Square Hardening Guide
Commerce platform hardening for Square including SSO configuration, team permissions, and API security
Overview
Square is a commerce platform used by millions of businesses for payments, point of sale, and business management. Because it handles payment and customer data, how a Square account is configured directly affects PCI DSS scope and compliance as well as day-to-day business operations.
Intended Audience
- Security engineers managing commerce platforms
- IT administrators configuring Square
- Business owners managing Square access
- GRC professionals assessing retail security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Square Dashboard security including SSO, team permissions, device security, and API management.
1. Authentication & SSO
1.1 Configure Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML single sign-on for Square Dashboard access so that logins are governed by your identity provider's authentication policies (SSO is a Square for Enterprise feature).
Prerequisites
- Square for Enterprise plan
- Account owner access
- SAML 2.0 compatible IdP
ClickOps Implementation
Step 1: Access SSO Settings
- Navigate to: Square Dashboard → Account & Settings → Security
- Find Single Sign-On section
Step 2: Configure SSO
- Enable SSO
- Configure IdP settings
- Test authentication
Step 3: Enforce SSO
- Enable SSO enforcement so that Dashboard logins must go through the IdP
- Keep exceptions to a minimum (for example a single break-glass owner account) and require 2FA on every exception
- Document fallback procedures for an IdP outage, including who may use the break-glass account and how each use is reviewed afterwards
Time to Complete: ~1-2 hours
1.2 Enforce Two-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require 2FA for all Square accounts.
ClickOps Implementation
Step 1: Enable 2FA
- Navigate to: Account & Settings → Security
- Enable two-step verification
- Configure verification method
Step 2: Require for Team
- Require two-step verification for all team members
- Verify that every member has enrolled; remove or re-invite accounts that have not
- Monitor enrollment on an ongoing basis as new team members are added
2. Access Controls
2.1 Configure Team Permissions
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege using Square permissions.
ClickOps Implementation
Step 1: Review Permission Sets
- Navigate to: Team → Permissions
- Review available permissions
- Create custom permission sets
Step 2: Assign Minimum Access
- Assign minimum necessary permissions
- Separate by function:
- Sales access
- Reports access
- Customer data access
- Settings access
- Review assignments regularly (for example quarterly and whenever a role changes) and remove permissions that are no longer needed
2.2 Configure Location Access
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Control team access to specific locations.
ClickOps Implementation
Step 1: Configure Access
- Limit each team member to the locations their role requires
- Keep any test or training locations separate from live (production) sales locations
- Audit cross-location access periodically and remove access that is no longer justified
2.3 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect owner accounts.
ClickOps Implementation
Step 1: Inventory Admins
- Review account owners
- Document admin access
Step 2: Apply Restrictions
- Limit owners to 2-3 users
- Require 2FA
- Monitor activity
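The checks in sections 2.1 to 2.3 (least privilege, location scoping, a small owner set) can be run as one review over an exported team roster. The script below is an added example, not Square's code or API: the roster and its field names are constructed for this example, and in practice you would build the list from Team → Team members / Permissions in the Dashboard (or the Team API) and map the fields yourself. The owner limit, the 90-day inactivity threshold and the set of permissions treated as sensitive are this example's own policy choices.

```python
"""Least-privilege review of a Square team roster (added example, not Square's code)."""
from datetime import date

MAX_OWNERS = 3            # section 2.3: keep owners to 2-3 people (assumed policy)
STALE_DAYS = 90           # inactive this long -> candidate for removal (assumed policy)
# Permissions beyond sales/reports that should be justified per person (assumed set).
SENSITIVE_PERMISSIONS = {"settings", "customer_data"}

# Constructed sample roster (not real people). "*" means access to every location.
TEAM_ROSTER = [
    {"name": "owner.a", "role": "Owner", "locations": ["*"],
     "permissions": ["all"], "two_factor": True, "last_active": "2025-01-30"},
    {"name": "owner.b", "role": "Owner", "locations": ["*"],
     "permissions": ["all"], "two_factor": False, "last_active": "2024-09-02"},
    {"name": "owner.c", "role": "Owner", "locations": ["*"],
     "permissions": ["all"], "two_factor": True, "last_active": "2025-02-01"},
    {"name": "owner.d", "role": "Owner", "locations": ["*"],
     "permissions": ["all"], "two_factor": True, "last_active": "2025-02-03"},
    {"name": "cashier.1", "role": "Team Member", "locations": ["Downtown"],
     "permissions": ["sales"], "two_factor": True, "last_active": "2025-02-04"},
    {"name": "bookkeeper", "role": "Team Member", "locations": ["*"],
     "permissions": ["reports", "settings"], "two_factor": True, "last_active": "2025-02-03"},
    {"name": "seasonal.1", "role": "Team Member", "locations": ["Airport"],
     "permissions": ["sales"], "two_factor": True, "last_active": "2024-10-01"},
]


def review_team(roster, today, max_owners=MAX_OWNERS, stale_days=STALE_DAYS):
    """Return a sorted list of {"member", "code", "detail"} findings for the roster."""
    findings = []

    def flag(member, code, detail):
        findings.append({"member": member, "code": code, "detail": detail})

    # Account-level check: the owner set itself must stay small.
    owners = [m["name"] for m in roster if m["role"] == "Owner"]
    if len(owners) > max_owners:
        flag("account", "TOO_MANY_OWNERS",
             f"{len(owners)} owners ({', '.join(owners)}); limit is {max_owners}")

    # Per-member checks: 2FA, location scope, sensitive permissions, inactivity.
    for m in roster:
        name, is_owner = m["name"], m["role"] == "Owner"
        if not m["two_factor"]:
            flag(name, "NO_2FA", "two-step verification not enrolled")
        if not is_owner and "*" in m["locations"]:
            flag(name, "ALL_LOCATIONS", "non-owner has access to every location")
        extra = SENSITIVE_PERMISSIONS & set(m["permissions"])
        if not is_owner and extra:
            flag(name, "SENSITIVE_PERMISSION", "non-owner holds " + ", ".join(sorted(extra)))
        idle = (today - date.fromisoformat(m["last_active"])).days
        if idle > stale_days:
            flag(name, "STALE", f"inactive for {idle} days")

    return sorted(findings, key=lambda f: (f["member"], f["code"]))


def review_sample():
    """Run the review against the constructed roster as of 2025-02-05."""
    return review_team(TEAM_ROSTER, date(2025, 2, 5))


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['code']:<21} {f['member']:<12} {f['detail']}")
```

Each finding maps back to a step above: `TOO_MANY_OWNERS` and `NO_2FA` to section 2.3, `ALL_LOCATIONS` to 2.2, and `SENSITIVE_PERMISSION` and `STALE` to the access-review step in 2.1. Treat the output as the worklist for the review, not as an automatic removal script.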
3. Device Security
3.1 Configure Device Management
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 1.1 |
| NIST 800-53 | CM-8 |
Description
Manage Square devices and terminals.
ClickOps Implementation
Step 1: Inventory Devices
- Navigate to: Devices
- Review all registered devices
- Document device purposes
Step 2: Configure Security
- Enable device passcodes
- Configure automatic logout
- Monitor device activity
3.2 Configure API Security
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure Square API access.
ClickOps Implementation
Step 1: Review Applications
- Navigate to: Developer Dashboard
- Review connected applications
- Remove unnecessary apps
Step 2: Secure Credentials
- Store access tokens and OAuth client secrets in a secrets manager or environment variables, never in source control, build logs, or client-side code
- Use sandbox credentials and the sandbox environment for development and testing; production tokens should never be reachable from CI or developer machines
- Rotate access tokens on a schedule, and immediately when a developer leaves or a token may have been exposed
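One way to make the three credential rules above hard to violate in application code, as an added example that is not Square's SDK or documentation: the loader reads the token from the process environment rather than source, picks the sandbox or production base URL from an explicit environment setting, refuses production unless it has been opted into, rejects tokens older than a rotation limit, and redacts the token for logging. The variable names `SQUARE_ACCESS_TOKEN`, `SQUARE_ENVIRONMENT`, `SQUARE_ALLOW_PRODUCTION` and `SQUARE_TOKEN_CREATED` and the 90-day limit are this example's own choices; the two base URLs are Square's sandbox and production API hosts, and the Bearer authorization header is how Square APIs accept an access token.

```python
"""Credential handling for a Square API client (added example, not Square's SDK code)."""
import os
from datetime import date
from typing import Mapping, Union

# Square's sandbox and production are separate environments with separate tokens.
BASE_URLS = {
    "sandbox": "https://connect.squareupsandbox.com",
    "production": "https://connect.squareup.com",
}
MAX_TOKEN_AGE_DAYS = 90  # rotation policy assumed for this example


class CredentialError(ValueError):
    """Raised when the environment does not provide a usable, policy-compliant token."""


def redact(token: str) -> str:
    """Label for logs: enough to tell tokens apart, never the secret itself."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "****"


def _as_date(value: Union[date, str]) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_square_config(env: Mapping[str, str], today: Union[date, str]) -> dict:
    """Build client settings from an environment mapping, enforcing the credential rules."""
    environment = env.get("SQUARE_ENVIRONMENT", "sandbox").strip().lower()
    if environment not in BASE_URLS:
        raise CredentialError(f"SQUARE_ENVIRONMENT must be one of {sorted(BASE_URLS)}")

    token = env.get("SQUARE_ACCESS_TOKEN", "").strip()
    if not token:
        raise CredentialError("SQUARE_ACCESS_TOKEN is not set; load it from a secrets manager, not source")

    # Production must be opted into explicitly, so tests and CI default to sandbox.
    if environment == "production" and env.get("SQUARE_ALLOW_PRODUCTION") != "1":
        raise CredentialError("production token refused: set SQUARE_ALLOW_PRODUCTION=1 deliberately")

    # Rotation is enforced from the issue date recorded alongside the token (assumed convention).
    created = env.get("SQUARE_TOKEN_CREATED", "").strip()
    if not created:
        raise CredentialError("SQUARE_TOKEN_CREATED (ISO date the token was issued) is required")
    age_days = (_as_date(today) - date.fromisoformat(created)).days
    if age_days > MAX_TOKEN_AGE_DAYS:
        raise CredentialError(f"token is {age_days} days old (limit {MAX_TOKEN_AGE_DAYS}); rotate it")

    return {
        "environment": environment,
        "base_url": BASE_URLS[environment],
        "token": token,
        "token_label": redact(token),   # safe to log; "token" itself is not
        "token_age_days": age_days,
    }


def auth_headers(config: dict) -> dict:
    """Square APIs take the access token as a Bearer token."""
    return {"Authorization": f"Bearer {config['token']}", "Content-Type": "application/json"}


def validate(env: Mapping[str, str], today: Union[date, str]):
    """Return None if the environment passes the checks, else the error message."""
    try:
        load_square_config(env, today)
        return None
    except CredentialError as exc:
        return str(exc)


if __name__ == "__main__":
    try:
        cfg = load_square_config(os.environ, date.today())
        print(f"using {cfg['environment']} ({cfg['base_url']}) with token {cfg['token_label']}")
    except CredentialError as exc:
        print(f"refusing to start: {exc}")
```

The point of failing closed at startup is that a misconfigured deployment (production token in a test runner, a token past its rotation date) is caught before any request carrying the token leaves the host. Only `token_label` should ever reach logs or error reports.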
4. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Square Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/2FA | 1.1, 1.2 |
| CC6.2 | Team permissions | 2.1 |
| CC6.7 | API security | 3.2 |
PCI DSS v4.0 Mapping
| Requirement | Square Control | Guide Section |
|---|---|---|
| 7 | Team permissions | 2.1 |
| 8 | Authentication | 1.2 |
Appendix A: References
Official Square Documentation:
API & Developer Tools:
- Square API Reference
- Square Developer Portal
- SDKs available for multiple languages – via Developer Portal
Compliance Frameworks:
- PCI DSS Level 1 (Service Provider), ISO 27001 – via Square Security
- Square sits on the PCI Board of Advisors and helped evolve PCI Data Security Standards
- ISO 27001 Certification Announcement
Security Incidents:
- (2021-12) A former Block (Square) employee accessed Cash App Investing reports after employment ended, exposing full names, brokerage account numbers, and portfolio data for approximately 8.2 million current and former customers. Disclosed April 2022.
- (2023-09) Multi-hour system outage affected merchants; forensic analysis ruled out cyberattack – no data breach confirmed.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO and permissions | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag `content-outdated`
- Propose new controls: Open an issue with tag `new-control`
- Submit improvements: See Contributing Guide