Every three years, the PCI DSS is updated in consultation with industry stakeholders. The purpose of these updates is to provide clarification and additional guidance regarding existing requirements, and introduce new requirements that help counter emerging security threats.
On January 1, 2014, the most recent update, PCI DSS 3.0, was introduced, with a one-year window in which merchants were required to be compliant. Therefore, from January 1, 2015, any company that stores, processes, or transmits credit card information must be compliant with PCI DSS 3.0.
How does PCI DSS 3.0 differ from PCI DSS 2.0?
There are 98 changes in PCI DSS 3.0; however, only about 20% are new requirements, with most of the rest being either clarifications or additional guidance regarding existing requirements.
PCI DSS compliance is split into a number of levels, with different requirements for each level. Which level you are on depends on your Adyen integration type.
For most levels/integrations, merchants are simply required to complete a self-assessment questionnaire (SAQ). These documents include a series of yes/no questions about your security posture and practices, and they allow for some flexibility based on the complexity of a particular business situation. For the key Adyen integrations, the SAQ requirements are as follows:
- Adyen Hosted Payment Page: With the Adyen HPP solution, merchants outsource all payment processing to Adyen; therefore, we (still) do not ask you to complete any self-assessment questionnaire. (This is a Classic integration and Adyen no longer offers this integration to new merchants.)
- Adyen Client-Side Encryption: With the Adyen CSE solution, merchants will need to fill out an SAQ A v3.0. (This is a Classic integration and Adyen no longer offers this integration to new merchants.)
- Adyen point of sale or mPOS: With the Adyen POS solution, merchants have needed to fill out an SAQ B-IP v3.0 since January 1, 2015.
We use the Adyen Direct API. How do we become PCI DSS 3.0 compliant?
With the Direct API solution, merchants are required to be PCI DSS compliant at Level 1 or 2, depending on the volume of transactions you process. This means you need to a) fill out SAQ D v3.0 or engage a Qualified Security Assessor to conduct an onsite assessment and b) submit a quarterly network scan by an Approved Scanning Vendor.
We use Adyen CSE. Why are we now required to use SAQ A v3.0?
An aim of PCI DSS 3.0 is to ensure that the browser sending the encrypted payment data sends it securely to the Adyen payment platform (and not to another recipient). Since the encryption key that is provided by Adyen to the CSE merchant cannot be used to decrypt the Cardholder Data, and the decryption key is never available to the merchant or the shopper.
What are the consequences of non-compliance with PCI DSS?
Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual card schemes. However, a merchant that is found to be non-compliant can be levied large ongoing fines. Additionally, the merchant is susceptible to further fines and legal action if a breach occurs, and this can lead to immediate termination of your ability to accept card payments.
Can we fully outsource compliance to a third party such as our payment service provider?
No. It is always the merchant’s responsibility to make sure their third party service provider (according to PCI definitions) is PCI DSS 3.0 compliant. Having said that, different connections require different levels of compliance responsibility as outlined above.