If you are accepting card payments, you need to validate your PCI DSS compliance annually.
The validation requirement that you should use to assess your compliance depends on your PCI Level. The PCI Level is determined by the number of transactions processed over a 12-month period, per acquiring region, per scheme.
The validation requirements are stated in either:
- A Self-Assessment Questionnaire (SAQ)
Or a Report on Compliance (RoC). The assessment must completed by an external Qualified Security Assessor (QSA) or your internal security resource. If you choose an Internal Security Assessor (ISA) to assess your environment, you must ensure that they complete the PCI SSC ISA training and pass the annual ISA accreditation program.
The requirements are the same and the same assessment is performed for both options. The only difference is that you complete the SAQ on your own, while the RoC is completed by a QSA or your internal security resource.
Depending on your integration, you might also be asked to provide:
- A Quarterly Network Scan performed by an Approved Scanning Vendor (ASV)
Refer to the table below for the criteria and validation requirements for each PCI Level.
|You are processing over 6 million transactions annually per acquiring region, per scheme or if you have previously experienced a breach that resulted in an Account Data Compromise (ADC) Event.|
|You are processing between 1 to 6 million transactions annually per acquiring region, per scheme.|
|You are processing between 20,000 to 1 million transactions annually per acquiring region, per scheme.|
|You are processing less than 20,000 transactions annually per acquiring region, per scheme.|
If you choose to validate your compliance using an RoC, submit only the summary of the assessment results to Adyen—this summary report is called Attestation of Compliance (AoC).
Because the ROC contains detailed information about the technical infrastructure of your cardholder data environment, you should never share the full ROC with Adyen.