thread Re: Live Q&A: Ask us anything about Square and Security in Archived Discussions (Read Only)

Live Q&A: Ask us anything about Square and Security

katieand — Mon, 15 Jul 2024 19:41:12 GMT

On Thursday August 16th at 1 PM PST / 4 PM EST, we hosted a Live Q&A about Square and security. We know that the terms thrown around like security, data breaches, and fraud can be overwhelming and intimidating as you try to keep your business and customers safe. We had @flee, one of our security experts, here to answer any of your questions about these terms, PCI compliance, and how Square has you covered.

@flee is the Head of Information Security at Square. He has a history of solving security problems for a range of organizations all the way from large enterprises (Bank of America) to small startups (Twillio). He's experienced in building and leading global security teams and specializes in application security. He's passionate about all things security, but finds time to indulge in other hobbies including road cycling, mountain biking, rock climbing, snowboarding, backpacking, and photography.

A couple example questions:

What kinds of security breaches should I be concerned about as a business owner?
What does Square do to ensure that I’m protected from security threats?
What can I do as a business owner to ensure I’m not susceptible to a hack?

Re: Live Q&A: Ask us anything about Square and Security

pessosices — Fri, 10 Aug 2018 17:34:13 GMT

Hey Flee! Thanks so much for taking the time to do a Q&A with us, and for all of the awesome things you do to keep us secure

Here's a fringe security & safety question, but still super important.
There's a lot of third party apps sharing Square Data now, big and small.
Recently I was looking into sharing just my Employee data with Homebase to use it for my Timesheets and use only Square for my Employee management & sales/labor % data. However I was told by Homebase that Square makes the API so that Sales data must be shared, even if I only want to share Employee data. While I trust Square with all of my data, I do not trust/want third parties to have more data than they have to, including my sales info.

Is it true that Square makes it Mandatory for sellers to share the Sales data with these third party apps?
Can a change be made where the seller can pick and choose which sets of data we actually want to give them, and also which sets we want them to give Square?

Thanks,

Pesso

Re: Live Q&A: Ask us anything about Square and Security

Wurstkutchie — Tue, 14 Aug 2018 23:30:55 GMT

Hello!

In the event that Square has a data breach (God forbid) and my customers contact or card information is comprmised, would Square be required to reach out to my customers to notify them?

Re: Live Q&A: Ask us anything about Square and Security

irmg — Wed, 15 Aug 2018 01:28:10 GMT

How does Square ensure that it's hardware has not been compromised and if there ever is a data breach, what course of action would be taken to minimize business disruption. Also, what keeps your team up at night?

Re: Live Q&A: Ask us anything about Square and Security

DianaP — Wed, 15 Aug 2018 19:03:02 GMT

Which type of connectivity is more secure when using the chip reader w/ my iPhone: secure wifi w/ strong password, or my carrier's 4G LTE?

Re: Live Q&A: Ask us anything about Square and Security

Gretsimac — Thu, 16 Aug 2018 20:06:10 GMT

I just read this article about researchers who have figured out how to hack the device. How does this potentially affect us as merchants? https://cyberscout.com/education/blog/researchers-square-knew-6-months-ago-its-credit-card-readers-could-be-compromised

Re: Live Q&A: Ask us anything about Square and Security

CornersTavern — Thu, 16 Aug 2018 19:44:26 GMT

What exactly happens when someone’s account gets hacked? How does Square make sure that doesn’t happen?

Re: Live Q&A: Ask us anything about Square and Security

Gretsimac — Thu, 16 Aug 2018 20:04:53 GMT

When I have trouble getting my reader to read a chip, after three tries it tells me to swipe it. Who bears liability in the case that the card is bad? Your info says liability goes to whever is least compliant; in this case I am as compliant as I can be. Thanks.

Re: Live Q&A: Ask us anything about Square and Security

flee — Thu, 16 Aug 2018 20:07:49 GMT

Thanks for this one, @pessosices, and agreed - super important.

At a high-level, Square does not require Sellers to share sales data with all 3rd party apps.

Square's APIs provide several permission options for 3rd parties seeking to integrate with our platform. Those permissions vary from simple merchant profile info, employee information, and even sales information. Prior to utilization of 3rd party apps, Sellers are displayed the list of permissions applications would like to use and have the opportunity to deny or accept the permission request.

Here is an example of permissions that are requested:

Re: Live Q&A: Ask us anything about Square and Security

flee — Thu, 16 Aug 2018 21:13:03 GMT

Great question, @DianaP! Square's products are encrypted end-to-end. We account for usage on untrusted networks whether that's wifi or cellular/LTE, so you can use whichever network is easiest for you.

Re: Live Q&A: Ask us anything about Square and Security

pessosices — Thu, 16 Aug 2018 20:16:36 GMT

Thanks for the info @flee!

