The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.
This document should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.
Introduction to PCI DSS
PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that when implemented correctly, helps you to protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you to maintain your shopper's trust.
As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that don't comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.
Before you continue, it is important to understand that:
- PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).
- PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate their compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.
Adyen's role in PCI DSS compliance
Implementing PCI DSS in your business can be daunting, especially if you don't have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions—you never see and never have access to unencrypted cardholder data.
When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Adyen. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Adyen does not completely eliminate your PCI scope.
- Adyen's responsibility: Adyen is solely responsible for the security of cardholder data only as soon as Adyen receives the data through the relevant payment interface. After Adyen receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.
- Your responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches Adyen. Depending on your integration, you also have to comply with cardholder data storage requirements.
Adyen is a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually.
Transitioning to PCI DSS v4.0
PCI DSS v4.0 was released in 2022, and introduces expanded requirements in key security and technology areas such as:
- Mobile phones and tablets.
- Contactless payments.
- Cloud adaptation.
- New software development practices.
- Increased reliance on third-party services.
You can already start verifying compliance requirements, and prepare or use PCI DSS v4.0 documents today. If you already accept credit card payments, the date from which you must use PCI DSS v4.0 compliance documents depends on when your current validation document expires:
- Before March 31, 2024: you can continue to use v3.2.1 until March 31, 2024. After March 31, 2024 you must use v4.0.
- After March 31, 2024: you can continue to use v3.2.1 until your document expires. After your document expires, you must use v4.0.
Learn more about how to prepare on our blog post about the transition.
Validating your PCI DSS compliance
If you are accepting credit card payments, you have to validate your PCI DSS compliance annually. You can validate your compliance either by:
- Completing a Self-Assessment Questionnaire (SAQ). You can use this option if you process less than 6 million transactions per acquiring region per year.
- Engaging a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you.
The requirements are the same and the same assessment is performed for both options. The only difference is that you complete the SAQ on your own, while the RoC is completed by a QSA.
Results of the assessment must be included in an official PCI SSC validation document and then provided to Adyen. If you are using one of our encrypted solutions, we may contact you on an annual basis to complete a Self-Assessment Questionnaire using DocuSign.
The specific PCI DSS requirements applicable to you depend on how you process payments and on the Adyen integration you use. Refer to the Online payments, Mobile in-app online payments, and Point of sale sections below to know which requirements you need to comply with.
Online payments integration
Select your Web online payments integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:
* The validation requirements below are based on Adyen's acceptable risk profile for each integration type. These may differ from what other acquirers require.
Mobile in-app online payments integration
Integration: Your app generates the payment form using Adyen's Drop-in or Components solution, and the shopper submits their payment details. Cardholder data is encrypted in the app, sent to your server, and then transmitted to Adyen. The Drop-in or Components solution works with a native library, which is embedded in your mobile app.
Possible risks | Low: Since the Drop-in and Components native library is implemented in your app and not on a public website, the risks associated with your integration are considerably low. While malicious actors are not able to target the majority of your app users since the app runs on individual devices, they still could potentially target security vulnerabilities of a specific mobile device.
Mitigating the risks: The risks associated with this integration can be significantly reduced by doing the following:
- Making sure vendor-supplied usernames and passwords are not used within your environment.
- Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of identified vulnerabilities.
- Implementing controls to manage payment page scripts securely.
- Using unique user IDs and requiring strong passwords of at least 12 characters.
- Implementing a security policy that includes an incident response plan and defines information security roles and responsibilities for all personnel.
- Performing external vulnerability scans every 3 months. This is a new requirement in PCI DSS v4.0.
- Deploying change- and tamper-detection systems on payment pages. This is a new requirement in PCI DSS v4.0 and a best practice until March 31, 2025.
Validation document and requirements: Adyen requires that you assess your PCI DSS compliance according to the following requirements of the Self-Assessment Questionnaire A (SAQ A):
- PCI DSS v4.0: Requirements 2, 6, 8, 11, and 12.
- PCI DSS v3.2.1: Requirements 2, 6, 8 and 12.
