{"title":"PCI DSS compliance guide","category":"default","creationDate":1572958080,"content":"<div class=\"sc-notice info\"><div>\n<p><strong>PCI DSS v4.0.1 has been released<\/strong><\/p>\n<p><a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/PCI%20DSS\/Standard\/PCI-DSS-v4_0_1.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">PCI DSS v4.0.1<\/a> has replaced v3.2.1. Now, when you assess your compliance, you must use PCI DSS v4.0.1 documents.<\/p>\n<p>If you already completed a v4.0 document, you do not need to complete the v4.0.1 document. Your v4.0 document is valid until it expires.<\/p>\n<\/div><\/div>\n<p>The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.<\/p>\n<p>This document should be used only for guidance purposes and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.<\/p>\n<h2>Introduction to PCI DSS<\/h2>\n<p>PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that, when implemented correctly, help you protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you maintain your shoppers' trust.<\/p>\n<p>As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. 
Even though PCI DSS is not part of any law, the standard is applied globally and comes with significant penalties and costs for organizations that do not comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, on-site QSA assessments, and security updates.<\/p>\n<p>Before you continue, it is important to understand that:<\/p>\n<ul>\n<li>PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, collectively known as the Cardholder Data Environment (CDE).<\/li>\n<li>PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate its compliance with PCI DSS <strong>annually<\/strong> by completing one of the official PCI SSC validation documents.<\/li>\n<\/ul>\n<h2>Adyen's role in PCI DSS compliance<\/h2>\n<p>Implementing PCI DSS in your business can be daunting, especially if you do not have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions&mdash;you never see and never have access to unencrypted cardholder data.<\/p>\n<p>When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Adyen. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Adyen does not completely eliminate your PCI scope.<\/p>\n<ul>\n<li><strong>Adyen's responsibility<\/strong>: Adyen is responsible for the security of cardholder data from the moment Adyen receives the data through the relevant payment interface. 
After Adyen receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.<\/li>\n<li><strong>Your responsibility<\/strong>: You are responsible for making sure that cardholder data is secure and protected before the data reaches Adyen. Depending on your integration, you also have to comply with cardholder data storage requirements.<\/li>\n<\/ul>\n<div class=\"notices green\">\n<p>Adyen is a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/qualified_security_assessors\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Qualified Security Assessor (QSA)<\/a> annually.<\/p>\n<\/div>\n<h2>Ensuring compliance with PCI DSS v4.0.1<\/h2>\n<p>PCI DSS v4.0.1 was released on June 11, 2024. It has updates to existing requirements and introduces expanded requirements in key security and technology areas, such as:<\/p>\n<ul>\n<li>Mobile phones and tablets.<\/li>\n<li>Contactless payments.<\/li>\n<li>Cloud adaptation.<\/li>\n<li>New software development practices.<\/li>\n<li>Increased reliance on third-party services.<\/li>\n<\/ul>\n<p>To validate your compliance with v4.0.1 and review the requirements, refer to the relevant integration sections for <a href=\"#online-payments\">Online payments<\/a>, <a href=\"#mobile-in-app-online-payments-integration\">Mobile in-app online payments<\/a>, and <a href=\"#in-person-payments\">In-person payments<\/a>.<\/p>\n<h2 id=\"online-payments\">Online payments integration<\/h2>\n<p>Select your <a href=\"\/online-payments\">Web online payments<\/a> integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:<\/p>\n<p><span style=\"font-size: 12px;\"> The following validation requirements are based on Adyen's acceptable risk profile for each integration type. 
These may differ from what other acquirers require. <\/span><\/p>\n\n<div id=\"tabHmKeg\">\n    <div data-component-wrapper=\"tabs\">\n        <tabs\n                        :items=\"[{&quot;title&quot;:&quot;Drop-in \\\/ Components \\\/ Plugins&quot;,&quot;content&quot;:&quot;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required documents:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You must &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide\\\/saq-a-eligibility\\&quot;&gt;make sure that you have eligibility for SAQ A&lt;\\\/a&gt;. &lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You use Drop-in, Components, or a plugin that uses Adyen&#039;s &lt;a href=\\&quot;\\\/payment-methods\\\/cards\\\/web-component\\\/\\&quot;&gt;Card Component&lt;\\\/a&gt; to embed a web page within your website using an &lt;a href=\\&quot;https:\\\/\\\/developer.mozilla.org\\\/en-US\\\/docs\\\/Web\\\/HTML\\\/Element\\\/iframe\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;&lt;code&gt;iframe&lt;\\\/code&gt; element&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;p&gt;The content of the embedded elements is isolated from your web page, and the cardholder data is encrypted on your shopper&#039;s browser. 
You do not have access to the decryption keys, so you do not have access to your shoppers&#039; cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low-Medium:&lt;\\\/strong&gt; This integration type may still be susceptible to data compromise by malicious actors. If an attacker gains unauthorized access to your website, they can find ways to deceive the shopper. For example, attackers can replace the Drop-in or Components with look-alike content, or overlay their own iframe on top of the genuine one. In this scenario, the payment may still complete, but a copy of the cardholder data is also sent to the attacker.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration can be significantly reduced by doing the following:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;Making sure vendor-supplied usernames and passwords are not used within your environment.&lt;\\\/li&gt;\\n&lt;li&gt;Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of identified vulnerabilities.&lt;\\\/li&gt;\\n&lt;li&gt;Using unique user IDs and requiring strong passwords of at least 12 characters.&lt;\\\/li&gt;\\n&lt;li&gt;Implementing a security policy that includes an incident response plan and defines information security roles and responsibilities for all personnel.&lt;\\\/li&gt;\\n&lt;li&gt;Performing external vulnerability scans every 3 months. This is a new requirement in PCI DSS v4.0.1.&lt;\\\/li&gt;\\n&lt;li&gt;Ensuring that all other iframes loaded into your page follow security best practices, and that the entities loading them are PCI DSS compliant.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;Adyen iframes are designed to be isolated, which prevents browser-based malware from spreading to other elements of the webpage or network. 
Other iframes we load for additional payment methods or partners are vetted during our third-party onboarding process, ensuring the same level of security and PCI compliance.&lt;br \\\/&gt;\\nAdditionally, Adyen is a qualified &lt;a href=\\&quot;https:\\\/\\\/listings.pcisecuritystandards.org\\\/assessors_and_solutions\\\/software_lifecycle\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;PCI Secure Software Lifecycle (SLC) software vendor&lt;\\\/a&gt; for the development of payment pages and components, in addition to its own PCI DSS Attestation of Compliance (AoC) covering general security controls. Payment components are continuously tested for vulnerabilities and design issues, ensuring the required level of security.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen requires that you assess your PCI DSS compliance according to the following requirements of the Self-Assessment Questionnaire A (SAQ A):&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: Requirements 2, 6, 8, 11, and 12.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;drop-in__components__plugins_0_1&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Pay by Link&quot;,&quot;content&quot;:&quot;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required documents:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;None&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You provide a payment link to your shopper by email, SMS, or QR code. The payment link redirects your shopper to a secure Adyen-hosted payment page to complete the payment. 
Your responsibility is to provide the shopper with the correct link to the Adyen-hosted payment page.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low:&lt;\\\/strong&gt; An attacker who gains access to the system that generates the link, through the API or the Customer Area, could change the payment link from an Adyen-hosted payment page to a fraudulent payment website where they try to steal your shopper&#039;s cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration can be significantly reduced by making sure that vendor-supplied usernames and passwords are not used within your environment, patches are applied as soon as they are released, and strong passwords and unique user IDs are used.&lt;\\\/p&gt;\\n&lt;p&gt;Adyen is a qualified &lt;a href=\\&quot;https:\\\/\\\/listings.pcisecuritystandards.org\\\/assessors_and_solutions\\\/software_lifecycle\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;PCI Secure Software Lifecycle (SLC) software vendor&lt;\\\/a&gt; for the development of payment pages and components, in addition to its own PCI DSS AoC covering general security controls. Payment pages are continuously tested for vulnerabilities and design issues, ensuring the required level of security.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen does not require you to submit any PCI DSS documentation. However, you must be PCI DSS compliant at all times. For more information on PCI DSS requirements, refer to &lt;a href=\\&quot;https:\\\/\\\/listings.pcisecuritystandards.org\\\/search_result\\\/documents\\\/pci_ssc_quick_reference_guide\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;PCI DSS Quick Reference Guide&lt;\\\/a&gt;. 
Furthermore, Adyen may occasionally contact you and ask you to provide necessary PCI DSS documentation depending on your risk profile.&lt;\\\/p&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;pay_by_link_1_2&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Hosted Checkout&quot;,&quot;content&quot;:&quot;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required documents:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You must make sure that you have &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide\\\/saq-a-eligibility\\&quot;&gt;eligibility for SAQ A&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You redirect your shopper from your website to an Adyen-hosted payment page to complete the payment. 
