The Payment Card Industry Data Security Standard (PCI DSS) is a global set of requirements that aims to protect cardholder data and must be fulfilled by every company that handles card payments.
To accept card payments, your company must always be PCI DSS compliant. You must validate your compliance every year by completing an official PCI DSS document. Your current integration requires a Self-Assessment Questionnaire.
Your company has to ensure the security of all systems, technologies, and people that are responsible for the connection to the payment interface.
The following questionnaire asks you to confirm the security of your cardholder data environment, which typically includes your website, your web servers, and the people in your company who can access them.
You may need to verify your own systems to answer the questions, or invite a team member who knows more about your company's security procedures.
Does your company change vendor-supplied settings and remove default accounts from any system, device, or application connected to your cardholder data environment?
Devices and applications come with factory settings like default usernames and passwords. These defaults mean that every model has the same username and password, which are often published online or easy to guess.
An attacker may use an automated tool with these common credentials to gain access to systems.
Do you confirm that every user in your company has unique login credentials for the systems in your cardholder data environment, and there are no shared, group, or generic accounts?
Shared accounts are prohibited by PCI DSS. Unique accounts have a much lower impact when compromised than a shared one, and they also allow administrators to monitor system activity (audit trail and logging) on an individual basis.
Unique usernames are more difficult for an attacker to guess than, for instance, "admin," the organization's name, or a combination of both, so potential attacks are less efficient.
Do you confirm that every user in your company has a strong password of at least 7 characters, or another method of secure authentication, such as a token device, smart card, or biometric controls?
The longer and more complex a password, the more difficult it is for an attacker to crack. PCI DSS requires passwords to be a minimum of 7 characters long, including both letters and numbers.
Instead of a password, users can authenticate their identity with an object, such as a token device or smart card, or a personal feature, like a fingerprint, ocular scan, or voiceprint.
Does your company modify or terminate users' access immediately after they change roles or leave the company?
Terminating every user's access to the cardholder data environment when they no longer need it increases security. This reduces the chances of an attacker accessing sensitive systems, since there are simply fewer channels of entry into the system.
Does your company ensure that passwords are set to a unique value immediately after first use and upon reset, that no new password is the same as any of the previous 4 passwords, and that passwords are changed at least once every 90 days?
If the same default password is used for every new user, a malicious individual may easily discover this and gain access to accounts before the authorized user attempts to use the password. Passwords that are re-used or valid for a long time provide malicious individuals with more opportunities and time to break the password.
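The password lifecycle rules above (minimum 7 characters with letters and digits, no reuse of the previous 4 passwords, a forced change at first use and on reset, and a 90-day maximum age) can be enforced mechanically. The following is an added example, not code from the questionnaire or from Adyen; it assumes an in-memory user record and a salted PBKDF2 digest for the password history, both of which are illustrative choices.

```python
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 7        # page: at least 7 characters, letters and digits
HISTORY = 4           # page: must differ from the previous 4 passwords
MAX_AGE_DAYS = 90     # page: changed at least once every 90 days

def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so history entries never hold cleartext (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_complexity(password: str) -> list:
    """Return the list of rule violations, empty if the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems

def new_user() -> dict:
    # must_change forces a fresh value at first login, whatever was provisioned.
    # An administrative reset is modelled by setting must_change back to True.
    return {"history": [], "set_at": None, "must_change": True}

def set_password(user: dict, password: str, today: str) -> list:
    """Apply complexity and history rules; on success record the new password."""
    problems = check_complexity(password)
    for salt, digest in user["history"][-HISTORY:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append(f"matches one of the previous {HISTORY} passwords")
            break
    if problems:
        return problems
    salt = os.urandom(16)
    user["history"].append((salt, _digest(password, salt)))
    user["set_at"] = date.fromisoformat(today)
    user["must_change"] = False
    return []

def reset_required(user: dict, today: str) -> bool:
    """True at first use, after an administrative reset, or once 90 days old."""
    if user["must_change"] or user["set_at"] is None:
        return True
    return (date.fromisoformat(today) - user["set_at"]).days >= MAX_AGE_DAYS
```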
Do you confirm that your company never physically or electronically stores any cardholder data in your environment in any capacity?
All storing, transmitting, or processing of any cardholder data—such as names, primary account numbers (PANs), and expiration dates—must be done by PCI DSS-compliant third-party service providers. All staff with access to your cardholder data environment must understand the sensitivity of this data, the restrictions against storing it, and the implications of a leak.
Ensuring that your payments integration prevents you from touching cardholder data means that this requirement is fulfilled.
Do you confirm that your company never stores sensitive authentication data on any of your systems?
Sensitive authentication data (SAD) is security-related information used for authentication or authorization. SAD may refer to CAV2, CVC2, CID, and CVV2, which are the 3- or 4-digit values on a card used to verify card-not-present transactions.
Ensuring that your payments integration prevents you from touching cardholder data means that this requirement is fulfilled. In addition, SAD must not be collected or stored anywhere outside of your payments integration.
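A practical way to verify the two "never store" requirements above is to scan application logs and databases for primary account numbers and for the SAD field names the page lists (CVV2, CVC2, CID, CAV2). The following is an added example, not code from the questionnaire or from Adyen; the log lines are constructed, and the card number used is a well-known non-issued test number.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SAD field labels named on the page, followed by a 3- or 4-digit value.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\b\s*[=:]\s*\d{3,4}\b", re.I)

# Constructed sample log; 4111... is a well-known test number, not a real PAN.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO checkout order=ORD-2024-0001 ts=1700000000000",
    "2024-05-01 12:00:02 DEBUG card=4111 1111 1111 1111 cvv=123 exp=12/26",
    "2024-05-01 12:00:03 INFO token=tok_ab12cd34 status=authorised",
]

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-card digit runs (timestamps, ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list:
    """Return the digit strings in `line` that look like valid PANs."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so the finding itself is safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines) -> list:
    """Report (line number, kind, safe detail) for every PAN or SAD occurrence."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask(pan)))
        for m in SAD_RE.finditer(line):
            # Record only the field label, never the SAD value itself.
            findings.append((n, "SAD", m.group(1).upper()))
    return findings
```

Any finding means cardholder data or SAD has reached a system that the questionnaire says must never hold it, so the log source, not just the line, needs fixing.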
Does your company perform due diligence to evaluate new service providers such that you only outsource the processing of cardholder data to service providers that are PCI DSS compliant?
Third parties offer services such as payment processing, fraud and chargeback solutions, record management, shopping carts, or tokenization. PCI DSS requires established procedures for performing due diligence before engaging with service providers that can access cardholder data.
Due diligence can include checking the service provider's registration with a card scheme or requesting their Attestation of Compliance (AOC).
Does your company maintain, for each service provider that you use, a description of the services provided and a written agreement of each party's responsibilities regarding the security of cardholder data?
Since some service providers have access to cardholder data, PCI DSS compliance is partly outsourced to your service providers. It is mandatory to maintain a list of all service providers, including Adyen, and a description of the services provided.
It's necessary to maintain a written agreement in which the service providers acknowledge responsibility for the security of all cardholder data that they store, process, or transmit on your behalf. For merchants that integrate directly with Adyen, this is covered in Part 3.2.2 of the Merchant Agreement.
Does your company annually verify the compliance status of all service providers with whom you share cardholder data?
The compliance status of all service providers must be verified annually. PCI DSS requires maintaining a program to monitor the compliance status of every service provider used. This verification is typically done by requesting their Attestation of Compliance (AOC) every year.
Does your company maintain an incident response plan in case of a security incident, including containment and mitigation for different types of incidents, business continuity procedures, and a commitment to immediately contact your payments partner, other involved service providers, and, if applicable, the relevant authorities?
Every organization experiences system attacks, and sometimes a breach occurs. A breach may mean being liable for fines, losses, and other costs, such as for forensic investigation, onsite assessments, card reissuance penalties, or other fees. Having a comprehensive incident response plan in place reduces negative impacts for everyone.
PCI DSS requires that an incident response plan be in place. It should prepare employees for what to do in case of a breach, starting with contacting your payments partner immediately. Always have a dedicated contact person who will work with your payments partners, the schemes, and other relevant parties in the event of a breach.
Does your company identify and address security vulnerabilities according to a risk ranking by using industry-recognised sources and apply security patches/updates accordingly?
It is essential to continuously monitor your payments integration using external sources in order to identify and address potential security vulnerabilities. Security vulnerabilities should be classified according to the potential risk they pose; for example, a vulnerability that could result in access to the cardholder data environment (CDE) would be considered critical or high risk.
PCI DSS requires critical/high security patches, such as for applications or platforms, to be installed within 1 month of release. Keep track of recent patches by asking software vendors to be on their patch and upgrade notification lists.
Do you confirm that your company conducts external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) at least once every 3 months and after any significant change, such as when a critical vulnerability has been resolved?
Attackers routinely look for unpatched or vulnerable externally facing servers, which can be leveraged to launch a directed attack. Organizations must ensure these externally facing devices are regularly scanned for weakness and that vulnerabilities are patched or remediated.
You can select a PCI SSC Approved Scanning Vendor (ASV) from the list published by the PCI SSC and find more information in the ASV Program Guide on the PCI website. Once selected, you will have to provide the IP addresses and/or domain names of all Internet-facing systems to the ASV so that it can conduct a full scan.
By clicking the Accept button, I acknowledge and agree to the following:
We hereby acknowledge that we must remain compliant with the aforementioned PCI DSS requirements at all times as long as we want to receive payments. Consequently, we must continuously reassess our environment and implement any additional PCI DSS requirements if our environment changes.
Based on the above, the signatory above asserts that the information within this attestation form fairly represents the results of the assessment.