Happy to follow up! Take a look at the responses below:

1. Our security policies are designed to protect both you and your customers. As noted in our Support Center, if you're subject to HIPAA as a Covered Entity or Business Associate (as defined in HIPAA) and use the Services in a manner that causes Square to create, receive, maintain, or transmit Protected Health Information (PHI) on your behalf, then you agree to the HIPAA Business Associate Agreement (HIPAA BAA).

Square sellers are responsible for determining whether they are subject to HIPAA requirements and whether they intend to use the Services in connection with PHI. You can always learn more by visiting Square's HIPAA Business Associate Agreement.

2. Unlike traditional merchant companies, we don't require account holders to go through a complicated and expensive PCI compliance application. Square itself is PCI compliant, so we take care of it for you.

@ssouza - As for your 3rd question, what kind of information are you specifically looking for? We do keep a record of transactional information, as we're required to by federal regulations. Is this what you mean? 

Yes the Square PTS device is compliant, and its listed on the PCI website.

However merchants still need to fill out a PCI-DSS Self Assessment Questionaire (SAQ).

If the Square encrypts the Card Holder Data and sends it over the phone or iPad (IP based internet traffic), then I believe we would need to fill out a SAQ-B-IP if no Card Holder Data touches the iPad or smartphone.

Just becuase Square's PTS encrypts the data doesnt take it out of scope, please see:

Article URL: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-encrypted-cardholder-data-...

my next question for Square has to do with the Application it runs on the iPad.

Can you please provide any documentation about how the appication interacts with the Square PTS device

@DH007 - Appreciate the detailed question! Since Square handles PCI Compliance on behalf of our sellers, you won't need to take any additional steps. 

As a follow up, all Square Readers perform data encryption within the card reader, before it's even sent to the Square app on your device. Square doesn't retain payment card data on the mobile device or within the application. In addition, all information submitted to Square by our customers is encrypted and sent to our servers securely, whether you're using Wi-Fi or your device's data service. We also comply with the PCI-DSS standards. 

You can find Square listed as a secure service provider here. I'd also suggest checking out our PCI Compliance Checklist for 2016.

Hope this helps!

Hi @Sean, as a follow up. I understood the PCI requirements that if I have a site that hosts a form that takes in a credit card, but then forwards that over to another server (say by posting it or sending it through JavaScript - like the way you guys do it) I would still need to fill out the SAQ A-EP questionnaire. Or is it that since you guys are the bank in this case, you have the choice to make us the merchant be PCI certified or not, and you're saying we don't need to be.

Is that correct?

I just don't want to have to deal with PCI if I don't have to, and options like PayPal are enticing since they have a hosted form which requires just the SAQ A form, which is really minimal.

Thank you!

Hello @ericb I'm on Square's Governance team and I'm following up on Sean's note about PCI. As long as you implement and use Square according to our Terms of Service and our API/SDK instructions (if applicable), we've got you covered and we won't ask you to fill out any PCI questionnaires. Thanks!

I do not share any health information just credit card via swipe and my business name, so I think I am ok.  As a level one who makes less than 10,000 in transactions in a year do I need to do the SQA? questionairre and if so where do I obtain that?  I think I have the initials wrong.  Also How do I find the business agreement for HIPAA and PCI?

@ericb - Our PCI certification should have you covered, but I'm happy to double check with our Legal / Compliance Team. Please hang tight. 

@sassmeknot - As I mentioned above, Square sellers are responsible for determining whether they are subject to HIPAA requirements and whether they intend to use the Services in connection with PHI.

As a psychotherapist I am interested in Square's payment plan and Square appointments. Are all people who use square automatically granted a business associate agreement? Or must one request to have that status. some companies charge more when they offer a BAA. 

Thanks for your interest @Dan1001! Square isn't subject to HIPAA but facilitates your HIPAA compliance. You don't need to request or pay for a HIPAA Business Associate Agreement, you just need to agree to it! Hope that helps clarify.

If you have any other questions about getting started with Square don't hesitate to browse the Community or create a new thread!

@Helen: I don't understand how Square protects business' client data. i.e. Jotform stores it's HIPAA compliant data on a special server. What does Square do to faciliate the compliance? From the HIPAA article it sounds like all action taken should be on my behalf as a Square customer. How does Square protect the data, and is there anything I need to know about and do for the PHI to be transferred?

Hi @abfriesen , Square's Business Associate Agreement (BAA) includes our obligations and commitments for managing PHI that you share with us.  See our BAA here: https://squareup.com/us/en/legal/general/hipaa . You may have your own legal obligations as a HIPAA "covered entity" which are outside the scope of our BAA.

Thanks for the BAA, @Todd24. Does this need to be signed?

Hi @abfriesen , when you create a Square account and accept our Terms of Service, the BAA is included/accepted. Terms of Service are here: https://squareup.com/us/en/legal/general/ua  and you'll see specific mention of the BAA.  ---  When you set up your Square account, you should choose an appropriate merchant category such as Medical Services, Health Services, or Dental Services as applicable.