Post updated: February 4, 2020
Every three years PCI DSS undergoes a major update. Each update clarifies existing requirements and adds guidance on them, and it is also an opportunity to introduce new requirements that counter emerging security threats.
In January 2015 PCI DSS 3.1 was introduced. Since then, version 3.1 has evolved into version 3.2. Here's what you need to know about PCI DSS 3.2 compliance.
How is PCI DSS 3.2 different from PCI DSS 3.1?
How do you become PCI DSS 3.2 compliant?
PCI DSS compliance is split into a few levels, with different requirements for each one. The level you're on depends on your annual card transaction volume and card acceptance channel(s). For most levels, you need to complete a self-assessment questionnaire (SAQ) each year.
This consists of a series of yes/no questions about your security posture and practices. It also gives you some flexibility depending on the complexity of your business.
Do you use Adyen Direct API?
With the Direct API solution, you need to be fully PCI DSS compliant at Level 1 or 2. This will depend on the volume of card transactions you process.
You're using Adyen CSE. Why are you required to use SAQ A v3.2?
An aim of PCI DSS 3.0 is to ensure that the encrypted payment data the shopper's browser sends is delivered securely to the Adyen payment platform and not to another recipient. The encryption key that Adyen provides to the CSE merchant cannot be used to decrypt the cardholder data, and the decryption key is never available to the merchant or the shopper.
What are the consequences of non-compliance with PCI DSS?
The card schemes manage the enforcement of PCI DSS compliance and all associated fees. If you're found to be non-compliant you might face ongoing fines. On top of that, you'll be subject to further fines and legal actions if a breach occurs. This could lead to immediate termination of your ability to accept card payments.
Can you fully outsource compliance to a third party such as a payment service provider?
No. It's always your responsibility to make sure your service provider is compliant. That said, different integration types carry different levels of compliance responsibility, as outlined above.
Important to note: Whatever your Adyen integration is, you must be PCI compliant at all times.