
Adyen Security and IT Requirements - Vendors v2.2

Purpose

This document sets out the minimum ICT security requirements that a Supplier must meet when providing ICT Services to Adyen. Defined terms are listed at the end of this document.

For the avoidance of doubt, the provisions in clause 2 only apply to Suppliers who do not comply with clause 1.

  • 1. ISO 27001 or SOC 2 certification

    • 1.1 Minimum Security Requirements

      If Supplier has adopted any leading practices, technical specifications or standards that are made available by recognized standardization bodies, such as: 

      • ISO/IEC 27001:2022 – Information Security Management System certificate; 

      • System Organizational Control Reporting 2, Type 2 (SOC 2 Type 2) certification covering, at a minimum, confidentiality, security and availability criteria;

      • PCI Payment Terminal Security Standard (applicable for payment terminals only); or

      • EU Cybersecurity Certification Schemes, or equivalent (applicable for ICT hardware only), and:

      1. Upon request, Supplier will provide a copy, not older than twelve (12) months, of the following to Adyen (as applicable):

        1. ISO/IEC 27001:2022: Statement of applicability, latest ISO external audit report and the certificate; 

        2. SOC 2 Type 2: Full SOC 2 Type 2 report;

        3. PCI Attestation of Compliance certificate; or

        4. EU Cybersecurity Certification Schemes (or equivalent) compliance certification.

      2. If Supplier receives or processes Cardholder Data pursuant to the Agreement, Supplier must comply with PCI Data Security Standards, and upon request, Supplier will provide Adyen a PCI Attestation of Compliance certificate, not older than twelve (12) months.

      3. Supplier must notify Adyen without undue delay via security@adyen.com of all critical vulnerabilities and ICT Incidents pertaining to ICT Services and Data. Supplier will investigate the relevant ICT Incident and vulnerability, determine the root causes and implement appropriate mitigating actions (and patches) immediately. Upon request, Supplier will provide relevant audit logs and list of corrective actions taken. Adyen may choose to immediately suspend any ICT Service until such ICT Incidents and vulnerabilities are deemed to no longer pose a security risk to Adyen.

      4. Upon request, Supplier will provide Adyen a summary of all penetration testing pertaining to the ICT Service conducted in the previous twelve (12) months.

      5. Any notification pertaining to a change in the Location of any Data made must include the name of the Data host provider and information pertaining to the security practices and procedures of the provider, including its physical security controls and environment.

  • 2. Minimum Security Requirements

    • 2.1 Information Security Program

      Supplier is required to implement and maintain a written information security program designed to maintain service availability, Data integrity, and confidentiality, including, but not limited to:

      1. an executive review of all security related policies;

      2. risk assessments pertaining to the ICT Service;

      3. review of ICT Incidents, including determination of root causes and corrective actions;

      4. reviews by internal audit measuring the effectiveness of controls; and

      5. upon request, Supplier will provide security program documentation to Adyen, not older than twelve (12) months.

    • 2.2 ICT Incidents

      1. Supplier must notify Adyen without undue delay via security@adyen.com of all ICT Incidents. Supplier will investigate the relevant ICT Incident, determine the root causes and implement appropriate mitigating actions. Upon request, Supplier will provide relevant audit logs and list of corrective actions taken. Adyen may choose to immediately suspend any ICT Service until such ICT Incidents are deemed to no longer pose a security risk to Adyen.

    • 2.3 Human Resource and Physical Security

      1. Locations where Data is processed and stored must have the following physical access control measures implemented:

        1. Supplier must only give access to Locations on a need-to-know basis and to personnel that have received appropriate continuous security training; and

        2. continuous monitoring of physical access to Locations.

    • 2.4 Asset Management

      1. Supplier will identify all critical systems that will collect, access, use, store, process, dispose of or disclose Data. Supplier will implement and regularly verify the effectiveness of a secure configuration baseline for systems that process Data. The secure configuration baseline must follow industry best practice standards.

      2. Supplier will implement and ensure that all portable and non-portable hardware (laptops, desktops and flash drives):

        1. are protected by antivirus software;

        2. have appropriate encryption to protect Data;

        3. are kept up to date without compromising security or reliability; and

        4. containing Data will have security controls implemented in use and be appropriately wiped off or destroyed when no longer needed.

      3. Supplier must ensure that none of its security mechanisms can be modified, removed or bypassed by any personnel in an unauthorized manner.

    • 2.5 Identity and Access Management

      1. Supplier must only give access to Data on a need-to-know, ad-hoc basis, following the principle of least privilege. Supplier must implement and monitor, as part of their human resources and access control policies, processes on how access to Data is given to personnel and on the return and removal of Data upon termination of personnel employment.

