Skip to main content
Blog
Blog

Can you use Adyen for PCI DSS?

Yes, BUT depending on which on the integration, your business is still responsible for ensuring compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Mar 21, 2025 4 min read
adyen-pci-dss-image-cover

Yes, Adyen is PCI DSS compliant as a Level 1 Service Provider but merchants using Adyen are still responsible for their own PCI compliance depending on their integration method.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect card information during and after a financial transaction. Compliance involves adhering to 12 requirements, ranging from installing and maintaining a secure network to monitoring third party scripts on your web applications (PCI 6.4.3and 11.6.1.).

How to be compliant using Adyen

Adyen's products are designed to help businesses reduce their PCI DSS compliance burden by handling sensitive card data securely. However, your compliance requirements depend on how you integrate Adyen.

If you redirect users to Adyen’s hosted payment pages, your PCI scope is minimal (SAQ A).

If you collect cardholder data on your own servers, you will need SAQ D, which comes with stricter compliance obligations.

Your integration method with Adyen determines which SAQ you need to complete:

Integration Type PCI Scope SAQ Required
Adyen Hosted Payment Pages (HPP) Minimal - Adyen fully handles card data SAQ A
Clien-side Ecnrypion CSE)* Minimal - Card data is encrypted before transmission* SAQ A-EP*
Direct API integration High - Cardholder data passes through your server SAQ D

*You now need to monitor dependencies on payment pages, more below.

Which one should you choose?

  • Use Adyen’s Hosted Payment Pages (HPP) → SAQ A (easiest compliance, card data never touches your servers).
  • Use Client-Side Encryption (CSE) → SAQ A-EP (card data is encrypted before it reaches Adyen).
  • Use direct API integration → SAQ D (you handle raw card data, highest PCI burden).

If your business processes or stores cardholder data (SAQ D), you must:

  • Implement strong encryption for payment data.
  • Set up firewall and access control policies.
  • Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
  • Complete a full PCI DSS audit if you’re a Level 1 merchant (6M+ transactions/year).

*Monitoring dependencies for SAQ A compliance

As per the January 2025 update, the PCI Security Standards Council emphasized the importance of monitoring dependencies. This includes both first-party and third-party scripts on websites. This update requires merchants to ensure their sites are not susceptible to attacks originating from these scripts.

Adyen's PCI DSS compliance guide is the primary processor-specific source for Adyen integrations. If you're comparing provider scope, see the related Stripe PCI DSS guide.

Determine your PCI compliance level

Level Criteria Validation Requirement
Level 1 Over 6 million transactions annually Full onsite audit by a QSA + SAQ D
Level 2 1 to 6 million transactions annually SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 3 20,000 to 1 million online transactions annually SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 4 Less than 20,000 online transaction OR up to 1 million total transactions SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)

Related reading: our PCI DSS 6.4.3 and 11.6.1 compliance guide · PayPal Braintree's PCI DSS shared responsibilities

  • Level 1 = Must do a ROC (Full PCI DSS Assessment with Full Report on Compliance by QSA)
  • Level 2 = Must do at least an SAQ with third party QSA or ISA attestation
  • Level 3 = Must do SAQ
  • Level 4 = Optional

Submit PCI compliance certification

  • Using hosted payment pages? → SAQ A
  • Using client-side encryption (CSE)? → SAQ A-EP
  • Using direct API integration? → SAQ D

For SAQ A and SAQ A-EP merchants:

  • Complete the SAQ in Adyen’s PCI compliance portal.
  • Ensure no third-party scripts interfere with Adyen’s hosted fields.
  • Keep documentation for annual PCI reviews.

For SAQ D merchants:

  • Implement strong security controls (firewall, encryption, monitoring).
  • Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
  • Undergo an onsite QSA audit if processing high volumes.

Once you've identified the correct SAQ based on your integration method, complete it thoroughly. Adyen's PCI DSS documentation explains the evidence and validation steps merchants should prepare for their specific integration.

For a detailed breakdown of which PCI DSS requirements Adyen covers and which remain your responsibility, see Adyen and PCI DSS: what the processor covers vs. what you must do.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks, web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

Adyen holds PCI DSS Level 1 certification for its own payment infrastructure, but merchants using Adyen are not automatically PCI compliant. You still need to complete a SAQ, and if you use Adyen's hosted checkout you can qualify for SAQ A, but only if no cardholder data touches your servers. The moment you use Adyen Web Components or Drop-in, SAQ A-EP applies, which includes requirements 6.4.3 and 11.6.1 for client-side script monitoring.

SAQ A applies when payment pages are fully outsourced (Adyen-hosted). SAQ A-EP applies when your site controls how payment pages are constructed, including any use of Adyen Web Components, Drop-in, or iframe integrations. SAQ A-EP requires script inventory (6.4.3) and tamper detection (11.6.1) that Adyen does not provide.

No. Adyen tokenizes cardholder data on their servers, but Magecart-style skimmers attack the browser layer before data reaches Adyen. A compromised script on your checkout page can capture keystrokes or scrape fields before Adyen's SDK processes the card. Browser-layer monitoring is required to detect these attacks.

Adyen covers infrastructure-level requirements (encryption, key management, storage). It does not cover 6.4.3 (script inventory on payment pages), 11.6.1 (script tamper detection), or 12.8 (vendor risk management for other third-party scripts on your checkout). See our PCI Shield guide for browser-layer compliance.

You need a browser-layer solution that inventories every script on your Adyen checkout page, tracks changes, and generates QSA-ready reports. cside deploys via a single script tag, works alongside Adyen's SDK, and produces audit-ready evidence for 6.4.3 and 11.6.1.

Yes. cside is AWS's preferred vendor for PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, backed by a global partnership. Merchants adopting cside for browser-layer script monitoring can procure through the AWS Marketplace and align the deployment with their existing AWS security tooling and compliance workflows.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo