Tools-2 icon

PCI compliance levels

Know your current PCI level to determine the validation requirements for PCI DSS compliance.

If you are accepting card payments, you need to validate your PCI DSS compliance annually.

The validation requirements that you should use to assess your compliance depends on your PCI compliance level. The PCI compliance level is determined by the number of transactions processed over a 12-month period, per acquiring region, per scheme.

Validation requirements

The validation requirements are stated in either:

  • A Self-Assessment Questionnaire (SAQ).
  • A Report on Compliance (RoC). The assessment must be completed by an external Qualified Security Assessor (QSA) or your internal security resource. If you let an Internal Security Assessor (ISA) assess your environment, you must ensure that they complete the PCI SSC ISA training and pass the annual ISA accreditation program.

    When using an RoC, submit only the summary of the assessment results to Adyen. This summary report is called Attestation of Compliance (AoC).

    Because the RoC contains detailed information about the technical infrastructure of your cardholder data environment, you should never share the full RoC with Adyen.

The requirements are the same for both SAQ and RoC, and the same assessment is performed. The only difference is that you complete the SAQ on your own, while the RoC is completed by a QSA or your internal security resource.

Depending on your integration, you may also need to provide:

  • A Quarterly Network Scan performed by an Approved Scanning Vendor (ASV)

Determine your PCI compliance level

Refer to the table below for the criteria and validation requirements for each PCI compliance level.

PCI compliance level Criteria
Validation requirements
ROC
or
SAQ
Network scan
Level 1
You process over 6 million transactions annually per acquiring region, per scheme or if you have previously experienced a breach that resulted in an Account Data Compromise (ADC) Event.
-white_check_mark-
-x-
Optional, depending on integration
Level 2
You process between 1 to 6 million transactions annually per acquiring region, per scheme.
-white_check_mark-
-white_check_mark-
Optional, depending on integration
Level 3
You process between 20,000 to 1 million transactions annually per acquiring region, per scheme.
-white_check_mark-
-white_check_mark-
Optional, depending on integration
Level 4
You process less than 20,000 transactions annually per acquiring region, per scheme.
-white_check_mark-
-white_check_mark-
Optional, depending on integration

See also