      2. Supplier must use strong authentication methods consistent with the Security Standards for remote access to ICT Assets used by Adyen that support the ICT Service and/or process and store Data.

      3. Supplier will implement and monitor an identity management policy that:

        1. assigns unique identifiers corresponding to a unique user account for each member of its personnel when accessing Data; and

        2. outlines a lifecycle management process for the unique identifiers and user accounts, managing the creation, change, review and update, temporary deactivation and termination thereof.

    • 2.6 Encryption of Data during transit and storage

      1. Supplier must implement and monitor an encryption policy and develop cryptographic controls that:

        1. encrypt communications between Supplier and Adyen; 

        2. encrypt Data in transit and in storage; and

        3. prevent and detect Data leakage.

      2. The policy must contain provisions for cryptographic key management that establish the correct use, protection and life cycle of cryptographic keys.

    • 2.7 Network Management and Malware Protection of Data

      1. Supplier must implement and monitor network management protocols and malware prevention tools in all systems providing the ICT Service in order to protect the Data, containing, at minimum the following:

        1. anti-virus and anti-malware tools;

        2. utilization of spam-filtering systems that block incoming messages containing spam, phishing and malware; and

        3. restrictions on access to Supplier’s internal network, with such access limited to hardware (desktop and laptops) managed by Supplier and then only through a virtual private network connection.

    • 2.8 Vulnerability and Patch Management, and Penetration Testing

      1. Supplier must:

        1. implement and monitor controls for the maintenance and security of Supplier’s source code, where that source code is used to process Data (“Relevant Source Code”);

        2. perform source code reviews on the Relevant Source Code covering both static and dynamic testing, including security testing for internet-exposed systems and applications;

        3. identify and analyze vulnerabilities and anomalies in the Relevant Source Code, adopt an action plan to address vulnerabilities and monitor the implementation thereof. Any Critical Vulnerabilities must be patched immediately and reported to Adyen as prescribed in clauses 1.1(3) and 2.2, and the integrity of the Relevant Source Code must be protected;

        4. ensure that open-source code is analyzed and tested prior to deployment within the ICT Service; and

        5. implement and use secure coding industry leading best practice principles (such as OWASP guides or similar).

      2. Upon request, Supplier will provide a summary of Supplier’s penetration testing results. The testing must not be older than twelve (12) months.

    • 2.9 Incident Management

      1. Supplier must implement, monitor and test mechanisms to detect ICT Incidents and prioritize alerts pertaining to Data and the ICT Service. 

      2. Supplier will manage ICT Incidents within the resolution times outlined in the relevant Service Level Agreement contained in the Agreement.

      3. Upon request, Supplier will provide a summary of any test results pertaining to Supplier’s ICT Incident responses; recovery plans and necessary updates, if any, not older than twelve (12) months.

      4. All ICT Incidents involving Data must be reported to Adyen as stipulated in clauses 1.1(3) and 2.2.

    • 2.10 Log Management

      1. Supplier must implement and monitor procedures, protocols and tools ensuring that all system log entries contain sufficient detail to enable the effective detection of anomalous activities and must protect the logging systems against tampering, deletion and unauthorized access in storage, transit and in use. 

      2. Supplier must log events pertaining to:

        1. physical access control pursuant to clause 2.3 above;

        2. identity management pursuant to clause 2.5 above;

        3. capacity and change management;

        4. ICT operations, including system activities; and

        5. network traffic activities, including ICT network performance.

      3. Supplier must retain all logs pertaining to the ICT Service for at least twelve (12) months.

    • 2.11 Data Management

      1. Supplier must implement physical and logical controls to segregate Data from other client data and maintain facilities to allow for backup and restoration of Supplier’s ICT systems for the delivery of the ICT Service.

      2. No employee (or contractor) of Supplier, and no system that is not designated for the ICT Service, may have access to Adyen Data processed by Supplier, unless required for a legitimate security or operational purpose. Any request to access Adyen Data, including its intended purpose, must be authorized by Adyen.

    • 2.12 Business Contingency Plan

      1. Supplier must implement and monitor a Business Continuity Program, which includes the following arrangements:

        1. continuity of Critical Systems based on disaster scenarios;

        2. the availability of adequate personnel, the maximum downtime, failover and recovery to an alternate processing site or solution;

        3. maintenance of an alternate solution such as a secondary site capable of ensuring continuity identical to the primary site, or cloud-based solutions etc. In the case where a secondary site is utilized, it will have a geographical risk profile distinct from the primary site;

        4. the immediate access to the secondary site to ensure continuity of the ICT Service, if the primary site is not available;

        5. consider the need for additional sites, to ensure all business continuity objectives will be met in all disaster scenarios;

        6. maintain a documented Disaster Recovery plan covering the scope of service and Data which is tested at least annually; and

        7. recovery time objectives and recovery point objectives aligned with the business impact analysis and business continuity objectives.

