
Security of the iOS Mobile solutions

Learn about the security of the solutions, security best practices, and compliance with security standards.

This page discusses various topics related to the security of the Mobile solutions, such as:

  • Built-in security of the solutions.
  • Security practices you should follow.
  • Your role with regard to compliance with security standards.

Security of the solution

Payments made with the Mobile SDK are protected in the following ways:

  • Payment details that are read from the customer's payment method (card or digital wallet) are not kept locally on the phone or other mobile device.
  • The Mobile SDK sends and receives only encrypted payment messages.
  • In addition to encryption, the solutions are secured in multiple other ways, such as code obfuscation and monitoring and attestation of the OS, device, application, and SDK.
  • When using an iPhone as the payment interface for Tap to Pay on iPhone, transactions are encrypted and handled using Apple's Secure Element.
  • The card reader is a PCI PTS-approved Secure Card Reader (SCR). When using the card reader as the payment interface, the payment details are encrypted immediately.

Security best practices

To keep the solution secure, you must:

  • Keep your Adyen API keys secret and store them securely on your server.
  • Never make requests to Adyen APIs directly from the POS app that is installed on the mobile device.
  • Set up a device passcode on the devices used in your mobile solution.

In addition, you should adhere to the following best practices:

  • Follow the guidelines in our Integration security guide.
  • Establish secure communication between your server and your POS app, using mutual authentication like mTLS.
    It is vital to prevent bad actors from modifying Terminal API transaction requests sent from your server to your app.
  • Implement user authentication in your POS app, such as a login feature, to ensure only trusted users can operate the app.
  • Keep the Mobile SDK updated to the latest version. After a short grace period, we do not accept transaction requests made using an older SDK version.
  • Keep the Mobile SDK files secure: only get SDK files directly from trusted Adyen sources; when possible, validate the integrity of the SDK files; do not share SDK files with third parties.
  • Keep the operating system on your mobile device updated to the latest version and the latest security patch.
  • For internal development and testing, use only the TEST version of the SDK.
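The three server-side practices above (API key lives only on your server, the POS app never calls Adyen directly, app-to-server traffic is mutually authenticated with mTLS) fit together in one small backend. The following Go program is an added example, not Adyen code: it generates a private CA plus a server and an app certificate in memory, starts a loopback HTTPS server that requires a CA-issued client certificate, and then calls it twice, once as a genuine POS app and once as an impostor that trusts the server but cannot prove its own identity. The certificate names (`POS private CA`, `pos-app-device-42`), the `/terminal-api` path, the request body and the placeholder API key are all assumptions made for the demonstration; a real backend would build the Terminal API message from the app's request and forward it to Adyen with the key from here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// must panics on error; the only error sources in this demo are the system RNG and DER parsing.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert creates a P-256 key pair and certificate for cn. With parent == nil the
// certificate is self-signed and acts as the private CA; otherwise parent signs a leaf.
func issueCert(cn string, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	signerCert, signerKey := parent, parentKey
	if parent == nil { // self-signed root that both the backend and the app trust
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signerCert, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	cert := must(x509.ParseCertificate(der))
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// posBackend models the merchant server, the only party that holds the Adyen API key.
// The handler runs only after the TLS layer has verified the app's client certificate.
func posBackend(apiKey string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		app := r.TLS.PeerCertificates[0].Subject.CommonName // which POS app instance is calling
		// Build the Terminal API request from r.Body and call Adyen with "X-API-Key: <apiKey>" here; the key never leaves this server.
		fmt.Fprintf(w, "app=%s bytes=%d key_held=%t", app, r.ContentLength, apiKey != "")
	})
}

// Demo starts the mTLS backend, then calls it as a genuine app (CA-issued client cert) and as an impostor (no cert).
func Demo() (status int, reply string, impostorRejected bool, err error) {
	ca, caTLS := issueCert("POS private CA", nil, nil)
	_, srvTLS := issueCert("pos-backend", ca, caTLS.PrivateKey)
	_, appTLS := issueCert("pos-app-device-42", ca, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(posBackend("placeholder-not-a-real-key")) // hypothetical placeholder
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{srvTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mTLS: no CA-issued client cert, no session
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	call := func(cfg *tls.Config) (int, string, error) {
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
		resp, err := c.Post(srv.URL+"/terminal-api", "application/json", strings.NewReader(`{"SaleToPOIRequest":{}}`))
		if err != nil {
			return 0, "", err
		}
		defer resp.Body.Close()
		b, err := io.ReadAll(resp.Body)
		return resp.StatusCode, string(b), err
	}
	status, reply, err = call(&tls.Config{RootCAs: pool, Certificates: []tls.Certificate{appTLS}})
	_, _, impostorErr := call(&tls.Config{RootCAs: pool}) // trusts the server but cannot identify itself
	impostorRejected = impostorErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The genuine app gets a 200 with its certificate's common name echoed back; the impostor's request fails at the TLS layer before the handler ever runs, which is the property the best practice is after: a Terminal API request cannot be injected or altered by anyone who does not hold a certificate your CA issued. In production the client certificate and key must be provisioned per device and kept in the iOS keychain, and the CA private key stays off the devices entirely.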

PCI DSS compliance requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment.

To use an Adyen Tap to Pay or card reader solution, PCI DSS requires that you complete the v4.0 Self-Assessment Questionnaire B-IP (SAQ B-IP), requirements 9.9 and 12. Requirement 9.9 relates to the physical security of the mobile devices. Personnel who interact with card-present devices on a day-to-day basis should be trained to recognize attempted tampering with, or substitution of, those devices.

For more information, see our PCI DSS compliance guide.

See also