1. Q: What is PCI DSS Compliance?
Let's start with what PCI DSS stands for. PCI DSS stands for Payment Card Industry Data Security Standard. It is a global standard adopted by the major card schemes that define technical and operational requirements to protect cardholder data.
2. Q: Why is it important?
Beyond the fact that protecting sensitive information, such as credit card and cardholder data, is vital for any party that accepts card payments, validating PCI DSS compliance is mandatory.
3. Q: How can we validate PCI DSS compliance?
All you need to do is check and ensure you have certain safeguards in place by following the steps as described in
4. Q: What are safeguards?
Safeguards are measures and controls, such as procedures and technical configurations, which are implemented to protect information. A well-known safeguard is, for example, password protection.
5. Q: Who is responsible for having the safeguards in place?
In short: It's a shared responsibility.
PCI DSS is a continuous security exercise. Hence, all parties always need to adhere to the applicable requirements to stay compliant.
As we are partners, and Convious and your Payment Service Provider supply a major part of your infrastructure, demonstrating that the required safeguards (or requirements) are in place, and checking them, is on these service providers, while you too carry a responsibility to do your part. With that said, while the PCI DSS validation renews automatically every year, it remains your responsibility to ensure the safeguards are in place. See Q6 for details on the safeguards/requirements.
6. Q: Where can we view the safeguards/requirements we need to check?
Go to Settings > Account > Integrations.
By clicking Onboarding you will see the onboarding page of the PSP. At the bottom you will see the PCI DSS questionnaire.
If you click Download a copy you can view the most recent version of the PCI DSS questionnaire that has been automatically signed for you.
7. Q: Who can sign the PCI DSS Questionnaire, and how?
Great news: The PCI DSS Questionnaire is automatically signed and renewed annually.
This questionnaire is also called SAQ-A. It is the document required to validate your compliance, and it holds all the requirements and responsibilities that apply to the involved parties.
Once again, it is important to emphasize that the answers to these questions are standard answers defined by the PCI Security Standards Council and are required to be compliant. Therefore, they cannot be adjusted.
Please Note: As of October 2024, the latest version of the questionnaire is SAQ-A v4.0.1.
8. Q: How do we know Adyen has the safeguards in place?
"Adyen meets the highest standard of security and stability. We’re a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually." - Source
Convious holds a copy of Adyen's latest PCI DSS Attestation of Compliance (AoC).
9. Q: How do we know Convious has the safeguards in place that are included in my signed questionnaire?
As outlined before, the validated requirements are often a shared responsibility. Therefore, below you can find the results of our assessment of the questions validated with your signature.
A kind reminder: a shared responsibility means that your own answer to each of these questions should also be yes.
| Question | Convious' Answer |
| --- | --- |
| Do you confirm that every user in your company has unique login credentials for the systems in your cardholder data environment, and there are no shared, group, or generic accounts? | Yes |
| Do you confirm that every user in your company has a strong password of minimum 7 characters long and another method of secure authentication, such as a token device, smart card, or biometric controls? | Yes |
| Does your company modify or terminate users' access immediately after they change roles or leave the company? | Yes |
| Does your company ensure that passwords are set to a unique value immediately after the first use and upon reset, that none of the new passwords are the same as the previous 4 passwords and changed at least once every 90 days? | Yes |
| Do you confirm that your company never physically or electronically stores any cardholder data in your environment in any capacity? | Yes |
| Do you confirm that your company never stores sensitive authentication data on any of your systems? | Yes |
| Does your company perform due diligence to evaluate new service providers such that you only outsource the processing of cardholder data to service providers that are PCI DSS compliant? | Yes |
| Does your company maintain, for each service provider that you use, a description of the services provided and a written agreement of each party's responsibilities regarding the security of cardholder data? | Yes |
| Does your company annually verify the compliance status of all service providers with whom you share cardholder data? | Yes |
| Does your company maintain an incident response plan in case of a security incident, including: containment and mitigation for different types of incidents, business continuity procedures and that you will immediately contact your payments partner, other involved service providers, and, if applicable, the relevant authorities? | Yes |
| Does your company identify and address security vulnerabilities according to a risk ranking by using industry-recognised sources and apply security patches/updates accordingly? | Yes |
| Do you confirm that your company conducts external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) at least once every 3 months and after any significant change, such as when a critical vulnerability has been resolved? | Yes |
Further, as explained in Q8, within the signed SAQ-A you may see requirements validated that go beyond your responsibilities. Therefore, they did not appear among the questions you had to validate but were filled in automatically for you.
10. Q: How often does the validation need to be renewed?
PCI DSS compliance validation needs to be renewed annually. Luckily, your PSP has automated the process of (re-)validating your PCI DSS compliance.
11. Q: On-site payments & PCI DSS compliance
For on-site payments a different questionnaire has to be completed: the SAQ B-IP. Please be assured that if you are using PIN terminals from Convious, the SAQ B-IP is included in the automated renewal workflow. As far as documentation for continuous PCI DSS compliance is concerned, there are no further actions required from your side. However, PCI DSS is a continuous security exercise. Hence, partners always need to adhere to the applicable requirements to stay compliant.
*Please note that the information given is in no way legal advice. The information aims to help our partners understand the basics of the subject and the Convious tools so that partners can determine and execute their own level of compliance. While we do our best to provide helpful information as a starting point, certain concepts may not apply in all countries. Thus, nothing can substitute regional legal advice. Convious accepts no liability for the correctness and completeness of the information or for the actions taken in response to it.