
PCI DSS compliance guide

Learn what you need to do to comply with PCI DSS 3.2.1.

The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.

This document should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.

Introduction to PCI DSS

PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that, when implemented correctly, help you protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you maintain your shoppers' trust.

As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that don’t comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.

Before you continue, it's important to understand that:

  • PCI DSS applies solely to the people, processes, and technology that collect, store, process or transmit cardholder data, known as the Cardholder Data Environment (CDE).
  • PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate their compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.

Adyen's role in PCI DSS compliance

Implementing PCI DSS in your business can be daunting, especially if you don't have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions—you never see and never have access to unencrypted cardholder data.

When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Adyen. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Adyen does not completely eliminate your PCI scope.

  • Adyen's responsibility: Adyen is responsible for the security of cardholder data only from the moment Adyen receives the data through the relevant payment interface. After Adyen receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.
  • Your responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches Adyen. Depending on your integration, you also have to comply with cardholder data storage requirements.

Adyen is a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually.

Validating your PCI DSS compliance

If you are accepting credit card payments, you have to validate your PCI DSS compliance annually. You can validate your compliance either by:

  • Completing a Self-Assessment Questionnaire (SAQ). You can use this option if you process less than 6 million transactions per acquiring region per year.
  • Engaging a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you.

The requirements are the same and the same assessment is performed for both options. The only difference is that you complete the SAQ on your own, while the RoC is completed by a QSA.

Results of the assessment must be included in an official PCI SSC validation document and then provided to Adyen. If you are using one of our encrypted solutions, we may contact you on an annual basis to complete a Self-Assessment Questionnaire using DocuSign.

The specific PCI DSS requirements applicable to you depend on how you process payments and on the Adyen integration you use. Refer to the Online payments, Mobile in-app online payments, and Point of sale sections below to know which requirements you need to comply with.

Online payments integration

Select your Web online payments integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:

* The validation requirements below are based on Adyen’s acceptable risk profile for each integration type. These may differ from what other acquirers require.

Required document: Self-Assessment Questionnaire A

Integration: You use Adyen's Drop-in or Components to embed a web page within your website using an IFrame. The solution can either be a collection of components combined together in a single IFrame (Drop-in), or individual components in multiple IFrames (Components).

The content of the embedded IFrames is isolated from your web page and the cardholder data is encrypted on your shopper's browser. You do not have access to decryption keys, thus you do not have access to your shoppers' cardholder data.

Possible risks | Low: This integration type may still be susceptible to data compromises by malicious actors. If an attacker gains unauthorized access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker.

Mitigating the risks: The risks associated with this integration can be significantly reduced by making sure vendor-supplied usernames and passwords are not used within your environment, software is patched as soon as released, and strong passwords and unique user IDs are used.

Validation document and requirements: Adyen requires that you assess your PCI DSS compliance according to Requirements 2, 6, 8 and 12 of the Self-Assessment Questionnaire A (SAQ A).

Required document: Self-Assessment Questionnaire A

This is a Classic integration and Adyen no longer offers this integration to new merchants.

Integration: You generate the payment form on your website where shoppers submit their payment details. Cardholder data is encrypted on your shopper's browser, sent to your server, and then transmitted to Adyen. The CSE solution works with a JavaScript library, which can be hosted by either yourself or Adyen.

Possible risks | Medium: Because you provide the payment form and you can host the CSE library, your systems are in scope for additional PCI DSS controls. The chances of your system being compromised when using Adyen's CSE integration are potentially higher because you serve the payment form to your shopper. Malicious actors could potentially change your self-hosted CSE JavaScript library and steal your shoppers' cardholder data.

Mitigating the risks: The risks associated with this integration can be significantly reduced by making sure vendor-supplied usernames and passwords are not used within your environment, software is patched as soon as released, and strong passwords and unique user IDs are used.

Validation document and requirements: Despite presenting more risks compared to Pay by Link, Drop-in, and Components—but because you cannot decrypt the cardholder data when using CSE integration—Adyen only requires that you assess your PCI DSS compliance according to Self-Assessment Questionnaire A (SAQ A).

Required document: Self-Assessment Questionnaire D

Integration: You build your own UI and use only our APIs. This integration is commonly used when you want to be in full control of the payment flow. The checkout page is hosted, served, and controlled by you. You receive cardholder data from your shopper's browser, process the data, and then send the raw card data to Adyen over Transport Layer Security (TLS 1.2 or higher), according to PCI DSS requirements.