After your shopper completes the payment, they return to your website with the result of the payment session.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low:&lt;\\\/strong&gt; An attacker could gain access to your website and change the redirect from an Adyen-hosted payment page to a fraudulent payment website where they try to steal your shopper&#039;s cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration can be significantly reduced by making sure that vendor-supplied usernames and passwords are not used within your environment, patches are applied as soon as they are released, and strong passwords and unique user IDs are used.&lt;\\\/p&gt;\\n&lt;p&gt;Adyen is a qualified &lt;a href=\\&quot;https:\\\/\\\/listings.pcisecuritystandards.org\\\/assessors_and_solutions\\\/software_lifecycle\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;PCI Secure Software Lifecycle (SLC) software vendor&lt;\\\/a&gt; for the development of payment pages and components, in addition to its own PCI DSS AoC covering general security controls. 
Payment pages are continuously tested for vulnerabilities and design issues, ensuring the required level of security.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen requires that you assess your PCI DSS compliance according to the following requirements of the Self-Assessment Questionnaire A (SAQ A):&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: Requirements 2, 6, 8, 11, and 12.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;hosted_checkout_2_3&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;API only&quot;,&quot;content&quot;:&quot;\\n&lt;p&gt;This applies if you use raw card data from shoppers.&lt;\\\/p&gt;\\n&lt;div class=\\&quot;sc-notice tip\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required document:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-D-Merchant.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire D&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;If you use Adyen&#039;s &lt;a href=\\&quot;\\\/payment-methods\\\/cards\\\/custom-card-integration\\&quot;&gt;Custom Card Component&lt;\\\/a&gt;, which includes encryption based on our &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide?tab=drop-in__components__plugins_0_1\\&quot;&gt;Card Component&lt;\\\/a&gt; and securely encrypts card details, the required document is:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment 
Questionnaire A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You build your own UI and use only our APIs. This integration is commonly used when you want to be in full control of the payment flow. The checkout page is hosted, served, and controlled by you. You receive cardholder data from your shopper&#039;s browser, process the data, and then send the raw card data to Adyen over Transport Layer Security (TLS 1.2), according to PCI DSS requirements.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | High:&lt;\\\/strong&gt; This integration requires a wider PCI DSS scope as your system receives, transmits, and potentially stores and processes cardholder data&amp;mdash;giving you full control of the payment flow and the payment data. A malicious actor who successfully compromises your website or your systems will potentially be able to access large amounts of cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration are considered higher, since you are completely in control of the collection, transmission, and optional storage of cardholder data. Consequently, you&#039;ll have to comply with all applicable PCI DSS requirements, because these functions are not outsourced to Adyen.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; To mitigate the risks associated with this integration, Adyen requires that you assess your PCI DSS compliance according to &lt;em&gt;Self-Assessment Questionnaire D&lt;\\\/em&gt; (&lt;em&gt;SAQ D&lt;\\\/em&gt;), the most extensive form of self-certification. Because SAQ D is the default catch-all SAQ, there may still be parts of it that are not applicable to your environment. 
We recommend that you ensure that you have sufficient resources and capacity to handle this level of security.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;ASV Network Scan:&lt;\\\/strong&gt; Because your network is part of, or connected to, the cardholder data environment, you are also required to perform &lt;em&gt;quarterly&lt;\\\/em&gt; external vulnerability network scans. These scans must be performed by an &lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/assessors_and_solutions\\\/approved_scanning_vendors\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Approved Scanning Vendor&lt;\\\/a&gt; (&lt;a href=\\&quot;#ASV\\&quot;&gt;ASV&lt;\\\/a&gt;). They are conducted over the internet as a remote service and do not require on-site presence to execute.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/ASV_Program_Guide_v3.0.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;* Approved Scanning Vendors Program Guide &lt;\\\/a&gt;&lt;\\\/p&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;api_only_3_4&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Client-Side Encryption&quot;,&quot;content&quot;:&quot;\\n&lt;h3&gt;JSON Web Encryption (JWE)&lt;\\\/h3&gt;\\n&lt;p&gt;Use a third-party JWE library to encrypt card details client-side.&lt;\\\/p&gt;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required document:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire 
A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You must make sure that you have &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide\\\/saq-a-eligibility\\&quot;&gt;eligibility for SAQ A&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You generate the payment form on your website where shoppers submit their payment details. Cardholder data is encrypted on your shopper&#039;s browser using a third-party JWE library, sent to your server, and then transmitted to Adyen.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Medium:&lt;\\\/strong&gt; Because you provide the payment form, your systems are in scope for additional PCI DSS controls. The chances of your system being compromised are higher with this integration because you serve both the payment form and the encryption library to your shopper. Malicious actors who modify the JWE library or the payment form you serve could steal your shopper&#039;s cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration can be significantly reduced by making sure you apply mandatory PCI DSS controls, such as not using vendor-supplied usernames and passwords, applying patches as soon as they are released, and developing software in a way that addresses common vulnerabilities.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Although a JWE integration carries more risk than Pay by Link, Drop-in, and Components, it can still be scoped under Self-Assessment Questionnaire A (SAQ A) for PCI DSS compliance because, once the data is encrypted, you cannot decrypt it.&lt;\\\/p&gt;\\n&lt;h3&gt;Client-side encryption library&lt;\\\/h3&gt;\\n&lt;div class=\\&quot;sc-notice warning\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;The Client-Side Encryption (CSE) Web integrations are being phased out&lt;\\\/strong&gt;&lt;br 