      2. Upon request, Supplier will provide a copy of the Business Continuity Program and associated tests that is not older than twelve (12) months.

  • 3. Specific Security Requirements

    Requirements listed below only apply based on the nature and delivery of the ICT Service to Adyen.

    • 3.1 Secure Software Development

      1. source code must be analyzed and tested via penetration testing before deployment to Adyen;

      2. any and all software delivered will be free from critical vulnerabilities;

      3. the integrity of any source code will be maintained and delivered to Adyen as part of the ICT Service; and 

      4. security updates to address vulnerabilities shall be provided free of charge.

    • 3.2 Cloud Computing Services

      If the ICT Services contain any type of cloud computing service, Supplier will ensure that:

      1. Supplier is solely responsible for the platform and infrastructure security in case of Software as a Service (“SaaS”) services;

      2. all SaaS service endpoints will be signed by commonly trusted certification authorities or via another trusted established mechanism;

      3. Data portability is possible between different cloud computing ICT Services by supporting standardized file format and import/export functionality;

      4. standards-based identity protocols and enforcement are supported, such as OpenID Connect, Security Assertion Markup Language and OAuth2, for propagating and enforcing identity controls through the ICT Service and API;

      5. access to management consoles for entitlement and policy management will be secure and restricted by following the principle of least privilege;

      6. credential(s) for privileged accounts, including root or administrator accounts, shall be managed with strict restrictions and multi-factor authentication will be implemented;

      7. it has capability to dispose of Data securely at Adyen’s request and ensure deleted Data is not recoverable;

      8. all threats and security related events are triaged in multi-tenant environments;

      9. tenants are not permitted to perform independent vulnerability assessments of the Adyen production infrastructure;

      10. Adyen has the option to opt-in or opt-out of specific features in releases;

      11. Supplier has the capability to logically segment and recover Data for Adyen, specifically in the case of a failure or Data loss;

      12. a logging and monitoring framework is in place to allow the isolation of an event to specific tenants;

      13. upon request, Supplier will provide Adyen with appropriate logs depending on the service (audit logs, application logs or API activity logs);

      14. upon request, Data storage can be restricted to specific Locations;

      15. Adyen is provided with geographically resilient hosting options; and

      16. Supplier will, upon request, provide documentation to Adyen in relation to Data security, including the following:

        1. details of the platform/service offering (e.g. incident response, infrastructure support, access management, etc.);

        2. methods for maintaining segregation of duties within the cloud computing service;

        3. scenarios in which the cloud computing service(s) may access Data and Adyen metadata; and

        4. details pertaining to the installation, configuration, and use of the ICT Service.

    • 3.3 Data Center Security

      If the ICT Service includes the supply of data centers to Adyen, Supplier will implement and maintain:

      1. measures protecting the premises against attacks, accidents, operational disruptions, environmental threats and hazards;

      2. measures protecting against environmental threats and hazards will include a Business Continuity Program that is consistent with the importance of the premises, including an electrical blackout test; and

      3. all physical access control devices into the premises are maintained and follow the access control requirements prescribed in clause 2.3(1)(A).

    • 3.4 Physical Security

      If Supplier will have on-going, continued physical access to Adyen offices, data centers, or warehouses (or Adyen managed locations which may process Data) then all such Supplier personnel:

      1. will abide by Adyen’s physical security processes and policies as communicated by Adyen personnel for so long as it has access.

      2. will return all Data and any other ICT Assets when the ICT Service is no longer deemed necessary.

    • 3.5 Usage of Artificial Intelligence

      1. Data may not be used for training purposes without Adyen’s prior approval;

      2. Data may not be processed by any other fourth party providers without Adyen’s prior approval; and

      3. the AI system has undergone appropriate input and output validation, or data sanitization methods are used, to prevent unnecessary, unwanted, potentially harmful or biased data from being used to train the system, and to prevent generation of biased, incorrect, harmful or discriminatory content.

    • 3.6 Sub-contracting

    • 3.7 Hardware Security

      If Supplier provides ICT hardware, Supplier will ensure:

      1. all code residing in the hardware will follow the requirements listed in Sections 2.8 and 3.1.

      2. to make use of secure architectural concepts such as signed firmware and secured bootloaders.

