All You Need to Know About PCI DSS 3.0 Compliance

PCI DSS is a set of requirements to make sure companies that process, store, or transmit credit card information maintain a secure environment.

Every three years, the PCI DSS is updated in consultation with industry stakeholders. The purpose of these updates is to provide clarification and additional guidance regarding existing requirements, and introduce new requirements that help counter emerging security threats.

On January 1, 2014, the most recent update, PCI DSS 3.0, was introduced, with a one-year window in which merchants were required to be compliant. Therefore, from January 1, 2015, any company that stores, processes, or transmits credit card information must be compliant with PCI DSS 3.0.

This post and accompanying download is designed to give you the key information you need to know surrounding PCI DSS 3.0 compliance.

How does PCI DSS 3.0 differ from PCI DSS 2.0?

There are 98 changes with PCI DSS 3.0, however, only about 20% are new requirements, with most of the rest either clarifications or additional guidance regarding existing requirements. Further information on differences can be found in the download at the bottom of this page, or at the PCI Council website.

How do we become PCI DSS 3.0 compliant?

If you do not use the Adyen payment platform, you can download the PCI Council’s Getting Started Guide and/or Quick Reference Guide. If you do use the Adyen payment platform, please read on.

PCI DSS compliance is split into a number of levels, with different requirements for each level.  Which level you are on depends on your Adyen integration type.

For most levels/integrations, merchants are simply required to complete a self-assessment questionnaire (SAQ). These documents include a series of yes/no questions about your security posture and practices, and it allows for some flexibility based on the complexity of a particular business situation. For the key Adyen integrations, the SAQ requirements are as follows:

  • Adyen Hosted Payment Page: With the Adyen HPP solution, merchants outsource all payment processing to Adyen, therefore we (still) do not ask you to complete any self-assessment questionnaire.
  • Adyen Client-Side Encryption: With the Adyen CSE solution, merchants will need to fill out an SAQ A v3.0.
  • Adyen Point-of-Sale or mPOS: With the Adyen POS solution, merchants need to fill out an SAC B-IP v3.0 since January 1, 2015.

We use the Adyen Direct API. How do we become PCI DSS 3.0 compliant?

With the Direct API solution, merchants are required to be PCI DSS compliant at Level 1 or 2, depending on the volume of transactions you process. This means you need to a) fill out SAQ D v3.0 and b) submit to a quarterly network scan by an Approved Scanning Vendor, which includes an on-site visit by a Qualified Security Assessor.

We use Adyen CSE. Why are we now required to use SAQ A v3.0?

An aim of the PCI DSS 3.0 is to ensure that the browser that sends the encrypted payment data is securely sent to the Adyen payment platform (and not another recipient). Since the encryption key that is provided by Adyen to the CSE merchant cannot be used to decrypt the Cardholder Data, and the decryption key is never available to the merchant or the shopper, the primary concern is to ensure the integrity of the merchant website’s assets and not to protect Cardholder Data, which is never available there as all Cardholder Data functions are outsourced. Adyen does offer the option of hosted CSE Java script where the merchant requires this to avoid even having the encryption keys in their environment.

What are the consequences of non-compliance with PCI DSS?

Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual card schemes, however, if a merchant is found to be non-compliant they can be levied ongoing large fines. Additionally, they are susceptible to further fines and legal action if a breach occurs, and can lead to immediate termination of your ability to accept card payments.

Can we outsource compliance to a third party such as our payment service provider?

No. It is always the merchant’s responsibility to make sure their third party service provider (according to PCI definitions) is PCI DSS 3.0 compliant. Having said that, different connections require different levels of compliance responsibility as outlined above.

How can I find out more?

You can download the Adyen PCI DSS 3.0 Compliance Guide at the link below, or if you are an Adyen customer, by getting in touch with your account manager.


Sign up for the newsletter

By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.


Are you looking for test card numbers?

Would you like to contact support?