A Security Check At Square Ahead Of This Week's Launch

Earlier today, testers of the new mobile payment service, Square, got a scare.

Emails were sent out suggesting that users had changed their bank account information, and Square was emailing to let them know that the new account was verified. The only problem? These users didn’t actually change a thing. Obviously, this caused some concern, as did the note at the bottom of the email, “If you have not requested this change, please contact support@squareup.com.” After Square started receiving emails wondering what was going on, they sent out a second email letting users know that nothing was wrong, they were just tweaking the backend of the system, and forgot to turn off email notifications for current testers. “Your bank account has not been affected. Square, and your data, have not be compromised in any way,” the email read.

I spoke to co-founder Jack Dorsey tonight about the mix-up, and he assures me that this was in no way a breach of security. Obviously, people are on high-alert for these types of things given the news last week that some credit card information ended up on Google compliments of the startup Blippy. But today’s Square incident was just a poorly-timed email, nothing more.

Still, with Dorsey on the phone, and given the Blippy incident, I thought it would be a good time to talk a little bit security at Square. After all, the service is launching this week, Dorsey confirms.

I asked what information Square stores in its system. “The only numbers we store are bank account numbers, and those are never shown once you input them into our system,” Dorsey says. He goes on to note that these numbers are encrypted, and the only way to decrypt them (manually) is by way of a key they keep in a safety deposit box. Credit card information is never stored, Dorsey says. It’s not stored on the mobile device or on Square’s system, it’s simply passed through, he says.

Dorsey also notes that Square is PCI Level 1 compliant (PCI is a data security standard), and that the company must go through an audit with an independent auditor ever six months to ensure its security is perfect. All companies that handle credit card processing must do this, Dorsey says — and obviously, Square is no different. These audits not only check your system, but look at past transaction data to ensure that everything is in order.

In other words, Square has to have a level of security higher than most start-ups. Though, competitor VeriFone, of course, would still say that they’re more secure thanks to their merchant account system.

The reason Square accidentally sent out these emails today is because they are tweaking the backend of their system as they near the general public launch this week. Dorsey wasn’t sure exactly what day it would be, as it depends on when Apple approves the app in the App Store. There is already a version of Square live that works on the iPad, but this new version will be Universal — meaning it will work on the iPad, iPhone, and iPod touch.

These last two are the keys for the service. Square is all about empowering anyone to be able to take credit cards as a method of payment using only their mobile device. This works by way of a tiny card reader that plugs into the headphone jack on the device. These readers readers are now white, I’m told (the tester version we’ve been using at some TechCrunch events has been black), and they have a new spring that makes card readings much easier (you used to have to swipe a few times with the old black reader).

These readers will begin shipping out this week when the app is live in the App Store. Square is sending them out for free to anyone who signs up for an account — you’ll be prompted to visit Square’s site to do this once you download the app.

Look for Square in the App Store later this week. It will be a free download.