Every three years PCI DSS undergoes a major update.
This is to provide clarification and more guidance about existing requirements. It's also an opportunity to introduce new requirements to help counter security threats.
In January 2015 PCI DSS 3.1 was introduced. Since then, version 3.1 has evolved into version 3.2.
Here's what you need to know about PCI DSS 3.2 compliance.
If you're currently updating your PCI documents you'll need to switch to the latest version, 3.2.
Version 3.1 expired in October 2016 and we can't accept this older version.
PCI DSS 3.2 consists of a limited set of new requirements. It also comes with clarifications and guidance for existing requirements.
PCI DSS compliance is split into a few levels, with different requirements for each one. The level you're on depends on your annual card transaction volume and card acceptance channel(s).
For most levels, you need to complete a self-assessment questionnaire (SAQ) each year.
This consists of a series of yes/no questions about your security posture and practices. It also gives you some flexibility depending on the complexity of your business.
For Adyen's integrations, the SAQ requirements you must act on are as follows:
With the Direct API solution, you need to be fully PCI DSS compliant at Level 1 or 2. This will depend on the volume of card transactions you process. So you'll need to:
One of the aims of PCI DSS 3.2 is to ensure that encrypted payment data is sent to Adyen, and no one else.
The encryption key that Adyen provides to a CSE merchant cannot be used to decrypt cardholder data, and the decryption key is never available to the merchant or the shopper. The primary concern is therefore the integrity of the merchant website's assets (including content and code), not the protection of cardholder data, which is never available there because all cardholder data functions are outsourced.
The card schemes manage the enforcement of PCI DSS compliance and all associated fees. If you're found to be non-compliant you might face ongoing fines.
On top of that, you'll be subject to further fines and legal actions if a breach occurs. This could lead to immediate termination of your ability to accept card payments.
Important: Whatever your Adyen integration is, you must be PCI compliant at all times.
No. It's always your responsibility to make sure your service provider is compliant. That said, different connections need different levels of compliance responsibilities as outlined above.