The information in this page is for guidance only. It is not a complete list of all security measures you should take, and should not be taken as definitive advice.
Attackers can try to steal card data by exploiting weaknesses in your systems. To protect your data, and that of your customers, make sure that you implement the security measures described on this page.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description |
|---|---|
| Integration type | The information on this page is relevant for all Adyen integrations with online payments or in-person payments. |
Protect your online payments integration
Most online attacks are related to security flaws in your checkout or payment pages. The security of your own webpages and apps is your responsibility, because Adyen has limited ability to prevent attacks in environments we do not control.
- Read more about your responsibilities, and those of Adyen, in our PCI DSS compliance guide.
- To make sure you grant access to your webpages and apps securely, check our guidance for identity and access management.
Third-party components
If you have vulnerable third-party components (scripts) in your webpage, attackers might be able to steal data in various ways, for example by making your website execute their own code.
- The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 includes requirements related to script security in ecommerce. To help you comply with these requirements, we have several script security recommendations.
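The following is an added example, not Adyen's code or part of its script security recommendations: a small audit that lists the external scripts on a checkout page, checks each against an approved script inventory, and verifies its Subresource Integrity (SRI) hash against the reviewed script body. The sample page, script bodies, URLs and the `APPROVED` inventory are all constructed for the example; the helper names are hypothetical. It shows the three findings a defender cares about for third-party scripts: a script nobody authorised, a script with no integrity attribute (so the browser cannot detect tampering), and a script whose served content no longer matches what was reviewed.

```python
# Added example (not Adyen's code): audit <script> tags on a checkout page
# against an approved inventory and verify their SRI integrity values.
# All URLs, script bodies and HTML below are constructed sample data.
import base64
import hashlib
import re

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. "sha384-<base64 digest>", for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def extract_scripts(html: str) -> list[dict]:
    """List external <script> tags as {'src': ..., 'integrity': ...}; inline scripts are skipped."""
    scripts = []
    for m in _SCRIPT_TAG.finditer(html):
        attrs = dict(_ATTR.findall(m.group(1)))
        if "src" in attrs:
            scripts.append({"src": attrs["src"], "integrity": attrs.get("integrity")})
    return scripts

def audit_scripts(html: str, inventory: dict[str, bytes]) -> dict[str, str]:
    """Classify every external script on the page.

    `inventory` maps each authorised script URL to the script body that was
    reviewed and approved (PCI DSS v4.0.1 requirement 6.4.3 expects an
    inventory of, and justification for, every script on the payment page).
    """
    findings = {}
    for s in extract_scripts(html):
        src, integrity = s["src"], s["integrity"]
        if src not in inventory:
            findings[src] = "not-in-inventory"     # unknown script: investigate
        elif integrity is None:
            findings[src] = "missing-integrity"    # browser cannot detect tampering
        elif sri_hash(inventory[src]) not in integrity.split():
            findings[src] = "integrity-mismatch"   # served content differs from reviewed body
        else:
            findings[src] = "ok"
    return findings

# Constructed inventory: approved script URLs and the exact bodies that were reviewed.
APPROVED = {
    "https://cdn.example.test/checkout.js": b"window.Checkout = function () {};",
    "https://cdn.example.test/fraud.js": b"window.fraudSignals = [];",
    "https://analytics.example.test/track.js": b"console.log('track');",
}

# Constructed checkout page: one correct script, one stale hash, one without
# integrity, one script that is not in the inventory at all, and one inline script.
SAMPLE_HTML = f"""
<html><head>
<script src="https://cdn.example.test/checkout.js"
        integrity="{sri_hash(APPROVED['https://cdn.example.test/checkout.js'])}"
        crossorigin="anonymous"></script>
<script src="https://cdn.example.test/fraud.js"
        integrity="sha384-stale-hash-from-previous-version"></script>
<script src="https://analytics.example.test/track.js"></script>
<script src="https://unknown.example.test/inject.js" integrity="sha384-x"></script>
<script>window.inlineConfig = {{}};</script>
</head></html>
"""

if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML, APPROVED).items():
        print(f"{finding:20} {src}")
```

Run the audit against the served HTML of the payment page on a schedule and alert on anything other than `ok`; a `not-in-inventory` finding on a checkout page is exactly the signal that a script was added without review.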
Protect your in-person payments integration
Security risks with in-person payments relate to the payment terminals themselves: physical tampering with a terminal, or replacing a terminal with a tampered one.
- Maintain an inventory of active and inactive terminals, and review it regularly. See the point-of-sale documentation for what to do when a payment terminal is lost or stolen.
- Update your terminals to the latest software as soon as possible. We strongly suggest you use automatic updating.
- Read the PCI SSC guide on skimming prevention, which explains all forms of skimming, risk profiles, and the impact of skimming. It covers all the points listed below in depth.
Prevent tampering
To keep the data of your customers safe, make sure that malicious actors cannot access your payment terminals.
- Place the terminals in a monitored environment, both during and outside of business hours. Be aware of suspicious activity around the terminal.
- Inspect your payment terminals to make sure they have not been tampered with. You must do this when you receive a new terminal, and at regular intervals afterwards.
- Verify the identity of anyone who requests access to the terminal, for example individuals claiming to be repair or maintenance personnel. Adyen terminal maintenance staff will never arrive without prior arrangement, so check that maintenance is planned.
In-store measures
- Make sure that the location of the payment terminal does not allow the PIN to be observed while the customer is entering it. Pay special attention to reflective surfaces nearby, cameras, or the position of the cashier with respect to the payment terminal.
- Train your staff to instruct customers to hide their PIN while entering it on the payment terminal.
Point-to-point encryption
If you are using our Point-to-Point Encryption (P2PE) solution, implement all the advice described above. You must also implement all the requirements in the P2PE Instruction Manual (PIM).