The way the Square API delivers JSON output makes it possible for an attacker to carry out a cross-site scripting (XSS) attack under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on HackerOne.
The initial releases from credit card provider MasterCard look to be more than a toe-dip into APIs. With its MasterCard Payments API and two others, the company could be diving straight into the deep end. Though the services are still in beta, MasterCard appears to be taking the creation of a developer ecosystem very seriously.