PCI DSS v4.0 has been released
PCI DSS v4.0 replaced v3.2.1 on 31 March 2024. Now, when you assess your compliance, you must use PCI DSS v4.0 documents. Your v3.2.1 document is only valid until it expires.
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.
This document should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.
Introduction to PCI DSS
PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that, when implemented correctly, help you to protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you to maintain your shoppers' trust.
As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that do not comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.
Before you continue, it is important to understand that:
- PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).
- PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate its compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.
Adyen's role in PCI DSS compliance
Implementing PCI DSS in your business can be daunting, especially if you do not have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions—you never see and never have access to unencrypted cardholder data.
When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Adyen. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Adyen does not completely eliminate your PCI scope.
- Adyen's responsibility: Adyen is responsible for the security of cardholder data only from the moment Adyen receives the data through the relevant payment interface. After Adyen receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.
- Your responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches Adyen. Depending on your integration, you also have to comply with cardholder data storage requirements.
Adyen is a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually.
Transitioning to PCI DSS v4.0
PCI DSS v4.0 was released in 2022, and introduces expanded requirements in key security and technology areas such as:
- Mobile phones and tablets.
- Contactless payments.
- Cloud adaptation.
- New software development practices.
- Increased reliance on third-party services.
You can already start verifying compliance requirements, and prepare or use PCI DSS v4.0 documents today. If you already accept credit card payments, the date from which you must use PCI DSS v4.0 compliance documents depends on when your current validation document expires:
- Before March 31, 2024: you can continue to use v3.2.1 until March 31, 2024. After March 31, 2024 you must use v4.0.
- After March 31, 2024: you can continue to use v3.2.1 until your document expires. After your document expires, you must use v4.0.
To validate your compliance with v4.0 and review the requirements, refer to the relevant integration sections for Online payments, Mobile in-app online payments, or In-person payments.
Online payments integration
Select your Web online payments integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:
The following validation requirements are based on Adyen's acceptable risk profile for each integration type. These may differ from what other acquirers require.
Mobile in-app online payments integration
Select how you implemented your iOS or Android integration below to learn which PCI DSS requirements you must comply with and the corresponding documentation that you should provide:
In-person payments integration
When implementing an in-person payments integration, you have the option to use one of our default End-to-End Encryption (E2EE), Point-to-Point Encryption (P2PE), or Tap to Pay solutions. Select the encryption standard below to learn about the PCI DSS requirements you must comply with and the corresponding documentation that you should provide.
Service Providers
Because Adyen processes your payments, Adyen is regarded as a Service Provider. Merchants will often engage with a number of different service providers for a variety of reasons. For example, you could engage a service provider to perform recurring payments, provide shopping cart solutions, or facilitate subscription billing. By using service providers, you are transferring parts of your PCI DSS obligations to them.
To carry out outsourced functions, service providers need access to your shoppers' cardholder data, making their PCI DSS compliance vital. When engaging a service provider, you are responsible for:
- Making sure that the service provider is PCI DSS-compliant regardless of the type of service they are providing.
- Identifying the functions each service provider is performing.
- Ensuring that the service providers acknowledge their PCI DSS responsibilities.
Adyen has a trusted list of partners, which includes: Zuora, VTEX, and Recurly. Refer to Adyen's partner page for our complete list of partners.
Requirements when using a Service Provider
If you are using a Service Provider who has access to your shoppers' cardholder data, you are outsourcing part of your PCI DSS responsibilities. You are required to:
- Ask your service provider for their Service Provider's Attestation of Compliance.
- Make sure that the service provider is registered with the schemes and is listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
After you have collected your Service Provider's AoC and verified that they are registered with the schemes, you then need to provide Adyen with:
- Names of the service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
- The Service Provider's Attestation of Compliance.
The use of service providers does not relieve you of the ultimate responsibility for your own PCI DSS compliance. You must manage the relationship with the service provider as described in PCI DSS requirement 12.8, including listing all the service providers you use, maintaining agreements and acknowledgement of responsibilities, carrying out due diligence prior to engagement, and monitoring the service provider's PCI DSS compliance status (by requesting their AoC every year).
PCI DSS Glossary
- AOC (Attestation of Compliance): A form used to attest to the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC).
- ASV (Approved Scanning Vendor): A company approved by the PCI SSC to conduct external network vulnerability scanning services.
- CDE (Cardholder Data Environment): The people, processes, and technology that collect, store, process, or transmit cardholder data.
- CHD (Cardholder Data): At minimum, cardholder data consists of the full PAN (Primary Account Number), optionally accompanied by the cardholder name, expiration date, and/or service code.
- POI (Point of Interaction): The initial point where cardholder data is read from a card, typically a payment terminal.
- PTS (PIN Transaction Security): A set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals.
- QSA (Qualified Security Assessor): A company that is qualified by the PCI SSC to perform PCI DSS onsite assessments.
- RoC (Report on Compliance): A report documenting the detailed results of an entity's PCI DSS assessment.
- SAD (Sensitive Authentication Data): Security-related information used for authentication or authorization. SAD includes the 3- or 4-digit values on a card used to verify card-not-present transactions, such as CAV2, CVC2, CID, and CVV2.
- SAQ (Self-Assessment Questionnaire): A reporting tool used to document the self-assessment results of an entity's PCI DSS assessment.
- TLS (Transport Layer Security): A network communications protocol designed to provide data secrecy and data integrity between two communicating applications. TLS is the successor of SSL.