PCI DSS compliance
Learn about PCI DSS compliance at Adyen in our compliance guide.
Because your users have a direct connection with card schemes, they must comply with the requirements laid down in the Payment Card Industry Data Security Standards (PCI DSS) for collecting, processing, storing, and transmitting cardholder data in a secure environment. To prove their compliance, they must sign a Self-Assessment Questionnaire (SAQ) before they can start processing card payments. The questionnaire asks them to confirm the security of their cardholder data environment, which typically includes their website, web servers, and employees who can access them.
Depending on your user's sales channels, they must sign one or more SAQs. If you onboard your users using hosted onboarding, this is already part of the process. If you are building your own UI, you must generate required PCI SAQs, show these to your users, and ask them to sign.
The questionnaires that Adyen provides are simplified versions of the full SAQs. If multiple SAQs are required, Adyen provides all the questionnaires and your users will only need to sign once. You'll use the Legal Entity Management API to generate the required questionnaires and send the signed versions to Adyen.
Requirements
Make sure that you have:
- Created a legal entity for the main legal entity/user that has a contractual relationship with your platform and for the individual who will sign the PCI document.
- Created business lines for the main legal entity/for the organization for all the sales channels that they support. The salesChannels determine which and how many PCI documents must be signed.
- Created an account holder for your user.
Step 1: Confirm PCI requirements
When you create an account holder, certain capabilities are requested for them. To check whether your user must sign PCI documents, listen to balancePlatform.accountHolder.updated webhooks.
If your user is required to sign PCI forms, it is indicated in the verificationErrors
array.
Step 2: Generate the questionnaires
To generate simplified questionnaires, send a POST /legalEntities/{id}/pciQuestionnaires/generatePciTemplates request, specifying the legal entity id of the organization in the path.
You can change the language of the questionnaire from the default English by sending the request with language set to the two-character ISO 639-1 code of the desired language. For example, fr.
In the body of the request, you can specify the following:
Parameter | Required | Description |
---|---|---|
additionalSalesChannels | An array of additional sales channels to generate PCI questionnaires. Include the relevant sales channels if you need your user to sign PCI questionnaires. You do not need to provide these if you create stores and add payment methods for your user before you generate the questionnaires. |
The response returns the following information:
Parameter | Description |
---|---|
content | The generated questionnaire in a base64 encoded format. Decode the content with the Base64.Decoder class and present the questionnaires to your user. |
language | The language of the questionnaire. The default value is en. |
pciTemplateReferences | The array of Adyen-generated unique identifiers for the questionnaires. You must include this information in the signing request. |
Step 3: Present the questionnaires to your user
You need to ask your user to review and sign the questionnaires. When presenting them to your user in your website, you can render the documents using the Adyen Document Viewer.
Decode the documents before passing them to the Adyen Document Viewer.
const documentViewer = new AdyenDocumentViewer('#test');
const document = JSON.parse(decodeURIComponent(escape(window.atob(pciTemplateReferences.document))));
documentViewer.render(document);
Step 4: Sign the questionnaires
You must ask your user to declare that they comply with the scheme requirements by signing the generated questionnaires.
To sign the questionnaires, send a POST /legalEntities/{id}/pciQuestionnaires/signPciTemplates request, specifying the id of the main legal entity in the path.
In the body of the request, specify the following:
Parameter | Required | Description |
---|---|---|
signedBy | The legal entity id of the individual who signed the questionnaires. | |
pciTemplateReferences | The array of unique identifiers of the questionnaires. |
The request submits the legal entity ID of the individual who signed the simplified questionnaires and populates the formal PCI SAQ with the legal entity data.
The response returns an array of the unique identifiers of the signed SAQ documents.
Step 5: Get a list of signed SAQs
To retrieve a list of the documents signed by your user, send a GET /legalEntities/{id}/pciQuestionnaires request, specifying the id of the main legal entity in the path.
Step 6: Download a signed questionnaire
To download a signed SAQ, send a GET /legalEntities/{id}/pciQuestionnaires/{pciid} request, specifying the following parameters in the path:
Path parameter | Required | Description |
---|---|---|
id | The legal entity ID of the organization. | |
pciid | The ID of the signed questionnaire. |
The response returns the base64 encoded form of the signed document in PDF format in the content field. To present the document to your user, use the Base64.Decoder class.