You will find the answers to the following questions in this article:

1. What is PCI DSS Compliance?

2. Why is it important?

3. How can we validate PCI DSS compliance?

4. What are safeguards?

5. Who is responsible for having the safeguards in place?

6. Where can I view the requirements?

7. Who and how can we sign the PCI DSS Questionnaire?

8. What will be generated upon signing?

9. How do we know Adyen has the safeguards in place?

10. How do we know Convious has the safeguards in place that are included in my signed questionnaire?

11. How often does the validation need to be renewed?

12. Why are we not including POS?

 

1. Q: What is PCI DSS Compliance?

Let's start with what PCI DSS stands for: Payment Card Industry Data Security Standard. It is a global standard adopted by the major card schemes that defines the technical and operational requirements for protecting cardholder data.

 

2. Q: Why is it important?

Protecting sensitive information, such as card numbers and cardholder data, is vital for any party that accepts card payments. On top of that, validating PCI DSS compliance is mandatory: in the Convious setup, an incomplete validation flow can lead to your payouts being blocked until the questionnaire is signed (see question 7).

 

3. Q: How can we validate PCI DSS compliance?

All you need to do is confirm that you have certain safeguards in place by following the steps described in

7. Who and how can we sign the PCI DSS Questionnaire?

 

4. Q: What are safeguards?

Safeguards are measures and controls, such as procedures and technical configurations, which are implemented to protect information. A well-known safeguard is, for example, password protection. 

 

5. Q: Who is responsible for having the safeguards in place?

In short: it's a shared responsibility.

Because Convious and your Payment Service Provider supply a large part of your payment infrastructure, demonstrating and checking that the required safeguards (the requirements) are in place falls largely on these service providers. You still carry the responsibility for your own part, which is what the questions in your PCI DSS validation flow cover.

 

6. Q: Where can I view the requirements?

The easiest way is via your PCI DSS validation flow.

Go to Settings > Account > Integrations 

By clicking Sign PCI DSS Questionnaire and starting the flow, you can view a list of categories with guiding questions representing the applicable requirements.

Please note that all answers to these questions are standard answers defined by the PCI Security Standards Council and are required to be compliant. Therefore, they cannot be adjusted.

Find out more about the pre-filled questionnaire that is generated upon signature in

8. What will be generated upon signing?

 


7. Q: Who and how can we sign the PCI DSS Questionnaire? 

a) Who can sign the PCI DSS Questionnaire?

It is at your discretion who signs or attests to your PCI DSS compliance. Our only recommendation is that this should be someone with knowledge of what the payment setup is and authorized to sign on behalf of the entity.

b) How can we sign the PCI DSS Questionnaire?

To validate your compliance, all you need to do are the following 4 simple steps:

In your Control Panel, go to Settings > Account > Integrations.

1. Click Sign PCI DSS Questionnaire and proceed through the signing flow. First, you will see a general definition of PCI DSS compliance, followed by guiding questions representing the applicable requirements.

Please be aware that once you click the Sign PCI DSS Questionnaire button you have to complete the PCI DSS validation flow up to the signature; otherwise, you run the risk of payouts being blocked until you do.

You will then see the security questionnaire with all relevant requirements.

2. Select eCommerce.

3. Validate your acknowledgement of the requirements associated with the compliance by ticking the checkboxes, then enter or confirm your details.

4. Hit Sign! ✍️✅

Please note: validating your PCI DSS compliance is only possible via the integrated page, as explained above.

Shortly after your signature, once you return to the Convious Integrations page, you will see that the status of your PCI compliance has changed.

8. Q: What will be generated upon signing? 

By hitting Sign you submit and sign the questionnaire.

As a result, a filled questionnaire is generated. This questionnaire is the PCI DSS Self-Assessment Questionnaire A (SAQ-A), the questionnaire for merchants that fully outsource the handling of cardholder data to PCI DSS validated third parties. It is the document required to validate your compliance. The questionnaire holds all the requirements and responsibilities that apply to the involved parties (you, Convious and your Payment Service Provider), which is why you may see requirements in the signed SAQ-A that did not appear in the list of questions you validated in your PCI validation flow.

Once again, it is important to repeat that the answers to these questions are standard answers defined by the PCI Security Standards Council and are required to be compliant. Therefore, they cannot be adjusted.

Please note: you are signing the SAQ-A v3.2.1. For more information on the versions and our compliance against the requirements, see 10. How do we know Convious has the safeguards in place that are included in my signed questionnaire?

 

9. Q: How do we know Adyen has the safeguards in place?

"Adyen meets the highest standard of security and stability. We’re a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually." - Source

Convious holds a copy of Adyen's latest PCI DSS Attestation of Compliance (AoC).

 

10. Q: How do we know Convious has the safeguards in place that are included in my signed questionnaire?

As outlined before, the validated requirements are often a shared responsibility. Therefore, below you can find the results of our own assessment against the questions validated with your signature.

A kind reminder: a shared responsibility means that your answer to each of these questions should also be Yes.

Question | Convious' answer
Do you confirm that every user in your company has unique login credentials for the systems in your cardholder data environment, and that there are no shared, group or generic accounts? | Yes
Do you confirm that every user in your company has a strong password of at least 7 characters and another method of secure authentication, such as a token device, smart card or biometric control? | Yes
Does your company modify or terminate users' access immediately after they change roles or leave the company? | Yes
Does your company ensure that passwords are set to a unique value immediately after first use and upon reset, that no new password is the same as any of the previous 4 passwords, and that passwords are changed at least once every 90 days? | Yes
Do you confirm that your company never physically or electronically stores any cardholder data in your environment in any capacity? | Yes
Do you confirm that your company never stores sensitive authentication data on any of your systems? | Yes
Does your company perform due diligence when evaluating new service providers, so that you only outsource the processing of cardholder data to service providers that are PCI DSS compliant? | Yes
Does your company maintain, for each service provider that you use, a description of the services provided and a written agreement of each party's responsibilities regarding the security of cardholder data? | Yes
Does your company annually verify the compliance status of all service providers with whom you share cardholder data? | Yes
Does your company maintain an incident response plan for security incidents, including containment and mitigation for different types of incidents, business continuity procedures, and a commitment to immediately contact your payments partner, other involved service providers and, if applicable, the relevant authorities? | Yes
Does your company identify and address security vulnerabilities according to a risk ranking, using industry-recognised sources, and apply security patches/updates accordingly? | Yes
Do you confirm that your company has external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV) at least once every 3 months and after any significant change, for example to confirm that a critical vulnerability has been resolved? | Yes



Further, as explained in Q8, within the signed SAQ-A you may see requirements validated that go beyond your own responsibilities. These did not appear among the questions you had to validate; they were filled in automatically for you.
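The account-related questions in the table above (unique IDs, no shared or generic accounts, minimum password length, rotation and history, access removed when someone leaves, a second authentication method) are the ones most merchants have to verify on their own systems. The following script is an added example of how such a check can be run over an export of user accounts; it is not Convious or Adyen code. The record layout, the list of "generic" user names and the sample accounts are assumptions constructed for the example, and the day counts are computed against a fixed reference date so the result is reproducible.

```python
"""Audit user-account records against the account controls listed in the
SAQ-A question table (PCI DSS v3.2.1 Requirement 8).

Added example; the Account layout, GENERIC_IDS and SAMPLE_ACCOUNTS are
constructed assumptions, not data from Convious, Adyen or the PCI SSC.
"""
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LENGTH = 7     # "at least 7 characters"
MAX_PASSWORD_AGE_DAYS = 90  # "changed at least once every 90 days"
PASSWORD_HISTORY = 4        # "not the same as the previous 4 passwords"
# Assumed list of names that indicate a shared/generic login rather than a person.
GENERIC_IDS = {"admin", "root", "shared", "support", "service", "guest"}

# Finding texts are constants so callers can compare against them.
SHARED_ID = "shared or generic user ID"
DEPARTED_USER = "enabled account for a user who left or changed role"
STALE_PASSWORD = "password older than 90 days"
SHORT_HISTORY = "password history shorter than 4"
SHORT_MIN_LENGTH = "minimum password length below 7"
NO_SECOND_FACTOR = "no second authentication method"


@dataclass
class Account:
    user_id: str
    owner: str               # person responsible for the ID; "" if nobody
    employed: bool           # False once the owner left or changed role
    enabled: bool
    last_change: date        # date of the last password change
    history_depth: int       # previous password hashes the system retains
    min_length_enforced: int # password length the system enforces
    second_factor: bool      # token, smart card, biometric, ...


def audit_account(acc: Account, today: date) -> list[str]:
    """Return the list of control violations for one account (empty if none)."""
    findings = []
    if not acc.owner or acc.user_id.lower() in GENERIC_IDS:
        findings.append(SHARED_ID)
    if acc.enabled and not acc.employed:
        findings.append(DEPARTED_USER)
    if (today - acc.last_change).days > MAX_PASSWORD_AGE_DAYS:
        findings.append(STALE_PASSWORD)
    if acc.history_depth < PASSWORD_HISTORY:
        findings.append(SHORT_HISTORY)
    if acc.min_length_enforced < MIN_PASSWORD_LENGTH:
        findings.append(SHORT_MIN_LENGTH)
    if not acc.second_factor:
        findings.append(NO_SECOND_FACTOR)
    return findings


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map user_id -> findings for every account that has at least one."""
    result = {}
    for acc in accounts:
        findings = audit_account(acc, today)
        if findings:
            result[acc.user_id] = findings
    return result


# Constructed sample export; the reference date is fixed for reproducibility.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice A.", True, True, date(2024, 1, 15), 4, 8, True),   # compliant
    Account("admin", "", True, True, date(2024, 2, 1), 4, 8, True),            # shared login
    Account("bob", "Bob B.", False, True, date(2024, 2, 10), 4, 8, True),      # left, still enabled
    Account("carol", "Carol C.", True, True, date(2023, 10, 1), 4, 8, True),   # 152 days old
    Account("dave", "Dave D.", True, True, date(2024, 2, 20), 2, 6, False),    # weak policy, no 2FA
]

if __name__ == "__main__":
    for user_id, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user_id}: {'; '.join(findings)}")
```

Run against a real export, the script only tells you which accounts to look at; whether a second authentication method is really enforced, or whether the password history is kept as salted hashes rather than plaintext, still has to be confirmed in the system's own configuration.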


SAQ-A v3.2.1. vs. v4.0


v3.2.1 was replaced by v4.0 on March 31, 2024. If you validated your compliance against v3.2.1, you do not have to worry: your PCI documents remain valid until your next re-validation.

Key differences between v3.2.1 and v4.0:

  • More detailed password requirements and expanded multi-factor authentication (MFA) requirements.
  • Monitoring industry sources for vulnerability information.
  • Quarterly external vulnerability scans.

Good news: Convious has checked its controls against the v4.0 requirements and concluded that it complies with all of them. Since the v4.0 requirements cover those of the previous version, this also covers our validation against the requirements of the current SAQ-A.


 

11. Q: How often does the validation need to be renewed?

PCI DSS compliance validation needs to be renewed annually. Luckily, we have an easy way for you to (re-)validate your PCI DSS compliance within a matter of minutes using the auto-filled questionnaire via your PCI DSS validation flow.

 

 

12. Q: Why are we not including POS?

In-person (POS) payments are considered lower risk, so you are still required to be compliant at all times and to be able to demonstrate it, but only when explicitly asked. In other words, Adyen does not request the documentation for POS as part of this flow.

 

 

 

 

*Please note that the information given does not constitute legal advice. It aims to help our partners understand the basics of the subject and the Convious tools, so that partners can determine and execute their own level of compliance. While we do our best to provide helpful information as a starting point, certain concepts may not apply in all countries, and nothing can substitute regional legal advice. Convious accepts no liability for the correctness and completeness of the information or for actions taken in response to it.