Every three years, the PCI DSS is updated in consultation with industry stakeholders. The purpose of these updates is to provide clarification and additional guidance regarding existing requirements, and introduce new requirements that help counter emerging security threats.
On January 1, 2014, the most recent update, PCI DSS 3.0, was introduced, with a one-year window in which merchants were required to be compliant. Therefore, from January 1, 2015, any company that stores, processes, or transmits credit card information must be compliant with PCI DSS 3.0.
This post and the accompanying download are designed to give you the key information you need to know about PCI DSS 3.0 compliance.
There are 98 changes in PCI DSS 3.0; however, only about 20% are new requirements, with most of the rest being clarifications or additional guidance on existing requirements. Further information on the differences can be found in the download at the bottom of this page, or on the PCI Council website.
If you do not use the Adyen payment platform, you can download the PCI Council’s Getting Started Guide and/or Quick Reference Guide. If you do use the Adyen payment platform, please read on.
For most levels/integrations, merchants are simply required to complete a self-assessment questionnaire (SAQ). These documents consist of a series of yes/no questions about your security posture and practices, and they allow some flexibility depending on the complexity of a particular business situation. For the key Adyen integrations, the SAQ requirements are as follows:
With the Direct API solution, merchants are required to be PCI DSS compliant at Level 1 or 2, depending on the volume of transactions they process. This means you need to a) complete SAQ D v3.0 and b) submit to a quarterly network scan by an Approved Scanning Vendor, which includes an on-site visit by a Qualified Security Assessor.
One aim of PCI DSS 3.0 is to ensure that the encrypted payment data sent by the shopper's browser is securely delivered to the Adyen payment platform (and not to another recipient). With Client-Side Encryption (CSE), the encryption key that Adyen provides to the merchant cannot be used to decrypt the Cardholder Data, and the decryption key is never available to the merchant or the shopper. The primary concern is therefore to ensure the integrity of the merchant website's assets, not to protect Cardholder Data, which is never available there because all Cardholder Data functions are outsourced. Adyen also offers hosted CSE JavaScript for merchants that require it, so that even the encryption keys are kept out of their environment.
Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual card schemes; however, a merchant found to be non-compliant can be levied ongoing large fines. Additionally, they are susceptible to further fines and legal action if a breach occurs, and a breach can lead to immediate termination of the merchant's ability to accept card payments.
No. It is always the merchant's responsibility to make sure their third-party service provider (according to PCI definitions) is PCI DSS 3.0 compliant. Having said that, different connections carry different levels of compliance responsibility, as outlined above.
You can download the Adyen PCI DSS 3.0 Compliance Guide at the link below, or if you are an Adyen customer, by getting in touch with your account manager.