Thanks for this one, @pessosices, and agreed - super important.

At a high-level, Square does not require Sellers to share sales data with all 3rd party apps.

Square's APIs provide several permission options for 3rd parties seeking to integrate with our platform. Those permissions vary from simple merchant profile info, employee information, and even sales information. Prior to utilization of 3rd party apps, Sellers are displayed the list of permissions applications would like to use and have the opportunity to deny or accept the permission request.

Here is an example of permissions that are requested:

Thanks for the info @flee!

Homebase represenatives are saying that in through the Square API they have to request Sales Data - if this is not true, then a conversation needs to be had with Homebase because they are hugely misleading Square Customers and requiring to collect Sales data. 

Thank you for that example.
I understand that the seller is given a list of permissions requested - I think that rather than having to agree to a blanket of all requested permissions, the seller should be able to pick and choose which of the requested permissions the seller agrees to.

Hi again @pessosices - to clarify, Homebase may ask for or require sales data in order to integrate with Square, but you of course have the option to opt out. If you’re on Google, this is similar to how sharing permissions work when you use your Google account to login on other platforms, or if you install a game or app. While we do not determine what information partners require for their integrations, we have taken that feedback to explore how we can give sellers more choice in what they share. Thank you for the question.

Thanks @flee

Yes I can opt out, but I have to opt out of everything and cannot share any information or take advantage of the integration.

Usually with Google or Facebook, you can toggle on and off each of the requested permissions so you can still use the integration but not give access to all of your data. 

My big point here is that Homebase is putting the blame on Square, saying that Square does in fact determine that sellers must share Sales information in order for the integration to work. 

Here is what the representatives told me:

"Currently, we are not able to only sync employee information without syncing sales. This is because Square only allowed us to build the integration this way. We understand your concern and I can pass this information along but as of now, this was the way Square allowed us to build the integration we currently have with them."

Hi @Wurstkutchie - In case of a data breach, our dedicated security teams will ensure that they’re following the required process depending on your state’s regulations and the type of data that has been breached.

It’s important to note that data breaches can mean many different things, but you’re right that industry regulations (called “PCI compliance”) place liability on the seller should their customers’ data be compromised. Square does a lot to protect your customers’ data for you—we’re fully PCI compliant on your behalf as long as our solutions are applied throughout your business. From the time your customer uses a credit card in our readers or enters their information into our APIs, for example, payment data is encrypted until it reaches Square’s processing environment. You can learn more about the protections we put in place to keep Sellers, Buyers, and Square secure here: https://squareup.com/us/en/security

Thanks for the question @irmg. Square builds security and protection controls into all of our products, and monitors for suspicious activity 24/7. If something is wrong with a piece of hardware, we have a warranty program where the seller can get a replacement. We monitor for suspicious transactions too. If we notice something suspicious, we notify the seller and work with them to protect their goods and sales. In case of a data breach, our dedicated security teams will ensure that they’re following the required process depending on your state’s regulations and the type of data that has been breached.

As I mentioned above, Square does a lot to protect your customers’ data for you. We’re fully PCI compliant on your behalf as long as our solutions are applied throughout your business. You can learn more about the protections we put in place to keep Sellers, Buyers, and Square secure here: https://squareup.com/us/en/security (It's not a coincidence I linked this elsewhere in the Q&A. It's a very information link!)

Regarding what keeps my team up at night, it’s often thoughts about how to continue pushing the boundaries on secure payments software, secure payments hardware, and protecting the privacy of the Square ecosystem. I’d be curious to hear the same from you - what keeps you up as a business owner?

Great question, @DianaP! Square's products are encrypted end-to-end. We account for usage on untrusted networks whether that's wifi or cellular/LTE, so you can use whichever network is easiest for you.

Great! I've always wondered about that!

Hey @Gretsimac - I noticed this article is from 2011. Since that time we’ve increased data security and fraud protection substantially, but you can also read our full original response to that research here.

We’re not just meeting minimum standards—we’re creating new ones. We’re on the PCI Board of Advisors and influence the ongoing development of the PCI Security Standards. This means that we’re not just doing the bare minimum to keep you safe. We’re always on the lookout for new trends in cybersecurity and developing new techniques and tools to keep your data safe.

Getting “hacked” can mean all kinds of things, @CornersTavern. When hackers engineer a data breach on a website, they’re often looking for login information (like your email address and password) that you’ve saved on your account on that site. Then they sell it on the dark web to fraudsters, who use that information to access your accounts elsewhere.

They can also pose as a legitimate business (called “phishing” or “social engineering”) to get you to give them your information freely. Once they’ve logged into your account, they may change your login information to prevent you from accessing your account or transfer your funds to their bank account.

Square thinks a lot about the different ways that our sellers can be targeted by schemes like these. To mitigate the risk of stolen credentials from being used on your Square account, we’ve set up 2-factor authentication. Further, we encourage our customers to pick strong passwords that are unique from their other passwords (e.g. a different password for your Square account than your email account) to reduce the likelihood that your credentials will be compromised. We’ll also keep an eye on your account and monitor your transactions for suspicious account behavior. If we notice anything out of the ordinary, we’ll give you a call. 

I would like to know the answer to this question too!

This is a really great question @Gretsimac! If you do have an EMV reader, present it, and it falls back (this means that you've tried to insert the chip card three times, the card is rejected, and the app tells you to swipe the card instead) to magstripe reader then the normal chargeback process applies.

Ok, so I read the chargeback procedure- does this mean that in this circumstance I would be covered even if the card was hacked or stolen? Assuming that I follow the stated procedure correctly? Thanks!