Homebase represenatives are saying that in through the Square API they have to request Sales Data - if this is not true, then a conversation needs to be had with Homebase because they are hugely misleading Square Customers and requiring to collect Sales data.

Thank you for that example.
I understand that the seller is given a list of permissions requested - I think that rather than having to agree to a blanket of all requested permissions, the seller should be able to pick and choose which of the requested permissions the seller agrees to.

Re: Live Q&A: Ask us anything about Square and Security

flee — Thu, 16 Aug 2018 20:34:38 GMT

Getting “hacked” can mean all kinds of things, @CornersTavern. When hackers engineer a data breach on a website, they’re often looking for login information (like your email address and password) that you’ve saved on your account on that site. Then they sell it on the dark web to fraudsters, who use that information to access your accounts elsewhere.

They can also pose as a legitimate business (called “phishing” or “social engineering”) to get you to give them your information freely. Once they’ve logged into your account, they may change your login information to prevent you from accessing your account or transfer your funds to their bank account.

Square thinks a lot about the different ways that our sellers can be targeted by schemes like these. To mitigate the risk of stolen credentials from being used on your Square account, we’ve set up 2-factor authentication. Further, we encourage our customers to pick strong passwords that are unique from their other passwords (e.g. a different password for your Square account than your email account) to reduce the likelihood that your credentials will be compromised. We’ll also keep an eye on your account and monitor your transactions for suspicious account behavior. If we notice anything out of the ordinary, we’ll give you a call.

Re: Live Q&A: Ask us anything about Square and Security

DianaP — Thu, 16 Aug 2018 20:34:49 GMT

Great! I've always wondered about that!

Re: Live Q&A: Ask us anything about Square and Security

DianaP — Thu, 16 Aug 2018 20:36:26 GMT

I would like to know the answer to this question too!

Re: Live Q&A: Ask us anything about Square and Security

DianaP — Thu, 16 Aug 2018 20:40:15 GMT

Could you explain what a BAA is and why it's important, and what it means for sellers that Square has one of these?

Re: Live Q&A: Ask us anything about Square and Security

emailbuff — Thu, 16 Aug 2018 20:53:17 GMT

My credit card and banking apps require my thumbprint to enter them. Since I am holding dozens of customers' private information on my Square app, will Square be adding the thumbprint security to the app any time soon?

Re: Live Q&A: Ask us anything about Square and Security

flee — Thu, 16 Aug 2018 20:56:18 GMT

Hi again @pessosices - to clarify, Homebase may ask for or require sales data in order to integrate with Square, but you of course have the option to opt out. If you’re on Google, this is similar to how sharing permissions work when you use your Google account to login on other platforms, or if you install a game or app. While we do not determine what information partners require for their integrations, we have taken that feedback to explore how we can give sellers more choice in what they share. Thank you for the question.

Re: Live Q&A: Ask us anything about Square and Security

flee — Thu, 16 Aug 2018 20:57:27 GMT

Hi @Wurstkutchie - In case of a data breach, our dedicated security teams will ensure that they’re following the required process depending on your state’s regulations and the type of data that has been breached.

It’s important to note that data breaches can mean many different things, but you’re right that industry regulations (called “PCI compliance”) place liability on the seller should their customers’ data be compromised. Square does a lot to protect your customers’ data for you—we’re fully PCI compliant on your behalf as long as our solutions are applied throughout your business. From the time your customer uses a credit card in our readers or enters their information into our APIs, for example, payment data is encrypted until it reaches Square’s processing environment. You can learn more about the protections we put in place to keep Sellers, Buyers, and Square secure here: https://squareup.com/us/en/security

Re: Live Q&A: Ask us anything about Square and Security

pessosices — Thu, 16 Aug 2018 21:04:15 GMT

Thanks @flee

Yes I can opt out, but I have to opt out of everything and cannot share any information or take advantage of the integration.

Usually with Google or Facebook, you can toggle on and off each of the requested permissions so you can still use the integration but not give access to all of your data.

My big point here is that Homebase is putting the blame on Square, saying that Square does in fact determine that sellers must share Sales information in order for the integration to work.

Here is what the representatives told me:

"Currently, we are not able to only sync employee information without syncing sales. This is because Square only allowed us to build the integration this way. We understand your concern and I can pass this information along but as of now, this was the way Square allowed us to build the integration we currently have with them."

Re: Live Q&A: Ask us anything about Square and Security

flee — Fri, 17 Aug 2018 00:08:41 GMT

This is a really great question @Gretsimac! If you do have an EMV reader, present it, and it falls back (this means that you've tried to insert the chip card three times, the card is rejected, and the app tells you to swipe the card instead) to magstripe reader then the normal chargeback process applies.