

Accept Credit Cards with Square? You are NOT PCI Compliant!

POSTED BY: Rhett Baylies
Square is not within the new PCI compliance guidelines.  Find out more here.


Square cannot claim to be PCI compliant.

Square, the innovative product and brainchild of Twitter co-founder Jack Dorsey, can no longer claim to be PCI compliant.

Square has maintained on their website that their device and service fall within PCI compliance guidelines and are a safe way to process credit card payments. The PCI DSS best-practice guidelines are established by the PCI Securities Council, which had to revise its standards to accommodate this rapidly changing new technology. The PCI compliance standards, or best practices, are intended to protect consumers from credit card fraud and identity theft.

What is Square?

Square is a credit card reader that plugs into the headphone jack on your smartphone and turns your phone into a credit card terminal without the need for a traditional merchant services account. It is intended to allow individuals and businesses to accept credit cards with minimal effort and expense. To make a sale, the merchant or individual simply swipes the credit card through the card reader, and the information is sent to a simple mobile application downloaded from the Android or iTunes Marketplace, at which time it is encrypted and sent for authorization.

Why Does Square claim to be PCI Compliant?

PCI DSS guidelines can only cover current technology, and when Square came to the marketplace, mobile payment technology of this sort did not exist. Since Square’s introduction, the mobile payment marketplace has experienced unprecedented growth and development, which has made it nearly impossible for new products and payment methods to be fully assessed by the DSS council. Square was considered compliant under the previous version of the PCI DSS guidelines; however, since mobile payment technology did not exist when those policies were created, Square did technically fall within the standards.

Under the latest version of the PCI Compliance Guidelines, however, all devices are now mandated to be “end to end” encrypted, meaning that when a credit card is swiped, the data must be encrypted before it is transmitted in any way. No sensitive information may be stored for any amount of time during the transaction. These requirements previously applied only to PIN pad terminals.

How do the New PCI Compliance Regulations Affect Square?

Since credit card information is not encrypted while the card is swiped through the reader, the transaction has a major security weak point: it is very easy to skim sensitive data directly from the card reader before it is sent to the mobile application. This makes the Square card reader easy to turn into a card skimming device with minimal technical knowledge. If Square wants to offer a PCI compliant device, its only option is to rebuild the credit card reader so that it encrypts credit card information during the card swipe, before the data is sent to the mobile application.
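A defender-side check for the gap described above, as an added example that is not part of the original post: it scans the bytes a card reader hands to the mobile application for cleartext ISO/IEC 7813 track data or a Luhn-valid card number. The sample frames are constructed (using the well-known test number 4111111111111111), and the function names and frame layouts are this example's own assumptions.

```python
import re

# Cleartext magnetic-stripe layouts (ISO/IEC 7813). Bytes patterns keep
# \d limited to ASCII digits, so binary ciphertext cannot confuse them.
TRACK1 = re.compile(rb"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})")
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers, timestamps and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_card_data(payload: bytes) -> list:
    """Return one finding per cleartext card number seen in reader output."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", BARE_PAN)):
        for m in rx.finditer(payload):
            pan, offset = m.group(1).decode("ascii"), m.start(1)
            if offset in seen or not luhn_ok(pan):
                continue
            seen.add(offset)
            findings.append({"kind": kind, "offset": offset, "pan_masked": mask(pan)})
    return findings


def reader_output_is_safe(payload: bytes) -> bool:
    return not find_cleartext_card_data(payload)


# Constructed sample: what an unencrypted reader would pass to the app.
CLEARTEXT_FRAME = (b"%B4111111111111111^DOE/JANE^3012101000?"
                   b";4111111111111111=3012101000?")
# Constructed sample: opaque bytes standing in for ciphertext, plus the
# masked card number an encrypting reader may expose for the receipt.
ENCRYPTED_FRAME = (b"\x02" + bytes(range(0x80, 0xC0))
                   + b";411111******1111=3012?\x03")

if __name__ == "__main__":
    for name, frame in (("cleartext", CLEARTEXT_FRAME), ("encrypted", ENCRYPTED_FRAME)):
        print(name, "safe" if reader_output_is_safe(frame) else find_cleartext_card_data(frame))
```

Run against captured reader output in a test environment, a non-empty result means card data is reaching the phone unencrypted.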

How Does this Affect Square Users?

Being non-PCI compliant is more serious than many small business owners and individuals may realize. Users of a non-PCI compliant device could be open not only to lawsuits but can also be held personally liable for any and all costs associated with data breaches that result in credit card fraud. In addition, businesses could be putting their customers at risk. For more information on why PCI compliance is important, visit our post on 5 Reasons why you should care about PCI Compliance.

Credit card terminal producer VeriFone criticized Square as irresponsible when it was revealed that Square's credit card reader was not encrypted. In response, Square said that their processing practices were PCI compliant (at the time) but that they were looking into creating an encrypted credit card reader. They did not indicate any deadline or prediction for when the encrypted card reader would be released. The new industry-wide PCI regulations are sure to force Square to step up their game.

How do you protect yourself and your business if you currently use Square?

The mobile payment marketplace is growing at an exponential pace compared to other sectors of the payments industry, which is great news if you are a Square user and wish to have a more secure device. Square’s success in offering a simplified merchant services account to individuals as well as businesses was unprecedented. There are now many competing devices, many of which are associated with traditional merchant services accounts. A majority of these services are offered with a mobile credit card reader that meets the new PCI standards.

The Merchant Doctor, however, has a program developed to compete directly with Square that allows individuals and businesses to accept credit cards.

The application process takes just 3 minutes, and the card reader is offered for free with no contract, no minimums, and no fees. The mobile application is incredibly feature rich, with more options and user-friendly features than those offered by Square. The Merchant Doctor solution is end to end encrypted, keeping your business and your customers safe and secure while expanding your sales and profits. For more on the features and benefits of the Merchant Doctor solution, check out 13 Things That you will Love About Phone Swipe.

Here is a quick graphical comparison of the services offered by Square vs the Merchant Doctor’s mobile solution to accept credit cards:

If you have any questions or would like more information on what a mobile payment credit card processing solution could do for your business, or on the Merchant Doctor’s mobile payment solution, contact us; we will be happy to advise. You can find our application to accept credit cards on your iPhone, iPad, or Android device here.

About the Author: Rhett Baylies

After over 17 years in the service industry, not only as an employee but also as a business owner and corporate manager, Rhett decided to start his career in the payment industry with the vision of providing good, honest service at a fair price. Rhett now applies his years of service-focused business to his daily routine and looks forward to revolutionizing the way you look at your processing statement for many years to come.

Daniel Bowlin | November 27 2011

I am working on a presentation for small businesses in my area that will help educate them on options for their current POS systems. When we first began this presentation, we came across a concern with retailers over the compliance of Square, and Intuit’s GoPayment. From what I have gathered from this website, it seems as though you all offer a product that meets the additional needs that Square does not. Given the current state of Square’s lack of compliance, how can you help me to sell this technology to small business owners in my area, and help convince them that they will be protected with your product, thus relieving them of the stress of not being PCI compliant.

Thank you,

Daniel Bowlin

If a phone call would help me to understand this information better, please send me a number that will allow for me to talk with an informed rep regarding the previous questions.

Also, any other links that can be provided will be much appreciated.

Rhett Baylies | November 28 2011

Hi Daniel-

Great questions.  Yes the Phone Swipe is fully “end to end” encrypted and does meet all the PCI DSS equipment requirements.  Let me start by saying that the PCI Compliance validation requirements depend on the account type the business owner decides on. 

With the “Pay as You Go” option there are NO PCI fees or validation needed.

If the merchant would benefit from a “High Volume” standard merchant account (generally if they process more than $3500/month) then the usual PCI compliance validation requirements do apply.

To ease the burden and confusion of maintaining PCI compliance, The Merchant Doctor and NAB have continued our partnership with ControlScan, a leading provider of compliance and security services, and to expand our comprehensive Compliance Program, including access to our website:

In addition to the full-featured program, The Merchant Doctor and NAB are continuing our Breach Protection Program to assist our merchants and help allay their fears of a breach.  For those merchants who successfully complete their applicable PCI compliance requirements, the Breach Protection Program will cover up to $25,000 in merchant fines, assessments and related expenses attributable to a qualified PCI data breach (some restrictions may apply). While this program is clearly not an insurance program, it shares one important objective – to help protect against the unexpected. 

I hope this helps to address your concerns.  If you would like to discuss your PCI questions further or to discuss the affiliate and agent options we offer feel free to contact me directly at 775-745-1087

Ray Do | April 17 2012

I understand that Phone Swipe also assesses a transaction fee per transaction.  Is this true?  If so, what are these fees and why aren’t they included in the comparison above?  Are there any other fees, costs, assessments, etc. associated, at any time and/or under any circumstances, with the use of Phone Swipe?

Lastly, while perusing Phone Swipe’s companion MyBizPerks site, I notice that nowhere does it list the pricing of either their Bronze, Silver or Gold level of services.  Why? What are these prices?



... Ray

Rhett Baylies | April 18 2012

Hi Ray- Thank you for your questions, we appreciate it.  This particular blog was solely intended to address the fact that Square is not a PCI compliant device and that it is much safer to use a more safety conscious product, like the Phone Swipe.  When it comes to rates and fees, PhoneSwipe is essentially the same as Square since the per swiped transaction fees have been dropped.  The rates are as follows:
Swiped Transactions 2.69%
Manually entered trans 3.49% and $0.19/transaction
NO monthly
NO Minimums
NO annual
NO Contract
the card reader is FREE.

MyBizPerks is a site designed for holders of traditional merchant accounts, however, our No Contract PhoneSwipe account holders are provided a Bronze account which allows them to log in and utilize the reporting tools for FREE.

I hope that answers your questions.  Feel free to write me directly at .(JavaScript must be enabled to view this email address) if you have further questions and thanks again.

Bruce Alborn | April 27 2012

What about annual or monthly pci dss fees?
What about quarterly avs scanning fees?
How are you assured the merchant is pci dss compliant?

Rhett Baylies | April 27 2012

Hi Bruce - Thank you for your questions we appreciate it. 
1.  The annual PCI with our preferred provider ControlScan is $79 for standard merchants, however, with our No Contract No Fees PhoneSwipe accounts the PCI Compliance Fee and survey are FREE.
2.  Quarterly scanning is included in the annual PCI fee and is only necessary if processing over IP.
3.  Unfortunately at this time there is no way for a consumer to see if a merchant has taken the necessary steps to protect their customers.  This has been a subject of discussion and in the future I believe that a PCI certification display will be created.  That being said at this time it is 100% certain that any Square user is not and cannot be PCI compliant.

Thanks again Bruce feel free to contact me directly at .(JavaScript must be enabled to view this email address) if you have further questions!

Rhett Baylies | May 04 2012

NEW PRICING ALERT!!! In the above graphic please note that the PhoneSwipe has gotten even better with new lower rates! They are as simple as it gets:

Swiped Transactions are 2.69% with NO transaction fee

Manually Entered Trans. 3.49% and $0.19/transaction

NO contract

NO Minimums

NO Fees

Free Card Reader

Remember if you process more than $5000/month you may benefit from our High Volume rate plans!

Diane | June 12 2012

Hi Ray,

How long will it take for the transactions to be credited to my account?

Rhett Baylies | June 13 2012

Hi Diane-

Thank you for your question Diane.  Generally it takes about 2 banking days for your account to be funded with your transactions.  Feel free to contact us if you have any other questions or concerns!


Aaron Zamost | October 09 2012

This article is wrong. Square is PCI-DSS Level 1 compliant. Square’s card reader is fully encrypted, encrypting credit card information at the moment of swipe.

More information about Square’s card reader is here:

Additional information about Square and security is also available in Square’s help center:

david Abron | October 09 2012

Well, actually @ Aaron… you are only partially correct… The App for Square is PCI/DSS compliant… and yet the swiper mechanism is 100% NOT Compliant.  So, if someone were to be mischievous, they could use the Square card reader to capture CC Holder data and use it for evil purposes… That coupled with the fact that Square offers lousy customer support and NO LIVE support is all the reason that I would not use it… In fact, if a merchant brings out a Square device, I don’t even let them swipe my card!

Jon | November 28 2012

Can I use this device to encrypt the credit card swipe and then feed the encrypted value into a webpage text field?  I’m writing a mobile website that is designed to look like a mobile app.  I’d like to be able to swipe credit card and send encrypted data to my server and then my server can then send this encrypted string to phone swipe mobile for processing if possible.

thanks for help,


Rhett Baylies | November 28 2012

Hi Jon and Thank You for your question.  Unfortunately no the Phone Swipe app is not integrable with a mobile app/website, however, the Merchant Doctor does have a virtual terminal that can seamlessly integrate for your needs that we can provide you absolutely free.  If you would like more information simply give us a call or email me directly at .(JavaScript must be enabled to view this email address).  We look forward to hearing back from you.

Janice | April 01 2013

Does your product provide transaction reporting by card holder name or just CC# which is not helpful as we do not store that information?

How can I demo the available reporting?

Can I call someone to ask about how to set up an account and who is authorized to set up an account for a company?

Rhett Baylies | April 01 2013

Hi Janice-

Thank you for your questions. 

You do get detailed real time reports for your transactions, however, there will be no consumer data associated with each transaction.  You will be able to capture their email address and email both your customer and yourself automatically for each transaction so you will be able to track your specific customers that way.

You can access your report features 2 ways either via the app within your mobile device or via our merchant portal on any computer with an internet connection.

Of course you are welcome to contact me directly at 775-745-1087 to schedule a time to set up your account OR you can complete the simple and secure 3 minute application here: 

We look forward to working with you!

Sushi Fish | June 07 2013

IMHO, these new requirements for end to end encryption are really a burden that should be borne by the bank card vendors themselves (i.e. Visa, MC, Discover, etc).
The DSS council has finally determined that they need this end to end encryption, why don't they issue cards that have the data already encoded on the cards themselves???
Also, why are they not using smart chips in the US?
Instead, they put the burden on the payment processors and end merchants.

M Sullivan | January 10 2014

With PCI 3.0 I understand that at retail environments the waiter has to swipe the credit card in view of the cardholder.  The waiter in a restaurant for example can’t take the credit card and walk off to swipe it at a terminal which is out of view of card holder. Is this correct?

Rhett Baylies | January 10 2014

Hi M Sullivan-

Thanks for the great question.  PCI 3.0 came out in November with some minor enhancements mostly focused on education and app development with a focus on reminding merchants that PCI is not just a once a year pain in the a$@ but something that is a part of daily operations.  With that being said I have not seen any verbiage that would indicate that restaurants are now required to accept payments in a face to face environment.  That would seem to be an extreme requirement that a vast majority of restaurants would not be able to comply with - without significant investment.  If your restaurant is interested in accepting payments and placing orders table side, however, we do have a great and amazingly affordable solution!

Thanks again!

Rhett Baylies | January 10 2014

Hi M Sullivan-

This Document from the PCI council may be of assistance to you in understanding the changes so you can adapt your POS.

Steve | January 27 2014

This may have been true… however it is not anymore.  The swiper on Square encrypts the data on the white device and then processes encrypted to the web.

Rhett Baylies | January 28 2014

Hi Steve-

Yes Steve you are correct as I have acknowledged, however, the entirety of the rest of the article is accurate.  The card reader is still the most defective on the market, there are still thousands of un-encrypted card readers on the market that the public has the right to know about, and the mere lack of due diligence on the behalf of Square, in my opinion, demonstrates a total disregard for the safety of businesses and card users.  This mentality shows in their lack of service and thousands of severe complaints.  The pressure from these complaints and VS/MC stepping in are the only reasons they now have encrypted card readers.

Wouldn’t you rather do business with a company that has always had the needs and safety of its clients and card users at the top of their list?  A company with live U.S. Based 24/7 customer support?  A company that gives your business a unique account rather than mingling your business’ money with that of hundreds and thousands of other accounts?

With the recent problems that major national retailers (like Target) have had I would think that security and customer protection should be the main focus of any payment provider.

NoneYa | May 11 2015

Soooo, having read every comment in the article, I did not see a single mention by you or one of your staff that acknowledged that the device from square encrypts at the swipe until this last message, yet you say that you mentioned it before and then go on to describe their horrible service, etc…

Personally, if I were in the market, and I might be, I would run from a company that puts a blog post out there like this and leaves it up when it is no longer true.

True that someone is not going to do their research and buy your product over Square’s, but that is a pretty sleazy way to get a sale…

And no, I do not work for, with or have any connection to square.

Rhett Baylies | May 11 2015

Hi NoneYa-

We featured this blog in many locations throughout the net and do mention that Square did finally UNDER FEDERAL PRESSURE release an encrypted card reader.  Personally I do not see how exposing them and their willingness to put merchants and the general public in harm's way is in any way “sleazy”.  I think it speaks directly to their intentions.

Yes, NOW they have an encrypted card reader but they are still aggregating accounts, outsourcing service, and using misleading advertising.

This blog post is being left up because we believe it is important for merchants who are truly interested in educating themselves to understand the lack of foresight (or care) that Square has exhibited.  They had a brilliant idea that revolutionized the way small merchants do business but executed it poorly and with total disregard to security.  Personally I would not want to do business with someone like that.


Michelle | August 06 2015

What are the “special rates” you offer for high volume—say $15,000/mo. With average swipe at $12-$15.
While your and Square's convenience and lack of upfront costs are attractive compared to investing in a traditional POS hardware system, I find the merchant processing rates high.

Rhett Baylies | August 06 2015

Hi Michelle-

Thank you for your question!  It is a good one.  I agree the “flat rate” processing options that are available are really great for merchants doing less than $5-7,000/month, however, if your business does more than that - you are better off with our low interchange plus pricing.  Our rates on using the phone swipe are as follows:

Interchange Plus 25 basis points (0.25%)

We also offer free tablet programs and many other options for your POS needs.  Feel free to contact me directly at .(JavaScript must be enabled to view this email address) or call 800-705-8090 and I am happy to answer all your questions and concerns

Squared Down | May 27 2016

The writer is ALMOST correct.
If Square Inc. was not PCI compliant, they would receive $10,000 fines for every violation, every day, that is obviously not happening.
The reality is, Square Inc. may be PCI compliant,
but are their customers also PCI compliant…
