Inspection of Point of Sale Application
The Square POS application provides its own internal integrity verification processes. Ensure you are using the
latest version of the app by checking your native application store. The SPoC-enabled application will show
“SPoC version 1.0” under Support -> About -> Application.
Automatic Tamper Response
The Reader may identify certain events as attempts to tamper with its operations to alter its inner workings. If the
Reader identifies a tamper event, it will erase the encryption key material it contains and become inoperable.
The Reader is rated for normal operation, and any of the scenarios below may be treated as tampering with the
device and cause it to become inoperable:
● Temperatures outside the range of 0 to 40 degrees Celsius
● Voltage greater than or less than 5V input when charging the device via USB
● Any attempt to open/disassemble/take apart the Reader or access parts inside
The Reader is intended to be fully charged once a year. If the Reader’s primary battery is fully discharged and
left for more than a year without a recharge, it may become inoperable.
The Seller can detect if a tamper event has occurred by connecting the Reader to an approved mobile device
with the Point of Sale application installed. Opening the Point of Sale application will notify the Seller if the
device has experienced a tamper event.
If the Reader experiences one of the above tamper events, Square will reach out to the Seller and communicate
as appropriate how to return the Reader to Square for secure disposal and replacement.
Software Development Guidance
The Reader is designed for use with Square products and applications, and does not work with other
applications. All code is developed, written, and managed by Square. Square developers must refer to the
Software Engineering and Vulnerability Management Procedures when developing new software for Readers.
Encryption and key management
The Reader is only intended for use with other Square applications and services. Square performs all key
management, key loading, and acquiring. Attempts to operate the Reader with any other key loading, acquirer,
or key management will render the device inoperable. In addition, use of the Reader with different key
management systems will invalidate the PCI approval of this device.
All of the cryptographic keys used by the Reader to protect the confidentiality and integrity of sensitive data are
injected at the time of manufacture using a Square-proprietary protocol. The keys are stored within the Reader’s
secure boundary, and are protected from both disclosure and modification; such protection is achieved with a
key-encrypting key that meets the PCI PTS key strength requirements. Sensitive data is encrypted by a unique