Malicious actors might target your integration with Adyen to steal cardholder data. To protect your data, and that of your customers, make sure that you implement the security measures described on this page.
Customer Area accounts
To keep your Customer Area accounts safe:
- Make sure that people in your organization use strong passwords.
- Enable two-factor authentication, to prevent unauthorized users from logging in.
- Don't give users more permissions than they need to perform their tasks.
- When creating a user, define trusted IP addresses from which the user can log in.
Online payments integration
Most online attacks are related to security flaws in your checkout or payment pages. The security of your own webpages and apps is your own responsibility, as Adyen has limited capabilities to prevent attacks in these environments. Read more about your responsibilities, and those of Adyen, in our PCI DSS compliance guide.
Attackers might try to forge or steal login credentials to gain access to your system environment. Some well-known techniques to do so are:
- Brute-forcing weak passwords
- Phishing or other social engineering techniques
- Exploiting weak or broken authentication on admin pages
Exploiting vulnerable components
If your webpage contains vulnerable components, attackers might be able to execute code or exfiltrate data, for example through:
- Cross-Site Scripting (XSS)
- SQL Injection
Web components that you load from external services can also be vulnerable to attacks. Other third-party service providers in your stack or supply chain can also be a point of entry into your systems.
Card data exfiltration
Attackers can steal card data in different ways, for example:
- Changing the destination of a payment redirect to collect card data. The shopper is then redirected back to your website.
- Placing overlays over iframes and collecting card data before the payment is made.
- Manipulating the checkout page with malicious code, for example through keyboard capturing.
Mitigating online payment risks
Implementing basic security measures can reduce risks significantly. Some important security measures are outlined below.
User Account Management
- Replace vendor-supplied usernames and passwords.
- Prevent shared accounts.
- Prevent brute-force attacks, for example by blocking the session after an incorrect password is entered five times.
- Keep systems and software updated with latest security patches.
- Read and implement security recommendations given by your e-commerce or website provider.
Software Development Lifecycle Management (SDLC)
- Take security best practices into account in the design, development and testing phases of your development lifecycle.
- Review changes to your payment pages and related source code. Set up continuous monitoring to detect and respond to unexpected changes.
- Manage supply-chain risks to identify, handle, and prevent attacks through third-party suppliers.
- Make sure that your returnUrl cannot be easily tampered with. For example, you should not generate the returnUrl on a system that is publicly accessible. Automatically validate the host part of the URL before including it in your API request.
- When using Web Drop-in/Components, implement Subresource Integrity hashes.
- Implement Content Security Policy (CSP) to prevent attacks such as Cross-Site Scripting and data injection attacks. When implementing CSP, specify the following directives, depending on which payment methods you are accepting through Adyen:
script-src: https://*.adyen.com
style-src: https://*.adyen.com
img-src: https://*.adyen.com
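Host validation for the returnUrl described above, as an added example that is not Adyen's code: it accepts only https URLs whose parsed hostname exactly matches an allowlist of your own hosts, and refuses to build the /payments request body otherwise. The hostnames, the allowlist and the helper names are constructed for this example.

```javascript
// Added example (not Adyen's code): validate a returnUrl's host against an
// allowlist of your own hostnames before it goes into a /payments request.
// The hostnames below are constructed placeholders.
const ALLOWED_RETURN_HOSTS = new Set(['shop.example.com', 'checkout.example.com']);

/**
 * Returns the normalised returnUrl when it points at one of our own hosts over
 * https, otherwise null. The comparison is on the parsed hostname, so inputs
 * such as "https://shop.example.com@evil.example/" (userinfo) or
 * "https://shop.example.com.evil.example/" (suffix trick) do not pass.
 */
function validateReturnUrl(candidate) {
  let url;
  try {
    url = new URL(String(candidate)); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;              // no plaintext or custom schemes
  if (url.username || url.password) return null;            // no userinfo smuggling
  if (url.port !== '') return null;                         // default port only
  if (!ALLOWED_RETURN_HOSTS.has(url.hostname)) return null; // exact match, not suffix match
  return url.href;
}

/**
 * Builds the part of a /payments request body that carries the returnUrl.
 * Throws instead of sending a request whose redirect target we do not control.
 */
function buildPaymentRequest(shopperReturnUrl, reference) {
  const returnUrl = validateReturnUrl(shopperReturnUrl);
  if (returnUrl === null) {
    throw new Error(`refusing to use untrusted returnUrl: ${shopperReturnUrl}`);
  }
  return { reference, returnUrl };
}
```

Run the validation on the server that assembles the API request, not in the browser, so a shopper cannot bypass it by editing client-side code.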
Point of sale integration
The risks of a Point of sale integration concern the payment terminals themselves. To keep the data of your customers safe, make sure that malicious actors cannot access your payment terminals. If you're using our Point-to-Point Encryption (P2PE) solution, you must additionally implement all the requirements in the P2PE Instruction Manual (PIM).
Mitigating point of sale risks
- Regularly inspect your payment terminals to make sure they have not been tampered with.
- Maintain an inventory of active and inactive terminals, and review it regularly.
- Place the terminals in a monitored environment, both during and outside of business hours. Be aware of suspicious activity around the terminal.
- Train your store personnel to instruct customers to hide their PIN while entering it on the payment terminal.
- Make sure that the location of the payment terminal does not allow the PIN to be observed while the customer is entering it. Pay special attention to nearby reflective surfaces, cameras, and the position of the cashier with respect to the payment terminal.
- Verify the identity of anyone who requests access to the terminal, for example individuals claiming to be repair or maintenance personnel. Verify whether maintenance is planned.
- Update the terminals to the latest software as soon as possible. We strongly suggest you configure automatic updating.
There are many other public frameworks and guidelines that can help you secure your business, for example following secure coding practices and assessing your security posture against reputable maturity frameworks. We recommend the following external resources to learn more: