’re fully PCI compliant on your behalf as long as our solutions are applied throughout your business. From the time your customer uses a credit card in our readers or enters their information into our APIs, for example, payment data is encrypted until it reaches Square’s processing environment. You can learn more about the protections we put in place to keep Sellers, Buyers, and Square secure here: https://squareup.com/us/en/security
How does Square ensure that it's hardware has not been compromised and if there ever is a data breach, what course of action would be taken to minimize business disruption. Also, what keeps your team up at night?
Thanks for the question @irmg. Square builds security and protection controls into all of our products, and monitors for suspicious activity 24/7. If something is wrong with a piece of hardware, we have a warranty program where the seller can get a replacement. We monitor for suspicious transactions too. If we notice something suspicious, we notify the seller and work with them to protect their goods and sales. In case of a data breach, our dedicated security teams will ensure that they’re following the required process depending on your state’s regulations and the type of data that has been breached.
As I mentioned above, Square does a lot to protect your customers’ data for you. We’re fully PCI compliant on your behalf as long as our solutions are applied throughout your business. You can learn more about the protections we put in place to keep Sellers, Buyers, and Square secure here: https://squareup.com/us/en/security (It's not a coincidence I linked this elsewhere in the Q&A. It's a very information link!)
Regarding what keeps my team up at night, it’s often thoughts about how to continue pushing the boundaries on secure payments software, secure payments hardware, and protecting the privacy of the Square ecosystem. I’d be curious to hear the same from you - what keeps you up as a business owner?
Great question, @DianaP! Square's products are encrypted end-to-end. We account for usage on untrusted networks whether that's wifi or cellular/LTE, so you can use whichever network is easiest for you.
I just read this article about researchers who have figured out how to hack the device. How does this potentially affect us as merchants? https://cyberscout.com/education/blog/researchers-square-knew-6-months-ago-its-credit-card-readers-c...
Hey @Gretsimac - I noticed this article is from 2011. Since that time we’ve increased data security and fraud protection substantially, but you can also read our full original response to that research here.
We’re not just meeting minimum standards—we’re creating new ones. We’re on the PCI Board of Advisors and influence the ongoing development of the PCI Security Standards. This means that we’re not just doing the bare minimum to keep you safe. We’re always on the lookout for new trends in cybersecurity and developing new techniques and tools to keep your data safe.
Getting “hacked” can mean all kinds of things, @CornersTavern. When hackers engineer a data breach on a website, they’re often looking for login information (like your email address and password) that you’ve saved on your account on that site. Then they sell it on the dark web to fraudsters, who use that information to access your accounts elsewhere.
They can also pose as a legitimate business (called “phishing” or “social engineering”) to get you to give them your information freely. Once they’ve logged into your account, they may change your login information to prevent you from accessing your account or transfer your funds to their bank account.
Square thinks a lot about the different ways that our sellers can be targeted by schemes like these. To mitigate the risk of stolen credentials from being used on your Square account, we’ve set up 2-factor authentication. Further, we encourage our customers to pick strong passwords that are unique from their other passwords (e.g. a different password for your Square account than your email account) to reduce the likelihood that your credentials will be compromised. We’ll also keep an eye on your account and monitor your transactions for suspicious account behavior. If we notice anything out of the ordinary, we’ll give you a call.
When I have trouble getting my reader to read a chip, after three tries it tells me to swipe it. Who bears liability in the case that the card is bad? Your info says liability goes to whever is least compliant; in this case I am as compliant as I can be. Thanks.
This is a really great question @Gretsimac! If you do have an EMV reader, present it, and it falls back (this means that you've tried to insert the chip card three times, the card is rejected, and the app tells you to swipe the card instead) to magstripe reader then the normal chargeback process applies.
Ok, so I read the chargeback procedure- does this mean that in this circumstance I would be covered even if the card was hacked or stolen? Assuming that I follow the stated procedure correctly? Thanks!