Overview
Square is a comprehensive commerce platform that provides payment processing, point-of-sale systems, and financial services for businesses of all sizes. On the web, Square's scripts appear when merchants embed Square's hosted payment forms, checkout flows, or online store components into their websites. These scripts handle the critical task of securely collecting and tokenizing payment card information, ensuring that sensitive financial data never touches the merchant's servers directly.
For website operators accepting payments through Square, these scripts are not optional enhancements — they are the payment infrastructure. Without Square's scripts, card transactions cannot be processed. The scripts operate within a PCI-compliant iframe environment that isolates payment data from the rest of the page, meeting the stringent security requirements of the Payment Card Industry Data Security Standard.
What This Script Does
Square's payment scripts handle secure transaction processing through several mechanisms:
- Payment form rendering: Embeds Square's hosted payment fields (card number, expiration date, CVV) within an iframe on the merchant's checkout page. The iframe isolation ensures the merchant's JavaScript cannot access raw card data.
- Card tokenization: When the customer submits payment information, Square's scripts convert the raw card data into a secure, single-use token (nonce) that the merchant's server uses to complete the charge via Square's API. The merchant never handles raw card numbers.
- Fraud prevention: Collects device fingerprint data, session signals, and behavioral indicators to feed Square's fraud detection systems. This includes browser characteristics, IP-derived geolocation, and interaction patterns that help distinguish legitimate transactions from fraudulent ones.
- 3D Secure authentication: When required by the card issuer or configured by the merchant, manages the 3D Secure (Strong Customer Authentication) flow, presenting additional verification steps within the payment interface.
- Digital wallet support: Handles Apple Pay, Google Pay, and other digital wallet payment methods through their respective browser APIs, managing the wallet authentication flow within Square's secure environment.
- Session cookies: Sets cookies necessary for maintaining the payment session state, linking the tokenization request to the merchant's Square account, and supporting fraud prevention across the transaction lifecycle.
Consent & Compliance
Square's payment processing scripts are essential for completing financial transactions on merchant websites. Under GDPR, ePrivacy Directive, and virtually all privacy frameworks, scripts that are strictly necessary for completing a transaction explicitly requested by the user are exempt from consent requirements.
The cookies and data collection performed by Square's payment scripts serve two purposes that both qualify as essential:
- Transaction processing: The core payment tokenization and processing functionality cannot work without the scripts and their associated session management.
- Fraud prevention: The device fingerprinting and behavioral analysis performed by Square's fraud detection system is a legal requirement under payment processing regulations and a necessary security measure.
Website operators should still disclose Square as a payment processor in their privacy policy and link to Square's own privacy policy for transparency about how Square handles payment data. However, gating these scripts behind consent would prevent customers from completing purchases — an outcome that contradicts the customer's explicit intent to make a payment.
Should You Block This Without Consent?
No. Square's payment scripts are essential for processing financial transactions. They handle PCI-compliant card tokenization and fraud prevention, both of which are strictly necessary for the service the customer has requested. Blocking these scripts would make it impossible to accept payments.
Tracked Domains (2)
- squareup.com: Essential
- square.com: Functional
Frequently Asked Questions
Does Square's payment script require consent?
No. Square's payment processing scripts are essential for completing transactions customers have explicitly requested. Under GDPR and ePrivacy, scripts strictly necessary for processing a purchase are exempt from consent requirements. Gating them behind a banner would prevent payment.
What does Square's payment script do?
Square embeds PCI-compliant payment fields in an iframe to tokenize card data without the merchant ever handling raw card numbers. It also runs fraud detection using device fingerprint signals and behavioral indicators, and supports digital wallets like Apple Pay and Google Pay.
How does ConsentStack treat Square payments?
ConsentStack classifies Square's payment scripts as essential, meaning they load for all visitors regardless of consent status. No consent banner interaction is needed before the checkout form renders. This ensures payment flows are never blocked by consent state.