\\\/&gt;\\nThis means we are:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;No longer developing the CSE integration.&lt;\\\/li&gt;\\n&lt;li&gt;Not accepting new CSE integrations.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;Switch to one of our latest &lt;a href=\\&quot;\\\/online-payments\\\/build-your-integration\\\/sessions-flow?platform=Web\\&quot;&gt;Web integrations&lt;\\\/a&gt; to accept payments on your website.&lt;\\\/p&gt;\\n&lt;p&gt;Mobile integrations aren&#039;t affected.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;To comply with PCI DSS v4.0.1, you must modify your integration to &lt;a href=\\&quot;\\\/online-payments\\\/classic-integrations\\\/classic-api-integration\\\/client-side-encryption#client-side\\&quot;&gt;implement Subresource Integrity&lt;\\\/a&gt;, so that the browser refuses to execute the CSE library if its contents do not match the expected hash.&lt;\\\/p&gt;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required document:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You must make sure that you have &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide\\\/saq-a-eligibility\\&quot;&gt;eligibility for SAQ A&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration&lt;\\\/strong&gt;: You generate the payment form on your website where shoppers submit their payment details. Cardholder data is encrypted on your shopper&#039;s browser, sent to your server, and then transmitted to Adyen. 
The CSE solution works with a JavaScript library, which can be hosted either by you or by Adyen.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Medium:&lt;\\\/strong&gt; Because you provide the payment form and you can host the CSE library, your systems are in scope for additional PCI DSS controls. The chances of your system being compromised when using Adyen&#039;s CSE integration are potentially higher because you serve the payment form to your shopper. Malicious actors could potentially change your self-hosted CSE JavaScript library and steal your shopper&#039;s cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks&lt;\\\/strong&gt;: The risks associated with this integration can be significantly reduced by making sure vendor-supplied usernames and passwords are not used within your environment, patches are applied as soon as they are released, and strong passwords and unique user IDs are used.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements&lt;\\\/strong&gt;: Although a CSE integration carries more risk than Pay by Link, Drop-in, and Components, Adyen only requires you to complete Self-Assessment &lt;em&gt;Questionnaire A&lt;\\\/em&gt; (&lt;em&gt;SAQ A&lt;\\\/em&gt;) for PCI DSS compliance because you cannot decrypt cardholder data.&lt;\\\/p&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;client-side_encryption_4_5&quot;,&quot;relation&quot;:&quot;&quot;}]\"\n            :should-update-when-url-changes='false'>\n        <\/tabs>\n    <\/div>\n<\/div>\n\n<h3>Additional reading<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&amp;time=1565256423488\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Infographic - Strong Passwords<\/a><\/li>\n<li><a 
href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Payment-Data-Security-Essential-Patching.pdf?agreement=true&amp;time=1565256423505\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Infographic - Patching<\/a><\/li>\n<li><a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/best_practices_securing_ecommerce.pdf?agreement=true&amp;time=1565342137625\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Best Practices for Securing E-commerce<\/a><\/li>\n<\/ul>\n<h2 id=\"mobile-in-app-online-payments-integration\">Mobile in-app online payments integration<\/h2>\n<p>Select how you implemented your <a href=\"\/online-payments\/ios\">iOS<\/a> or <a href=\"\/online-payments\/android\">Android<\/a> integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:<\/p>\n\n<div id=\"tabOeXob\">\n    <div data-component-wrapper=\"tabs\">\n        <tabs\n                        :items=\"[{&quot;title&quot;:&quot;Drop-in or Components&quot;,&quot;content&quot;:&quot;\\n&lt;div class=\\&quot;sc-notice info\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;&lt;strong&gt;Required documents:&lt;\\\/strong&gt;&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-A.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire A&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You must make sure that you have &lt;a href=\\&quot;\\\/development-resources\\\/pci-dss-compliance-guide\\\/saq-a-eligibility\\&quot;&gt;eligibility for SAQ A&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; Your app generates the payment form using Adyen&#039;s Drop-in or 
Components solution, and the shopper submits their payment details. Cardholder data is encrypted in the app, sent to your server, and then transmitted to Adyen. The Drop-in or Components solution works with a native library, which is embedded in your mobile app.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low:&lt;\\\/strong&gt; Because the Drop-in and Components native library is implemented in your app and not on a public website, the risks associated with your integration are comparatively low. Because the app runs on individual devices, malicious actors cannot target the majority of your app users at once, but they could still exploit security vulnerabilities on a specific mobile device.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration can be significantly reduced by doing the following:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;Making sure vendor-supplied usernames and passwords are not used within your environment.&lt;\\\/li&gt;\\n&lt;li&gt;Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of identified vulnerabilities.&lt;\\\/li&gt;\\n&lt;li&gt;Using unique user IDs and requiring strong passwords of at least 12 characters.&lt;\\\/li&gt;\\n&lt;li&gt;Implementing a security policy that includes an incident response plan and defines information security roles and responsibilities for all personnel.&lt;\\\/li&gt;\\n&lt;li&gt;Performing external vulnerability scans every 3 months. 
