Yes, Adyen is PCI DSS compliant as a Level 1 Service Provider, but merchants using Adyen are still responsible for their own PCI compliance; how much of the standard applies to you depends on your integration method.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect card information during and after a financial transaction. Compliance involves adhering to 12 requirements, ranging from installing and maintaining a secure network to implementing strong access control measures. Read our full guide here.
How to be compliant using Adyen
Adyen's products are designed to help businesses reduce their PCI DSS compliance burden by handling sensitive card data securely. However, your compliance requirements depend on how you integrate Adyen.
If you redirect users to Adyen’s hosted payment pages, your PCI scope is minimal (SAQ A).
If you collect cardholder data on your own servers, you will need SAQ D, which comes with stricter compliance obligations.
Your integration method with Adyen determines which SAQ you need to complete:
| Integration Type | PCI Scope | SAQ Required |
|---|---|---|
| Adyen Hosted Payment Pages (HPP) | Minimal - Adyen fully handles card data | SAQ A |
| Client-Side Encryption (CSE)* | Minimal - Card data is encrypted before transmission* | SAQ A-EP* |
| Direct API integration | High - Cardholder data passes through your server | SAQ D |
*You now also need to monitor dependencies (scripts) on your payment pages; more on this below.
Which one should you choose?
- Use Adyen’s Hosted Payment Pages (HPP) → SAQ A (easiest compliance, card data never touches your servers).
- Use Client-Side Encryption (CSE) → SAQ A-EP (card data is encrypted before it reaches Adyen).
- Use direct API integration → SAQ D (you handle raw card data, highest PCI burden).
If your business processes or stores cardholder data (SAQ D), you must:
- Implement strong encryption for payment data.
- Set up firewall and access control policies.
- Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
- Complete a full PCI DSS audit if you’re a Level 1 merchant (6M+ transactions/year).
*Monitoring dependencies for SAQ A compliance
In its January 2025 update, the PCI Security Standards Council emphasized the importance of monitoring dependencies, meaning both first-party and third-party scripts loaded on your websites. The update requires merchants to ensure their sites are not susceptible to attacks originating from these scripts.
Please find Stripe’s documentation on PCI DSS here.
Determine your PCI compliance level
| Level | Criteria | Validation Requirement |
|---|---|---|
| Level 1 | Over 6 million transactions annually | Full onsite audit by a QSA + SAQ D |
| Level 2 | 1 to 6 million transactions annually | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC) |
| Level 3 | 20,000 to 1 million online transactions annually | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC) |
| Level 4 | Fewer than 20,000 online transactions OR up to 1 million total transactions | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC) |
- Level 1 = Must do a ROC (full PCI DSS assessment with a full Report on Compliance by a QSA)
- Level 2 = Must do at least an SAQ with third-party QSA or ISA attestation
- Level 3 = Must do an SAQ
- Level 4 = Optional
Submit PCI compliance certification
- Using hosted payment pages? → SAQ A
- Using client-side encryption (CSE)? → SAQ A-EP
- Using direct API integration? → SAQ D
For SAQ A and SAQ A-EP merchants:
- Complete the SAQ in Adyen’s PCI compliance portal.
- Ensure no third-party scripts interfere with Adyen’s hosted fields.
- Keep documentation for annual PCI reviews.
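As an added example (not Adyen's or the PCI SSC's code), a minimal script-inventory check of the kind the dependency-monitoring point above calls for: it parses a payment page's HTML, flags external scripts that are not on an approved allowlist or that lack a Subresource Integrity attribute, and flags inline scripts whose hash is not in the approved set. The allowlist, the sample page and its hosts are constructed for this example.

```python
import hashlib
from html.parser import HTMLParser

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()  # fingerprint of an inline script body

class ScriptInventory(HTMLParser):
    """Collects every <script> on a page: external (src, integrity) or inline body hash."""
    def __init__(self):
        super().__init__()
        self.external = []   # (src, integrity attribute or None)
        self.inline = []     # sha256 hex of each inline script body
        self._buf = None     # body of the inline <script> being read, or None when outside one

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.external.append((attr["src"], attr.get("integrity")))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append(sha256_hex("".join(self._buf)))
            self._buf = None

def audit_payment_page(html, authorized_srcs, known_inline_hashes):
    """Return (finding, detail) tuples; an empty list means the page matches its approved inventory."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.external:
        if src not in authorized_srcs:
            findings.append(("unauthorized-script", src))  # not in the approved inventory
        if integrity is None:
            findings.append(("missing-sri", src))          # no Subresource Integrity hash
    # Inline bodies are compared by hash, so any edit to an approved inline script is flagged too.
    findings += [("unknown-inline-script", d) for d in inv.inline if d not in known_inline_hashes]
    return findings

# Constructed sample page and inventory (hypothetical hosts, not Adyen's real endpoints).
SAMPLE_HTML = """<html><head><script src="https://cdn.example.com/payments/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script>window.shop = {};</script></head><body></body></html>"""
AUTHORIZED = {"https://cdn.example.com/payments/checkout.js", "/static/app.js"}
KNOWN_INLINE = {sha256_hex("window.shop = {};")}
```

Run it on a schedule against a freshly fetched copy of the payment page and alert on any non-empty result; the two approved sets are the inventory you keep up to date as the page changes.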
For SAQ D merchants:
- Implement strong security controls (firewall, encryption, monitoring).
- Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
- Undergo an onsite QSA audit if processing high volumes.
Once you've identified the correct SAQ based on your integration method, complete it thoroughly. Stripe provides a PCI wizard in your Dashboard to guide you through this process.