PCI DSS 3.2: What you need to know

PCI DSS is a set of requirements to make sure companies that process, store, or transmit credit card information maintain a secure environment.

Every three years PCI DSS undergoes a major update. 

This is to provide clarification and more guidance about existing requirements. It's also an opportunity to introduce new requirements to help counter security threats.

In January 2015 PCI DSS 3.1 was introduced. Since then, version 3.1 has evolved into the version 3.2.

Here's what you need to know about PCI DSS 3.2 compliance.

Security image for PCI DSS

PCI DSS 3.2 is available now

If you're currently updating your PCI documents you'll need to switch to the latest version, 3.2.

Version 3.1 expired in October 2016 and we can't accept this older version.

How is PCI DSS 3.2 different from PCI DSS 3.1?

PCI DSS 3.2 consists of a limited set of new requirements. It also comes with clarifications and guidance for existing requirements. 

You can find more information in our PCI DSS 3.2 compliance guide, or on the PCI Council website.

How do you become PCI DSS 3.2 compliant?

If you're not an Adyen customer, download the PCI Council’s Getting Started Guide or Quick Reference Guide. If you're an Adyen customer, read on.

PCI DSS compliance is split into a few levels, with different requirements for each one. The level you're on depends on your annual card transaction volume and card acceptance channel(s).

For most levels, you need to complete a self-assessment questionnaire (SAQ) each year.

This consists of a series of yes/no questions about your security posture and practices. It also gives you some flexibility depending on the complexity of your business.

For Adyen's integrations, the SAQ requirements you must act on are as follows:

Do you use Adyen Direct API?

With the Direct API solution, you need to be fully PCI DSS compliant at Level 1 or 2. This will depend on the volume of card transactions you process. So you'll need to:

You're using Adyen CSE. Why are you required to use SAQ A v3.2?

One of the aims of PCI DSS 3.2 is to ensure that encrypted payment data is sent to Adyen, and no one else.

Since the encryption key that's provided by Adyen to the CSE merchant cannot be used to decrypt the cardholder data, and the decryption key is never available to the merchant or the shopper, the primary concern is to ensure the integrity of the merchant website's assets (including contents and codes) and not to protect cardholder data which is never available there as all cardholder data functions are outsourced. 

What are the consequences of non-compliance with PCI DSS?

The card schemes manage the enforcement PCI DSS compliance and all associated fees. And if you're found to be non-compliant you might face ongoing fines.

On top of that, you'll be subject to further fines and legal actions if a breach occurs. This could lead to immediate termination of your ability to accept card payments.

Important: Whatever your Adyen integration is, you must be PCI compliant at all times.

Can you fully outsource compliance to a third party such as a payment service provider?

No. It's always your responsibility to make sure your service provider is compliant.  That said, different connections need different levels of compliance responsibilities as outlined above.


Sign up for the newsletter

By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.


Are you looking for test card numbers?

Would you like to contact support?