This page discusses various topics related to the security of the Mobile solutions, such as:
- Built-in security of the solutions.
- Security practices you should follow.
- Your role with regard to compliance with security standards.
Security of the solution
Payments made with the Mobile SDK are protected in several ways:
- Payment details that are read from the customer's payment method (card or digital wallet) are not kept locally on the phone or other mobile device.
- The Mobile SDK sends and receives only encrypted payment messages.
- In addition to encryption, the solutions are secured in multiple other ways, such as code obfuscation and monitoring and attestation of the OS, device, application, and SDK.
- The card reader is a PCI PTS-approved Secure Card Reader (SCR). When using the card reader as the payment interface, the payment details are encrypted immediately.
Security best practices
To keep the solution secure, you must:
- Keep your Adyen API keys secret and store them securely on your server.
- Never make requests to Adyen APIs directly from the POS app installed on the mobile device. Route them through your server, so that no API key is ever present on the device.
- Set up a device passcode on the devices used in your mobile solution.
In addition, you should adhere to the following best practices:
- Follow the guidelines in our Integration security guide.
- Establish secure communication between your server and your POS app, using mutual authentication such as mTLS. It is vital to prevent bad actors from modifying Terminal API transaction requests sent from your server to your app.
- Implement user authentication in your POS app, such as a login feature, to ensure that only trusted users can operate the app.
- Keep the Mobile SDK updated to the latest version. After a short grace period, transaction requests made with an older SDK version are rejected.
- Keep the Mobile SDK files secure: only get SDK files directly from trusted Adyen sources; when possible, validate the integrity of the SDK files; do not share SDK files with third parties.
- Keep the operating system on your mobile device updated to the latest version and the latest security patch.
- For internal development and testing, use only the TEST version of the SDK.
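The three rules above (API keys only on your server, no direct Adyen calls from the app, mutual authentication between server and app) fit together as one design. The following is an added example, not Adyen code: a minimal backend that holds a placeholder API key and accepts a constructed Terminal API-style request only from a POS app that presents a client certificate issued by the merchant's private CA, while the app in turn trusts only that CA. The hostname pos-backend.local, the certificate names, the API key value and the request body are assumptions; the certificates are issued in-process with the third-party cryptography package so the script runs offline, whereas in production they would come from your own PKI.

```python
# Added example: mutual TLS between the merchant backend and the POS app (not Adyen code).
import datetime as dt
import json
import queue
import socket
import ssl
import tempfile
import threading
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ADYEN_API_KEY = "AQE...placeholder"   # constructed value; it exists on the backend only
BACKEND_NAME = "pos-backend.local"    # hypothetical hostname; must match the backend cert SAN

def make_cert(name, issuer_key=None, issuer_name=None, is_ca=False):
    """(key, cert) for `name`: a self-signed CA, or a leaf signed by the issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = dt.datetime.now(dt.timezone.utc)
    ku = x509.KeyUsage(digital_signature=not is_ca, content_commitment=False, key_encipherment=False,
                       data_encipherment=False, key_agreement=False, key_cert_sign=is_ca, crl_sign=is_ca,
                       encipher_only=False, decipher_only=False)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name or subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
               .add_extension(ku, critical=True)
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if issuer_key is not None:  # leaf: give it a SAN and link it to the issuing CA
        builder = (builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False)
                   .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
                                  critical=False))
    return key, builder.sign(issuer_key or key, hashes.SHA256())

def write_pem(directory, label, key, cert):
    """Write key and certificate as PEM files; return (key_path, cert_path)."""
    key_path, crt_path = Path(directory, label + ".key"), Path(directory, label + ".crt")
    key_path.write_bytes(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                           serialization.NoEncryption()))
    crt_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return str(key_path), str(crt_path)

def serve_backend(ca_crt, srv_key, srv_crt, port_out, rejections, connections=2):
    """Backend side: serve `connections` sessions, each requiring a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(srv_crt, srv_key)
    ctx.load_verify_locations(ca_crt)     # trust only certificates issued by our private CA
    ctx.verify_mode = ssl.CERT_REQUIRED   # the app MUST present one of them
    with socket.create_server(("127.0.0.1", 0)) as listener:
        port_out.put(listener.getsockname()[1])
        for _ in range(connections):
            conn, _addr = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    app_id = tls.getpeercert()["subject"][0][0][1]   # CN of the verified app cert
                    request = json.loads(tls.recv(4096))
                    # Only here would the request go on to Adyen, with ADYEN_API_KEY in the
                    # X-API-Key header; the app never holds the key and never talks to Adyen.
                    reply = {"status": "ok", "authenticated_app": app_id,
                             "service_id": request["ServiceID"]}
                    tls.sendall(json.dumps(reply).encode())
            except OSError as exc:        # ssl.SSLError is an OSError: handshake refused
                rejections.append(type(exc).__name__)

def pos_app_request(port, ca_crt, app_key=None, app_crt=None):
    """App side: send a constructed Terminal API-style request over mTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(ca_crt)               # trust only the private CA, not the system store
    if app_crt:
        ctx.load_cert_chain(app_crt, app_key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
             ctx.wrap_socket(raw, server_hostname=BACKEND_NAME) as tls:
            tls.sendall(json.dumps({"ServiceID": "1234567890", "Amount": 10.00}).encode())
            reply = tls.recv(4096)
    except OSError as exc:   # handshake, or the first read after it, refused by the backend
        return {"status": "rejected", "reason": type(exc).__name__}
    return json.loads(reply) if reply else {"status": "rejected", "reason": "closed"}

def run_demo():
    """Issue CA, backend and app certificates, then connect with and without the app cert."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_key, ca_cert = make_cert("pos-private-ca", is_ca=True)
        srv = make_cert(BACKEND_NAME, ca_key, ca_cert.subject)
        app = make_cert("pos-app-001", ca_key, ca_cert.subject)
        _, ca_crt = write_pem(tmp, "ca", ca_key, ca_cert)
        port_out, rejections = queue.Queue(), []
        server = threading.Thread(target=serve_backend, daemon=True,
                                  args=(ca_crt, *write_pem(tmp, "backend", *srv), port_out, rejections))
        server.start()
        port = port_out.get(timeout=5)
        with_cert = pos_app_request(port, ca_crt, *write_pem(tmp, "app", *app))
        without_cert = pos_app_request(port, ca_crt)
        server.join(timeout=5)
    return {"with_cert": with_cert, "without_cert": without_cert,
            "backend_rejections": len(rejections)}
```

Calling run_demo() returns the backend's reply for the app that presents its certificate and a rejection for the same app without one. With TLS 1.3 the rejection can surface on the app's first read rather than during the handshake itself, which is why the app treats both the same way. Authenticating the channel in both directions is what keeps the Terminal API request intact between your server and the app, and the server remains the only party that ever adds the X-API-Key header.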
Wi-Fi security best practices
The security settings of the Wi-Fi network define the type of authentication and encryption used by your router or access point, and the level of privacy protection for data transmitted over its network.
To help ensure that your devices can connect securely and reliably to your network, apply the following security settings to each Wi-Fi router and access point:
- Set the security mode to WPA3, WPA2/WPA3, or WPA2.
- Set a strong password for joining the network.
Insecure Wi-Fi settings
Do not use the Mobile SDK on a network that uses older, deprecated security protocols. The SDK shows a security warning and cancels the transaction when it detects insecure settings such as:
- WPA/WPA2 mixed modes
- WPA Personal
- WEP, including WEP Open, WEP Shared, WEP Transitional Security Network, or Dynamic WEP (WEP with 802.1X)
- TKIP, including any security setting with TKIP in the name
- Settings that turn off security, such as None, Open, or Unsecured. Turning off security disables authentication and encryption. This is a risk even if security is turned off temporarily or for a guest network.
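The allowed and insecure settings above can be checked before a shift, on the device or from a fleet-management script, rather than discovered when the SDK cancels a transaction. The following is an added example and not part of the Adyen documentation or SDK: it classifies rows in the terse nmcli scan format (`nmcli -t -f SSID,SECURITY,RSN-FLAGS,WPA-FLAGS dev wifi`) against the rules above and, going slightly beyond the list, also flags any mode outside WPA2/WPA3 (such as OWE) instead of assuming it is safe. The scan rows are constructed, and the flag names are an assumption modelled on NetworkManager's output rather than captured data.

```python
# Added example: audit a Wi-Fi scan against the SDK's allowed and insecure settings.

# Constructed scan output in nmcli's terse format: SSID:SECURITY:RSN-FLAGS:WPA-FLAGS.
# Flag names are assumed to follow NetworkManager's conventions (pair_ccmp, group_tkip, psk, sae, ...).
SAMPLE_SCAN = """\
ShopFloor-5G:WPA3:pair_ccmp group_ccmp sae:(none)
ShopFloor:WPA2 WPA3:pair_ccmp group_ccmp psk sae:(none)
BackOffice:WPA2 802.1X:pair_ccmp group_ccmp 802.1X:(none)
Legacy-AP:WPA1 WPA2:pair_ccmp pair_tkip group_tkip psk:pair_tkip group_tkip psk
OldRouter:WPA1:(none):pair_tkip group_tkip psk
Warehouse:WEP:(none):(none)
Dyn-WEP:WEP 802.1X:pair_wep104 group_wep104 802.1X:(none)
Guest:--:(none):(none)
"""

ALLOWED_MODES = {"WPA2", "WPA3", "802.1X"}   # WPA2 or WPA3, optionally with enterprise (802.1X) auth


def _flags(field):
    """Turn a flag column into a set of lower-case flag names ('(none)' or '' -> empty set)."""
    return set() if field.strip() in ("", "(none)") else set(field.lower().split())


def classify(security, rsn_flags="", wpa_flags=""):
    """Return the reasons the SDK would refuse this network; an empty list means allowed."""
    modes = set(security.split())
    flags = _flags(rsn_flags) | _flags(wpa_flags)
    if not modes or modes == {"--"}:            # nmcli shows '--' when security is turned off
        return ["security turned off (None/Open/Unsecured)"]
    reasons = []
    if "WEP" in modes or any("wep" in f for f in flags):      # static and Dynamic (802.1X) WEP
        reasons.append("WEP (including Dynamic WEP with 802.1X)")
    if any("tkip" in f for f in flags):                       # TKIP as pairwise or group cipher
        reasons.append("TKIP cipher")
    if "WPA1" in modes:                                       # WPA alone, or WPA/WPA2 mixed mode
        reasons.append("WPA/WPA2 mixed mode" if "WPA2" in modes else "WPA Personal")
    if not reasons and not (modes <= ALLOWED_MODES and modes & {"WPA2", "WPA3"}):
        reasons.append("mode not in the allowed set: " + security)   # e.g. OWE: not on the list
    return reasons


def audit_scan(scan_text):
    """Map SSID -> list of reasons for every row of a terse nmcli-style scan."""
    results = {}
    for line in scan_text.splitlines():
        ssid, security, rsn, wpa = line.split(":", 3)
        results[ssid] = classify(security, rsn, wpa)
    return results


if __name__ == "__main__":
    for ssid, reasons in audit_scan(SAMPLE_SCAN).items():
        print(f"{ssid:14} {'ALLOWED' if not reasons else 'INSECURE: ' + '; '.join(reasons)}")
```

The checks are cumulative, so a mixed-mode access point that also offers TKIP is reported for both, which matches what an administrator has to fix on the router: select WPA2 or WPA3 only and leave TKIP disabled.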
Device passcode
To enhance security and protect against unauthorized refunds, we strongly recommend setting a screen lock passcode on your Android devices.
PCI DSS compliance requirements
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security requirements created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment.
To use an Adyen Tap to Pay or Card reader solution, PCI DSS requires that you complete the v4.0 Self-Assessment Questionnaire B-IP (SAQ B-IP), requirements 9.9 and 12. Requirement 9.9 covers the physical security of the mobile devices: personnel who interact with card-present devices on a day-to-day basis should be trained to recognize attempted tampering with or replacement of devices.
For more information, see our PCI DSS compliance guide.