This is a new requirement in PCI DSS v4.0.1.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen requires that you assess your PCI DSS compliance according to the following requirements of the Self-Assessment Questionnaire A (SAQ A):&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: Requirements 2, 6, 8, 11, and 12.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;h3&gt;Additional reading&lt;\\\/h3&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&amp;amp;time=1565256423488\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Infographic - Strong Passwords&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/Payment-Data-Security-Essential-Patching.pdf?agreement=true&amp;amp;time=1565256423505\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Infographic - Patching&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/pdfs\\\/best_practices_securing_ecommerce.pdf?agreement=true&amp;amp;time=1565342137625\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Best Practices for Securing E-commerce&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;drop-in_or_components_0_1&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;API only&quot;,&quot;content&quot;:&quot;\\n&lt;div class=\\&quot;sc-notice tip\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;Required document:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a 
href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-D-Merchant.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire D&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; You build your own UI and use only our APIs. This integration is commonly used when you want to be in full control of the payment flow. The payment form is hosted, served, and controlled by you. You receive cardholder data through the app - which can be optionally stored - and then you send the raw card data to Adyen over Transport Layer Security (TLS 1.2), according to PCI DSS requirements.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Medium:&lt;\\\/strong&gt;  This integration requires a wider PCI DSS scope as your system receives, transmits, and potentially stores and processes cardholder data&amp;mdash;giving you full control of the payment flow and the payment data.  While malicious actors are not able to target the majority of your app users since the app runs on individual devices, a malicious actor that successfully compromises your systems will still potentially be able to access large amounts of cardholder data.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks:&lt;\\\/strong&gt; The risks associated with this integration are considered higher, since you are completely in control over the collection, transmission, and optional storage of cardholder data. 
Consequently, you&#039;ll have to comply with all eligible PCI DSS requirements, because these cardholder data functions are not outsourced to Adyen.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; To mitigate the risks associated with this integration, Adyen requires that you assess your compliance using a &lt;em&gt;Self-Assessment Questionnaire D (SAQ D)&lt;\\\/em&gt;, the most extensive form of self-certification. Because SAQ D is the default catch-all SAQ, there may still be parts of it that aren&#039;t applicable to your environment. We recommend that you ensure that you have sufficient resources and capacity in order to handle this level of security.&lt;\\\/p&gt;\\n&lt;h3&gt;Additional reading&lt;\\\/h3&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&amp;amp;time=1565256423488\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Infographic - Strong Passwords&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/Payment-Data-Security-Essential-Patching.pdf?agreement=true&amp;amp;time=1565256423505\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Infographic - Patching&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/pdfs\\\/best_practices_securing_ecommerce.pdf?agreement=true&amp;amp;time=1565342137625\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Best Practices for Securing 
E-commerce&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;api_only_1_2&quot;,&quot;relation&quot;:&quot;&quot;}]\"\n            :should-update-when-url-changes='false'>\n        <\/tabs>\n    <\/div>\n<\/div>\n\n<h2 id=\"in-person-payments\">In-person payments integration<\/h2>\n<p>When implementing an <a href=\"\/point-of-sale\">in-person payments<\/a> integration, you have the option to use payment terminals with either our default End-to-End Encryption (E2EE) or Point-to-Point Encryption (P2PE). Select the encryption standard below to learn about the PCI DSS requirements you must comply with and the corresponding documentation that you should provide.<\/p>\n\n<div id=\"tabVcU3j\">\n    <div data-component-wrapper=\"tabs\">\n        <tabs\n                        :items=\"[{&quot;title&quot;:&quot;E2EE&quot;,&quot;content&quot;:&quot;\\n&lt;p&gt;If you are using our &lt;a href=\\&quot;\\\/point-of-sale\\&quot;&gt;in-person payments&lt;\\\/a&gt; integration, you only have to provide Adyen with &lt;em&gt;Self-Assessment Questionnaire B-IP&lt;\\\/em&gt; if you process over 1 million card-present transactions annually.&lt;\\\/p&gt;\\n&lt;div class=\\&quot;sc-notice tip\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;Required document:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-B-IP.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0 Self-Assessment Questionnaire B-IP&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; The payment terminals provided by Adyen are all &lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/assessors_and_solutions\\\/pin_transaction_devices\\&quot; target=\\&quot;_blank\\&quot; 
rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;PTS-approved &lt;\\\/a&gt; Point-of-Interaction (&lt;a href=\\&quot;#POI\\&quot;&gt;POI&lt;\\\/a&gt;) devices. Adyen&#039;s &lt;a href=\\&quot;\\\/point-of-sale\\&quot;&gt;in-person payments integration&lt;\\\/a&gt; has been designed to reduce your PCI DSS scope as much as possible through End-to-End Encryption (E2EE). None of your systems, including your POS system, receive cardholder data in unencrypted forms.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low:&lt;\\\/strong&gt; Adyen ensures End-to-End Encryption and is responsible for the security of your shoppers&#039; cardholder data as soon as we receive the data through the payment terminal. The risks for in-person payments integrations are related to the physical security of the payment terminal. Malicious actors can tamper with or replace payment terminals.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks&lt;\\\/strong&gt;: Risks associated with this integration, such as skimming attacks, can be significantly reduced by doing the following:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;Implementing policies and procedures to periodically inspect the security of the payment terminals, to confirm that they have not been tampered with and that tamper-evident security packing tape or seals have not been broken.&lt;\\\/li&gt;\\n&lt;li&gt;Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of the spotted vulnerabilities. 
This applies only if you &lt;a href=\\&quot;\\\/point-of-sale\\\/release-updating\\\/#manual-updating\\&quot;&gt;update your terminals manually&lt;\\\/a&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;Implementing a security policy which defines information security roles and responsibilities for all personnel.&lt;\\\/li&gt;\\n&lt;li&gt;Engaging and maintaining a relationship with only PCI DSS compliant third-party service providers.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen requires you to assess your PCI DSS compliance along with any other requirements that might apply to your environment with the following requirements from the &lt;em&gt;Self-Assessment Questionnaire B-IP&lt;\\\/em&gt; (&lt;em&gt;SAQ B-IP&lt;\\\/em&gt;):&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: Requirements 9.1, 9.5, and 12.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;h3&gt;Additional reading&lt;\\\/h3&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/Skimming_Prevention_BP_for_Merchants_Sept2014.pdf?agreement=true&amp;amp;time=1574264409741\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;Best Practices for Merchants: Skimming Prevention&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;\\\/development-resources\\\/e2ee-p2pe-comparison\\&quot;&gt;Comparing Adyen&#039;s E2EE and P2PE solutions&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;e2ee_0_1&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;P2PE&quot;,&quot;content&quot;:&quot;\\n&lt;p&gt;If you are using our &lt;a href=\\&quot;\\\/point-of-sale\\&quot;&gt;in-person payments&lt;\\\/a&gt; integration with Point-to-Point Encryption (P2PE), you are required to implement all the requirements in the &lt;a 
href=\\&quot;https:\\\/\\\/www.adyen.com\\\/legal\\\/p2pe-instruction-manual\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;P2PE Instruction Manual (PIM)&lt;\\\/a&gt;.&lt;\\\/p&gt;\\n&lt;div class=\\&quot;sc-notice tip\\&quot;&gt;&lt;div&gt;\\n&lt;p&gt;Required document:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: &lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/SAQ%20(Assessment)\\\/SAQ\\\/PCI-DSS-v4-0-1-SAQ-P2PE.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;v4.0.1 Self-Assessment Questionnaire P2PE&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;\\\/div&gt;&lt;\\\/div&gt;\\n&lt;p&gt;&lt;strong&gt;Integration:&lt;\\\/strong&gt; The payment terminals provided by Adyen are all validated and listed P2PE-approved solutions. The cardholder data is encrypted from the point of interaction until it reaches Adyen&#039;s secure decryption environment, ensuring that you do not have access to clear-text cardholder data on any systems.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Possible risks | Low:&lt;\\\/strong&gt; Adyen ensures P2PE and is responsible for the security of your shoppers&#039; cardholder data as soon as we receive the data through the payment terminal. The risks for in-person payments integrations are related to the physical security of the payment terminal. 
