Describes the Square Contactless and Chip Reader as a secure payment device for merchants.
Details how sellers can order and inspect the Square Reader upon receipt.
Explains the cryptographic authentication process between the reader, application, and servers.
Details where and how to acquire the Square Reader for use.
Lists the approval classes and intended use of the Square Reader.
Provides guidance on storing the reader for future use, including battery considerations.
Outlines daily checks and operational messages from the application.
Describes the reader's firmware and terminal configuration authentication.
Provides instructions and an address for decommissioning the reader.
Explains how to check the reader's hardware and firmware versions.
States the reader is not a PIN-entry device and does not require a privacy screen.
Explains automatic firmware updates and potential user notifications.
Discusses battery usage, tamper detection, and charging recommendations.
Details internal tamper-response mechanisms and external inspection procedures.
Explains how the reader identifies tamper events and becomes inoperable.
Mentions the reader is designed for Square products and requires adherence to specific procedures.
Describes how Square handles key management, loading, and acquiring for the reader.
The Square Contactless and Chip Reader is a secure payment device designed for merchants to accept EMV and NFC-based transactions. It adheres to the Payment Card Industry (PCI) Security Standards Council (SSC) PIN Transaction Security (PTS) version 4.1 security requirements. This document addresses the security requirements outlined in PCI PTS Point of Interaction (POI) version 4.1 Derived Test Requirements (DTRs) B20.
The Square Contactless and Chip Reader ("Reader") facilitates secure card-present payment transactions. It is designed to work exclusively with the Square Register application and a compatible mobile device running in a Square Stand. The Reader supports various approval classes, including Secure Card Reader (SCR), Secure Read and Exchange of Data (SRED), and Integrated Chip Card Reader (ICCR). It is intended for use in attended payment environments and is not designed as an unattended payment terminal (UPT).
Upon connection to the USB hub of a Square Stand, the Reader undergoes cryptographic authentication with both the Register application and Square back-end servers. A valid Reader registers successfully, while an unauthorized reader will be rejected by the Square Register application. The device does not offer user-configurable application or Reader settings for its authentication function.
The Reader performs security self-tests, including firmware and terminal configuration authentication using RSA 3072/SHA-256, every time it is powered on. Additionally, it implements a forced reboot every 23.5 hours, triggering the same self-tests.
The Square Reader is ready for use upon receipt. Merchants can obtain it through the Square website or approved retail outlets. To use, simply remove the Reader from its packaging and connect it to a USB port on the Square Stand. The Reader will then authenticate itself with the Square Register application, allowing operations to proceed.
The Square Register application provides operational messages from the Reader, indicating when the device is ready for payment and when payment data capture is complete. The Reader itself does not have user-configurable security options.
The Square Reader is not a PIN-entry device and, as per PCI POS PED Security Requirements and EPP Security Requirements technical FAQs version 2.0, does not require a privacy screen.
Firmware and software updates for the Square Reader are handled automatically by Square in the background, without requiring user interaction. In the event of a critical update, the Square Register software will notify the user and advise on the necessary actions. Depending on the criticality, Square may temporarily disable transaction processing until the firmware update is successfully applied.
The Square Reader is designed for use with Square products and applications only; it is not compatible with other applications. All code is developed, written, and managed by Square. Square developers adhere to specific Software Engineering and Vulnerability Management Procedures when developing new software for Square Readers.
All cryptographic keys used by the Square Reader to protect the confidentiality and integrity of sensitive data are injected during the manufacturing process using a Square-proprietary protocol. These keys are stored within the Reader's secure boundary and are protected from disclosure and modification by a key-encrypting key that meets PCI PTS key strength requirements.
The Reader supports key injection only during manufacturing; remote key injection is not required as it communicates directly with Square servers. During manufacturing, Square's key provisioning equipment authenticates incoming readers, and the readers authenticate the received key-bundles as originating from Square's factory key provisioning module. The Reader does not accept keys from any entity other than the factory provisioning module.
The cryptographic keys are injected into new devices in encrypted form using the Square-proprietary protocol. These keys are maintained under Square's control, with details transparent to the merchant. The Square Reader does not offer user-configurable encryption key management functions.
Upon receipt, sellers should inspect the Reader to verify that the hardware version (S8) and serial number are visible on its underside.
Before each use, sellers must inspect the Reader for any signs of tampering. This includes checking the chip card slot for foreign objects such as capture devices, card skimmers, extra wires/cables, or other materials. Users should also look for any evidence of modification or disassembly of the Reader, as well as visible or tactile changes to cable connections or the card slot. If any evidence of external tampering is found, Square Support should be contacted.
The Square Reader incorporates internal active tamper-response mechanisms that are enforced automatically and do not require user configuration. If a tamper event is detected, the Reader will erase its encryption key material and become inoperable.
The Reader is designed for normal operation within specific environmental conditions. Temperatures outside the range of 0 to 40 degrees Celsius, voltages outside 1.6 to 3.9 volts, or any attempt to open, disassemble, or access internal parts may trigger a tamper event and render the device inoperable.
The Square Reader has a primary battery for operation and a backup battery to maintain tamper-detection features. If the primary battery is fully discharged, the backup battery will sustain tamper-detection for one year. If the Reader is not fully charged annually, it will enter a tampered state and become inoperable. Regular use and recharging of the primary battery will prevent this. For infrequent or seasonal users, it is recommended to fully charge the Reader at least once a year.
If a tamper event occurs, the Seller will be notified via the Square Register application when the Reader is connected to an approved mobile device. Square will then communicate with the Seller regarding secure disposal and replacement of the device.
To store the Square Reader, simply remove it from the Square Stand USB port. If the Reader will not be used for more than twelve months, it should be charged prior to storage and periodically thereafter to maintain readiness.
To decommission a Square Reader, the device should be shipped to Square for proper decommissioning. The address for decommissioning is provided in the manual.
Sellers can confirm the hardware version by physical inspection and the hardware and firmware version via the Support > Readers screen in the Square Register application. The PCI approved firmware version is 2.2, displayed as "202xxx".
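The seller-side checks described above (hardware version S8, approved firmware shown as "202xxx", and a full charge at least once a year) can be run across a fleet of readers. The following is an added example, not Square's code: the inventory records, field names, serials, the `S6` value, the reading of "202xxx" as "202" plus three digits, and the 30-day warning window are all assumptions made for illustration.

```python
import re
from datetime import date

APPROVED_HW = "S8"                     # hardware version stated on the page
APPROVED_FW = re.compile(r"202\d{3}")  # assumption: "202xxx" is "202" plus three digits
BACKUP_DAYS = 365                      # backup battery keeps tamper detection alive for one year
WARN_DAYS = 30                         # assumption: start warning 30 days before that limit

# Constructed inventory: serials, field names and the "S6" value are hypothetical.
INVENTORY = [
    {"serial": "EXAMPLE-0001", "hw": "S8", "fw": "202113", "last_full_charge": date(2025, 3, 1)},
    {"serial": "EXAMPLE-0002", "hw": "S8", "fw": "202113", "last_full_charge": date(2024, 5, 20)},
    {"serial": "EXAMPLE-0003", "hw": "S8", "fw": "201987", "last_full_charge": date(2024, 6, 20)},
    {"serial": "EXAMPLE-0004", "hw": "S6", "fw": "202200", "last_full_charge": date(2025, 5, 1)},
]

def audit_reader(rec, today):
    """Return finding codes for one reader record (empty list = nothing to do)."""
    findings = []
    if rec["hw"] != APPROVED_HW:
        findings.append("HW_VERSION_MISMATCH")
    if not APPROVED_FW.fullmatch(rec["fw"]):
        findings.append("FW_NOT_APPROVED")
    # Conservative: count from the last full charge, not from full discharge.
    idle_days = (today - rec["last_full_charge"]).days
    if idle_days >= BACKUP_DAYS:
        findings.append("CHARGE_OVERDUE")      # reader may already be in a tampered state
    elif idle_days >= BACKUP_DAYS - WARN_DAYS:
        findings.append("CHARGE_DUE_SOON")
    return findings

def audit_fleet(inventory, today):
    """Map serial -> findings for every reader that needs attention."""
    report = {}
    for rec in inventory:
        findings = audit_reader(rec, today)
        if findings:
            report[rec["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit_fleet(INVENTORY, date(2025, 6, 1)).items():
        print(serial, ", ".join(findings))
```

The version values would be read from the Support > Readers screen; the charge date has to be tracked by the seller.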
| Specification | Value |
|---|---|
| Connectivity | Bluetooth LE |
| Compatibility | iOS, Android |
| Payment Types | Contactless, Chip |
| Battery Life | Up to 8 hours |
| Charging | USB |