PCI DSS 3.2: What you need to know


Post updated: February 4, 2020

Disclaimer: Please note the information provided in this blog post is no longer valid. For updated information about PCI, please visit our PCI DSS compliance guide on our documentation website.


Every three years PCI DSS undergoes a major update. This is to provide clarification and more guidance about existing requirements. It's also an opportunity to introduce new requirements to help counter security threats.

In January 2015 PCI DSS 3.1 was introduced. Since then, version 3.1 has evolved into version 3.2. Here's what you need to know about PCI DSS 3.2 compliance.

How is PCI DSS 3.2 different from PCI DSS 3.1?

PCI DSS 3.2 consists of a limited set of new requirements. It also comes with clarifications and guidance for existing requirements. You can find more information in our PCI DSS 3.2 compliance guide, or on the PCI Council website.

How do you become PCI DSS 3.2 compliant?

If you're not an Adyen customer, download the PCI Council’s Getting Started Guide or Quick Reference Guide. If you're an Adyen customer, read on.

PCI DSS compliance is split into a few levels, with different requirements for each one. The level you're on depends on your annual card transaction volume and card acceptance channel(s). For most levels, you need to complete a self-assessment questionnaire (SAQ) each year.

This consists of a series of yes/no questions about your security posture and practices. It also gives you some flexibility depending on the complexity of your business.

Do you use Adyen Direct API?

With the Direct API solution, you need to be fully PCI DSS compliant at Level 1 or 2. This will depend on the volume of card transactions you process.

You're using Adyen CSE. Why are you required to use SAQ A v3.2?

One aim of PCI DSS 3.0 is to ensure that the encrypted payment data sent by the shopper's browser goes to the Adyen payment platform and not to another recipient. The encryption key that Adyen provides to the CSE merchant cannot be used to decrypt the cardholder data, and the decryption key is never available to the merchant or the shopper, so cardholder data never becomes readable within the merchant's environment; that is why SAQ A is the applicable questionnaire.

What are the consequences of non-compliance with PCI DSS?

The card schemes manage the enforcement of PCI DSS compliance and all associated fees. If you're found to be non-compliant you might face ongoing fines. On top of that, you'll be subject to further fines and legal actions if a breach occurs. This could lead to immediate termination of your ability to accept card payments.

Can you fully outsource compliance to a third party such as a payment service provider?

No. It's always your responsibility to make sure your service provider is compliant. That said, different connections need different levels of compliance responsibilities as outlined above.

Important to note: Whatever your Adyen integration is, you must be PCI compliant at all times.