In-person payments integration
When implementing a in-person payments integration, you have the option to use either our default End-to-End Encryption (E2EE), Point-to-Point Encryption (P2PE), or Tap to Pay solution. Select the encryption standard below to learn about the PCI DSS requirements you must comply with and the corresponding documentation that you should provide.
If you are using our in-person payments integration, you only have to provide Adyen with Self-Assessment Questionnaire B-IP if you process over 1 million card-present transactions annually.
Integration: The payment terminals provided by Adyen are all PTS-approved Point-of-Interaction (POI) devices. Adyen's in-person payments integration has been designed to reduce your PCI DSS scope as much as possible through End-to-End Encryption (E2EE). None of your systems, including your POS system, receive cardholder data in unencrypted forms.
Possible risks | Low: Adyen ensures End-to-End Encryption and is responsible for the security of your shoppers' cardholder data as soon as we receive the data through the payment terminal. The risks for in-person payments integrations are related to the physical security of the payment terminal. Malicious actors can tamper with or replace payment terminals.
Mitigating the risks: Risks associated with this integration, such as skimming attacks, can be significantly reduced by doing the following:
- Implementing policies and procedures to periodically inspect the security of the payment terminals, to confirm that they have not been tampered with and that seals have not been broken.
- Actively monitoring industry sources for vulnerability information and patching software according to the risk ranking of the spotted vulnerabilities. This applies only if you update your terminals manually.
- Implementing a security policy which defines information security roles and responsibilities for all personnel.
- Engaging and maintaining a relationship with only PCI DSS compliant third-party service providers.
Validation document and requirements: Adyen requires you to assess your PCI DSS compliance along with any other requirements that might apply to your environment with the following requirements from the Self-Assessment Questionnaire B-IP (SAQ B-IP):
- PCI DSS v4.0: Requirements 9.1, 9.5, and 12.
- PCI DSS v3.2.1: Requirements 9.9 and 12.
Because Adyen processes your payments, Adyen is regarded as a Service Provider. Merchants will often engage with a number of different service providers for a variety of reasons. For example, you could engage a service provider to perform recurring payments, provide shopping cart solutions, or to facilitate subscription billing. By using service providers, you are transferring parts of your PCI DSS obligations towards them.
To carry out outsourced functions, service providers need access to your shoppers' cardholder data, making their PCI DSS compliance vital. When engaging a service provider, you are responsible for:
- Making sure that the service provider is PCI DSS-compliant regardless of the type of service they are providing.
- Identifying the functions each service provider is performing.
- Ensuring that the service providers acknowledge their PCI DSS responsibilities.
Adyen has a trusted list of partners, which includes: Zuora, VTEX, Recurly, and PCI Proxy. Refer to Adyen's partner page for our complete list of partners.
Requirements when using a Service Provider
If you are using a Service Provider who has access to your shoppers' cardholder data, you are outsourcing part of your PCI DSS responsibilities. You are required to:
- Ask your service provider for their Service Provider's Attestation of Compliance.
- Ensure that the service provider is registered with the schemes and is listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
After you have collected your Service Provider's AoC and verified that they are registered with the schemes, you then need to provide Adyen with:
- Names of the service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
- The Service Provider's Attestation of Compliance.
The use of service providers does not relieve you of the ultimate responsibility for your own PCI DSS compliance. You must manage the relationship with the service provider as described in PCI DSS requirement 12.8, including listing all the service providers you use, maintaining agreements and acknowledgement of responsibilities, carrying out due diligence prior to engagement, and monitoring the service provider's PCI DSS compliance status (by requesting their AoC every year).
PCI DSS Glossary
AOC – Attestation of Compliance - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC).
ASV – Approved Scanning Vendor - A company approved by the PCI SSC to conduct external vulnerability network scanning services.
CHD – Cardholder data - At minimum, cardholder data consist of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date and/or service code.
PTS - PIN Transaction Security - PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals
QSA – Qualified Security Assessor - A company which is qualified by the PCI SSC to perform PCI DSS onsite assessments.
RoC – Report on Compliance - Report documenting detailed results from an entity's PCI DSS assessment.
SAD – Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID and CVV2.
SAQ – Self Assessment Questionnaire - Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.
TLS - Transport Layer Security - A network communications protocol designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.