Malicious actors can tamper with or replace payment terminals.&lt;\\\/p&gt;\\n&lt;p&gt;&lt;strong&gt;Mitigating the risks&lt;\\\/strong&gt;: Risks associated with this integration, such as skimming attacks, can be significantly reduced by doing the following:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;Implementing policies and procedures to periodically inspect the security of the payment terminals, to confirm that they have not been tampered with and that tamper-evident security packing tape or seals have not been broken.&lt;\\\/li&gt;\\n&lt;li&gt;Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of the spotted vulnerabilities. This applies only if you &lt;a href=\\&quot;\\\/point-of-sale\\\/release-updating\\\/#manual-updating\\&quot;&gt;update your terminals manually&lt;\\\/a&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;Implementing a security policy which defines information security roles and responsibilities for all personnel.&lt;\\\/li&gt;\\n&lt;li&gt;Engaging and maintaining a relationship with only PCI DSS compliant third-party service providers.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;&lt;strong&gt;Validation document and requirements:&lt;\\\/strong&gt; Adyen requires you to assess your PCI DSS compliance according to the requirements in the Self-Assessment Questionnaire P2PE (SAQ P2PE):&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;PCI DSS v4.0.1: Requirements 9.1, 9.5, and 12.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;You are also required to implement all requirements in the P2PE Instruction Manual (PIM).&lt;\\\/p&gt;\\n&lt;h3&gt;Additional reading&lt;\\\/h3&gt;\\n&lt;ul&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/P2PE\\\/Standard\\\/PCI-P2PE-v3.x-Technical-FAQs-04Dec2024.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;P2PE FAQs&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a 
href=\\&quot;https:\\\/\\\/docs-prv.pcisecuritystandards.org\\\/P2PE\\\/Program%20Documents\\\/PCI-P2PE-Program-Guide-v3.1.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;P2PE Security Program Guide&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;li&gt;&lt;a href=\\&quot;https:\\\/\\\/www.pcisecuritystandards.org\\\/documents\\\/P2PE_v3.0_Standard.pdf\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;P2PE Security Requirements and Testing Procedures&lt;\\\/a&gt;&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;p2pe_1_2&quot;,&quot;relation&quot;:&quot;&quot;}]\"\n            :should-update-when-url-changes='false'>\n        <\/tabs>\n    <\/div>\n<\/div>\n\n<h2>Service Providers<\/h2>\n<p>Because Adyen processes your payments, Adyen is regarded as a <em>Service Provider<\/em>. Merchants will often engage with a number of different service providers for a variety of reasons. For example, you could engage a service provider to perform recurring payments, provide shopping cart solutions, or facilitate subscription billing. By using service providers, you are transferring parts of your PCI DSS obligations to them.<\/p>\n<p>To carry out outsourced functions, service providers need access to your shoppers' cardholder data, making their PCI DSS compliance vital. When engaging a service provider, you are responsible for:<\/p>\n<ul>\n<li>Making sure that the service provider is PCI DSS-compliant regardless of the type of service they are providing.<\/li>\n<li>Identifying the functions each service provider is performing.<\/li>\n<li>Ensuring that the service providers acknowledge their PCI DSS responsibilities.<\/li>\n<\/ul>\n<div class=\"notices green\">\n<p>Adyen has a trusted list of partners, which includes: Zuora, VTEX, and Recurly. 
Refer to <a href=\"https:\/\/www.adyen.com\/partners\/network\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Adyen's partner page<\/a> for our complete list of partners.<\/p>\n<\/div>\n<h3>Requirements when using a Service Provider<\/h3>\n<p>If you are using a Service Provider who has access to your shoppers' cardholder data, you are outsourcing part of your PCI DSS responsibilities. You are required to:<\/p>\n<ol>\n<li>Ask your service provider for their <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v3_2_1-AOC-ServiceProviders.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Service Provider's Attestation of Compliance<\/a>.<\/li>\n<li>Make sure that  the service provider is registered with the schemes and is listed on <a href=\"https:\/\/usa.visa.com\/splisting\/splistingindex.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Visa's Global Registry of Service Providers<\/a> and <a href=\"https:\/\/www.mastercard.us\/en-us\/merchants\/safety-security\/security-recommendations\/service-providers-need-to-know.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Mastercard's Compliant Service Provider List<\/a>.<\/li>\n<\/ol>\n<p>After you have collected your Service Provider's AoC and verified that they are registered with the schemes, you then need to provide Adyen with:<\/p>\n<ol>\n<li>Names of the service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).<\/li>\n<li>The <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v3_2_1-AOC-ServiceProviders.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Service Provider's Attestation of Compliance<\/a>.<\/li>\n<\/ol>\n<p>The use of service providers 
does not relieve you of the ultimate responsibility for your own PCI DSS compliance. You must manage the relationship with the service provider as described in <strong>PCI DSS requirement 12.8<\/strong>, including listing all the service providers you use, maintaining agreements and acknowledgement of responsibilities, carrying out due diligence prior to engagement, and monitoring the service provider's PCI DSS compliance status (by requesting their AoC every year).<\/p>\n<h2 id=\"glossary\">PCI DSS Glossary<\/h2>\n<ul>\n<li>\n<p>AOC \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/document_library?category=saqs&amp;subcategory=saqs_saq_aoc\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Attestation of Compliance<\/a> - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC). <a id=\"AoC\"><\/a><\/p>\n<\/li>\n<li>\n<p>ASV \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/approved_scanning_vendors\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Approved Scanning Vendor<\/a> - A company approved by the PCI SSC to conduct external vulnerability network scanning services. <a id=\"ASV\"><\/a><\/p>\n<\/li>\n<li>\n<p>CDE \u2013 Cardholder Data Environment -  The people, processes and technology that collect, store, process or transmit cardholder data. 