Possible risks | High: This integration requires a wider PCI DSS scope as your system receives, transmits, and potentially stores and processes cardholder data—giving you full control of the payment flow and the payment data. A malicious actor that successfully compromises your website or your systems will potentially be able to access large amounts of cardholder data.

Mitigating the risks: The risks associated with this integration are considered higher, since you're completely in control over the collection, transmission, and optional storage of cardholder data. Consequently, you'll have to comply with all eligible PCI DSS requirements, because these functions are not outsourced to Adyen.

Validation document and requirements: To mitigate the risks associated with this integration, Adyen requires that you assess your PCI DSS compliance according to Self-Assessment Questionnaire D (SAQ D), the most extensive form of self-certification. Because SAQ D is the default catch-all SAQ, there may still be parts of it that are not applicable to your environment. We recommend that you ensure that you have sufficient resources and capacity to handle this level of security.

ASV Network Scan: Because your network is included in or connected to the cardholder data environment, you are also required to perform quarterly external vulnerability network scans. These scans have to be performed by an Approved Scanning Vendor (ASV). They are conducted over the internet as a remote service and do not require on-site presence to execute.

* Approved Scanning Vendors Program Guide

Additional reading

Mobile in-app online payments integration

Select how you implemented your iOS or Android integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:

Required document: Self-Assessment Questionnaire A

Integration: Your app generates the payment form using Adyen’s Drop-in or Components solution, and the shopper submits their payment details. Cardholder data is encrypted in the app, sent to your server, and then transmitted to Adyen. The Drop-in or Components solution works with a native library, which is embedded in your mobile app.

Possible risks | Low: Since the Drop-in and Components native library is implemented in your app and not on a public website, the risks associated with your integration are comparatively low. While malicious actors are not able to target the majority of your app users, since the app runs on individual devices, they could still potentially target security vulnerabilities of a specific mobile device.

Mitigating the risks: The risks associated with this integration can be significantly reduced by making sure vendor-supplied usernames and passwords are not used within your environment, software is patched as soon as released, and strong passwords and unique user IDs are used.

Validation document and requirements: Because you cannot decrypt the cardholder data when using this integration, Adyen requires that you assess your PCI DSS compliance according to Requirements 2, 6, 8 and 12 of the Self-Assessment Questionnaire A (SAQ A).


Required document: Self-Assessment Questionnaire D

Integration: You build your own UI and use only our APIs. This integration is commonly used when you want to be in full control of the payment flow. The payment form is hosted, served, and controlled by you. You receive cardholder data through the app, which you can optionally store, and then you send the raw card data to Adyen over Transport Layer Security (TLS 1.2 or higher), according to PCI DSS requirements.

Possible risks | Medium: This integration requires a wider PCI DSS scope as your system receives, transmits, and potentially stores and processes cardholder data—giving you full control of the payment flow and the payment data. While malicious actors are not able to target the majority of your app users since the app runs on individual devices, a malicious actor that successfully compromises your systems will still potentially be able to access large amounts of cardholder data.

Mitigating the risks: The risks associated with this integration are considered higher, since you are completely in control over the collection, transmission, and optional storage of cardholder data. Consequently, you'll have to comply with all eligible PCI DSS requirements, because these cardholder data functions are not outsourced to Adyen.

Validation document and requirements: To mitigate the risks associated with this integration, Adyen requires that you assess your compliance using a Self-Assessment Questionnaire D (SAQ D), the most extensive form of self-certification. Because SAQ D is the default catch-all SAQ, there may still be parts of it that aren’t applicable to your environment. We recommend that you ensure that you have sufficient resources and capacity in order to handle this level of security.


Point of sale integration

When implementing a Point of sale integration, you have the option to use either our default End-to-End Encryption (E2EE) solution or Point-to-Point Encryption (P2PE). Select the encryption standard below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:

If you are using our Point of sale integration, you only have to provide Adyen with Self-Assessment Questionnaire B-IP if you process over 1 million card-present transactions annually.

Integration: The payment terminals provided by Adyen are all PTS-approved Point-of-Interaction (POI) devices. Adyen's POS integration has been designed to reduce your PCI DSS scope as much as possible through End-to-End Encryption (E2EE). None of your systems, including payment tills, receive cardholder data in unencrypted forms.

Possible risks | Low: Adyen ensures End-to-End Encryption and is responsible for the security of your shoppers' cardholder data as soon as we receive the data through the POI device. However, the risks for POS integration are related to the physical security of the POI device: the payment terminal. Malicious actors can tamper with or replace payment terminals.

Mitigating the risks: Risks associated with this integration, such as skimming attacks, can be significantly reduced by implementing policies and procedures to periodically inspect devices and confirm that surfaces have not been tampered with and seals have not been broken. Personnel should also be trained to recognize attempted tampering or replacement of devices.