      3. to not make use of outdated and insecure coding functions.

      4. development and debug interfaces will be disabled in production builds.

      5. to provide periodic documentation regarding the packages and libraries that have been updated in new releases, including the following:

        1. changes, security improvements and bug fixes that have been implemented;

        2. security checks that have been performed with each new release;

        3. detailed information on how assets are protected within the device;

        4. secure channels are set up with sufficient detail to allow compatible implementation to be built; and

        5. details on the secure update mechanism.

  • 4. Definitions

    Adyen means the Adyen entity as listed in the Agreement.

    Adyen Data Security Requirements means this document, as updated from time to time, which applies to Suppliers providing ICT Services to Adyen.

    Agreement means the agreement governing the provision of ICT Services by the Supplier to Adyen, consisting of the main agreement, this document, and all other documents referenced within, subject to periodic amendments and supplements.

    AI means Artificial Intelligence.

    API means Application Programming Interface.

    Application Programming Interfaces means the direct secured internet connection between an Adyen customer’s sales channel and the Adyen platform.

    Business Continuity Program means a set of policies, arrangements, plans, procedures, and mechanisms primarily focused on ICT to ensure the continuity, response, and recovery of Critical Systems following ICT Incidents or disruptions.

    Cardholder Data means

    • with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and embedded data (including magnetic stripe data and EMV data); and

    • information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether a physical card is used in connection with such transaction.

    Critical System means any System that stores, processes, transmits, or can affect the security of Data, or Cardholder Data, or any System whose unavailability would significantly disrupt Adyen’s business operations or regulatory compliance.

    Cloud Computing Services means on-demand network access to a shared pool of configurable and scalable computing resources, such as SaaS, PaaS and/or NaaS.

    Critical Vulnerability means a flaw or a combination of flaws that could result in a full system compromise, remote code execution, or an ICT Incident.

    Data means all data belonging to Adyen – whether non-personal, personal, sensitive, or otherwise – generated, transferred or received under or in connection with the ICT Service.

    Disaster Recovery plan means the subset of the Business Continuity Program that focuses specifically on the restoration of ICT Assets, services, and infrastructure after a catastrophic event.

    ICT means information and communication technology supporting complex systems used for everyday activities and in keeping key sectors running, including the financial sector.

    ICT Assets means ICT software or hardware assets in the network and information systems used by Adyen.

    ICT Incident means a single or series of unplanned events that compromise the security of Supplier’s network and information systems and adversely impacts the availability, authenticity, confidentiality or integrity of Data or ICT Services.

    ICT Service means any digital or data service provided by Supplier to Adyen through ICT systems on an ongoing basis, including the provision of hardware and/or hardware services as well as the supply of technical support via software or firmware updates.

    Location means any country(ies) where the ICT Service is being provided and where Data is being processed and stored.

    OAuth2 means Open Authorization 2.0, an open standard for authorization which allows a third-party access to resources on another service without sharing credentials.

    OpenID Connect means OIDC, an identity layer built on top of the OAuth 2.0 framework, used to verify the identity of the user.

    PCI Attestation of Compliance means the form provided by the PCI Security Standards Council (PCI SSC), that serves as a formal declaration by an entity that it has met the requirements of the PCI DSS.

    PCI Data Security Standards means the security standards for the protection of payment card information with which the payment card companies collectively or individually require Adyen’s customers to comply, including, but not limited to:

    • the Payment Card Industry Data Security Standards currently in effect and as may be updated from time to time, and

    • any other applicable payment card industry data security requirements for Cardholder Data that are currently prescribed by the PCI Security Standards Council and may be updated from time to time during the term of this agreement.

    Relevant Source Code means the source code of Supplier's software or systems that is directly used to process Data.

    SaaS means Software as a Service.

    Security Assertion Markup Language means an open-standard framework for exchanging authentication and authorization data between different security domains, generally an identity provider (IdP) and a service provider (SP).

    Security Standards means the practices, technical specifications or standards that are made available by recognized standardization bodies, such as:

    • ISO/IEC 27001:2022 – Information Security Management Systems certificate; or

    • System Organizational Control Reporting 2, Type 2 (SOC 2 Type 2) certification covering confidentiality, security and availability criteria.

    System means any hardware, software, application, database, network, or cloud infrastructure utilized in the provision of ICT Services to Adyen.

    Subcontractor means an entity who has entered into a contractual arrangement with Supplier to provide specified ICT Services to Adyen on Supplier’s behalf.

    Supplier means an entity who has entered the Agreement with Adyen for the provision of ICT Services as defined in this document.

© 2026 Adyen