<a id=\"CDE\"><\/a><\/p>\n<\/li>\n<li>\n<p>CHD \u2013 Cardholder data - At minimum, cardholder data consist of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date and\/or service code.<\/p>\n<\/li>\n<li>\n<p>PCI DSS \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2-1.pdf?agreement=true&amp;time=1577114024374\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Payment Card Industry Data Security Standards<\/a>. <a id=\"PCI-DSS\"><\/a><\/p>\n<\/li>\n<li>\n<p>PCI SSC \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Payment Card Industry Security Standards Council<\/a>. <a id=\"PCI-SSC\"><\/a><\/p>\n<\/li>\n<li>\n<p>POI - Point of Interaction - The initial point where cardholder data is read from a card, typically a payment terminal. <a id=\"POI\"><\/a><\/p>\n<\/li>\n<li>\n<p>PTS - <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/pin_transaction_devices\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">PIN Transaction Security<\/a> - PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals<\/p>\n<\/li>\n<li>\n<p>QSA \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/qualified_security_assessors\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Qualified Security Assessor<\/a> - A company which is qualified by the PCI SSC to perform PCI DSS onsite assessments. 
<a id=\"QSA\"><\/a><\/p>\n<\/li>\n<li>\n<p>RoC \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-DSS-v3_2_1-ROC-Reporting-Template.pdf?agreement=true&amp;time=1577114091639\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Report on Compliance<\/a> - Report documenting detailed results from an entity's PCI DSS assessment. <a id=\"ROC\"><\/a><\/p>\n<\/li>\n<li>\n<p>SAD \u2013 Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID and CVV2.<\/p>\n<\/li>\n<li>\n<p>SAQ \u2013 <a href=\"https:\/\/www.pcisecuritystandards.org\/document_library?category=saqs#results\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Self Assessment Questionnaire<\/a> - Reporting tool used to document self-assessment results from an entity's PCI DSS assessment. <a id=\"SAQ\"><\/a><\/p>\n<\/li>\n<li>\n<p>TLS - Transport Layer Security - A network communications protocol designed with the goal of providing data secrecy and data integrity between two communicating applications. 
TLS is the successor of SSL.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"see-also\">See also<\/h2>\n<div class=\"see-also-links output-inline\" id=\"see-also\">\n<ul><li><a href=\"\/development-resources\/pci-dss-compliance-guide\/merchant-levels\"\n                        target=\"_self\"\n                        >\n                    PCI compliance levels\n                <\/a><\/li><li><a href=\"\/development-resources\/pci-dss-compliance-guide\/pci-with-qsa\"\n                        target=\"_self\"\n                        >\n                    Engaging a Qualified Security Assessor\n                <\/a><\/li><li><a href=\"https:\/\/help.adyen.com\/knowledge\/compliance\/pci-dss-compliance\"\n                        target=\"_blank\"\n                         class=\"external\">\n                    PCI DSS FAQs\n                <\/a><\/li><li><a href=\"https:\/\/www.mastercard.us\/en-us\/merchants\/safety-security\/security-recommendations\/service-providers-need-to-know.html\"\n                        target=\"_blank\"\n                         class=\"external\">\n                    Mastercard's Compliant Service Provider List\n                <\/a><\/li><li><a href=\"https:\/\/usa.visa.com\/splisting\/splistingindex.html\"\n                        target=\"_blank\"\n                         class=\"external\">\n                    Visa's Global Registry of Service Providers\n                <\/a><\/li><\/ul><\/div>\n","url":"https:\/\/docs.adyen.com\/development-resources\/pci-dss-compliance-guide","articleFields":{"description":"Learn what you need to do to comply with PCI DSS v4.0.1.","feedback_component":true,"filters_component":false,"last_edit_on":"27-02-2024 10:02","decision_tree":"[]","page_id":"65a21e38-4368-4e89-8e7f-3114b9fc4095"}}