Validation document and requirements: If you process over 1 million card-present transactions annually, Adyen requires you to assess your PCI DSS compliance according to Requirements 9.9 and 12 of the Self-Assessment Questionnaire B-IP (SAQ B-IP).


If you are using our Point of sale integration with Point-to-Point Encryption (P2PE), you are required to implement all the requirements in the P2PE Instruction Manual (PIM).

Integration: The payment terminals provided by Adyen are all validated and listed P2PE-approved solutions. The cardholder data is encrypted from the point of interaction until it reaches Adyen’s secure decryption environment, ensuring that you do not have access to clear-text cardholder data on any systems.

Possible risks | Low: Adyen ensures P2PE and is responsible for the security of your shopper’s cardholder data as soon as we receive the data through the Point-of-Interaction (POI) device. However, the risks for POS integration are related to the physical security of the POI device: the payment terminal. Malicious actors can tamper with or replace payment terminals.

Mitigating the risks: Risks associated with this integration, such as skimming attacks, can be significantly reduced by following the requirements in the P2PE Instruction Manual (PIM). The PIM instructs you to, for example, periodically inspect devices, maintain records for auditing purposes, and monitor the physical environment in order to prevent unauthorized removal or substitution of devices. Personnel should also be trained to recognize attempted tampering or replacement of devices.

Validation document and requirements: Adyen requires you to assess your PCI DSS compliance according to Requirements 9.9 and 12 of the Self-Assessment Questionnaire P2PE (SAQ P2PE) or of the AoC for P2PE.


Service Providers

As Adyen processes your payments, Adyen is regarded as a Service Provider. Merchants will often engage with a number of different service providers for a variety of reasons. For example, you could engage a service provider to perform recurring payments, provide shopping cart solutions, or facilitate subscription billing. By using service providers, you are transferring parts of your PCI DSS obligations to them.

To carry out outsourced functions, service providers need access to your shoppers' cardholder data, making their PCI DSS compliance vital. When engaging a service provider, you are responsible for:

  • Making sure that the service provider is PCI DSS-compliant regardless of the type of service they are providing.
  • Identifying the functions each service provider is performing.
  • Ensuring that the service providers acknowledge their PCI DSS responsibilities.

Adyen has a trusted list of partners, which includes: Zuora, VTEX, Recurly, and PCI Proxy. Refer to Adyen's partner page for our complete list of partners.

Requirements when using a Service Provider

If you are using a Service Provider who has access to your shoppers' cardholder data, you are outsourcing part of your PCI DSS responsibilities. You are required to:

  1. Ask your service provider for their Service Provider's Attestation of Compliance.
  2. Ensure that the service provider is registered with the schemes and is listed on Visa’s Global Registry of Service Providers and Mastercard’s Compliant Service Provider List.

After you have collected your Service Provider's AoC and verified that they are registered with the schemes, you then need to provide Adyen with:

  1. Names of the service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
  2. The Service Provider's Attestation of Compliance.

The use of service providers does not relieve you of the ultimate responsibility for your own PCI DSS compliance. You must manage the relationship with the service provider as described in PCI DSS requirement 12.8, including listing all the service providers you use, maintaining agreements and acknowledgement of responsibilities, carrying out due diligence prior to engagement, and monitoring the service provider’s PCI DSS compliance status (by requesting their AoC every year).

PCI DSS Glossary

  • AOC – Attestation of Compliance - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC).

  • ASV – Approved Scanning Vendor - A company approved by the PCI SSC to conduct external vulnerability network scanning services.

  • CDE – Cardholder Data Environment - The people, processes and technology that collect, store, process or transmit cardholder data.

  • CHD – Cardholder data - At minimum, cardholder data consists of the full PAN (Primary Account Number), optionally accompanied by the cardholder name, expiration date and/or service code.

  • PCI DSS – Payment Card Industry Data Security Standards.

  • PCI SSC – Payment Card Industry Security Standards Council.

  • POI - Point of Interaction - The initial point where cardholder data is read from a card, typically a payment terminal.

  • PTS - PIN Transaction Security - A set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals.

  • QSA – Qualified Security Assessor - A company that is qualified by the PCI SSC to perform PCI DSS onsite assessments.

  • RoC – Report on Compliance - Report documenting detailed results from an entity’s PCI DSS assessment.

  • SAD – Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID and CVV2.

  • SAQ – Self-Assessment Questionnaire - Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

  • TLS - Transport Layer Security - A network communications protocol designed to provide data secrecy and data integrity between two communicating applications. TLS is the successor to SSL.
