PCI DCSS
One of the 2 steps insecuring an Adyen account is filling out a PCI document.
Funbutler customers only need to fill out the fields marked in purple.
Introduction to PCI DSS
PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that when implemented correctly, helps you to protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you to maintain your shopper's trust.
As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that do not comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.
Before you continue, it is important to understand that:
PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).
PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate their compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.
Adyen's role in PCI DSS compliance
Implementing PCI DSS in your business can be daunting, especially if you do not have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Adyen offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions—you never see and never have access to unencrypted cardholder data.
When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Adyen. However, because you accept credit card payments on your website, your app, or in your physical store, your integration with Adyen does not completely eliminate your PCI scope.
Adyen's responsibility: Adyen is solely responsible for the security of cardholder data only as soon as Adyen receives the data through the relevant payment interface. After Adyen receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.
Your responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches Adyen. Depending on your integration, you also have to comply with cardholder data storage requirements.
2. Main application
After you have completed your PCI DCSS you will need to fill out the main application in Adyen. A link for this will be recieved from a memeber of our support staff.
The full guide for the Application can be found below
Company registration document
Your company registration document must be issued by one of the following:
A public authority
A government agency
A judicial authority
The company registration document must either:
Be issued within the last 12 months and show the corresponding issuance date
Be signed and dated by the entity's authorized signatory within the last 12 months
The company registration document needs to show the legal entity name and the registration number of your company.
The "doing business as" or "trading as" name is not acceptable as the legal entity name of your company.
For the required format for registration numbers in a particular country/region, see the following list.
Registration numbers
Public companies
Publicly listed companies, or companies that are wholly owned by a publicly listed company, can submit their published annual report as a registration document. The annual report must include the following information:
The name of the legal entity
The country/region of registration
The national ID (i.e. registration number)
The name of the independent auditor's firm
The date of signing by the firm/auditor. The date must be within the past one year.
Company types
As part of your application for a live account with Adyen, you must provide information about the type of your company.
The following lists show local names for different company types in selected countries/regions and maps them to the corresponding Adyen legal entity types.
Proof of tax information
The tax ID document needs to
Be issued by a public authority, government agency or judicial authority.
State the legal entity name and the tax ID number.
State the country/region where the business is registered.
Contain an issuance date within the last 12 months, or be signed and dated by a legal representative within the last 12 months.
Note the following:
The “doing business as” / “trading as” name cannot be accepted as the legal name of your company. Please make sure to fill in the correct legal entity name.
For some countries/regions, the VAT number is not the same as the tax ID number.
The uploaded document must meet the following file format and size requirements:
Formats: JPEG, JPG, PNG, or PDF (maximum 1 file)
Size for PDFs: minimum 1 KB, maximum 15 MB
Size for other formats: minimum 100 KB, maximum 15 MB
VAT information
As part of the verification requirements for legal entities, you need to submit one of the following VAT (value-added tax) documents:
Tax registration form
Residence certificate issued by local tax authority
Confirmation of tax position issued by local tax authority
Copy of a recent corporate income tax return in local country/region
Copy of a recent VAT, GST (goods and service tax) or similar tax return in local country/region
Copy of a tax assessment in local country/region
Deed or statement by a notary, lawyer, regulated/qualified tax advisor, or other comparable official legal service provider
If your company does not have a valid VAT number, you need to generate a VAT exemption form in your Customer Area. An authorized signatory must complete this form and submit it to Adyen.
The VAT document must:
Be issued by a public authority, government agency or judicial authority. If your company registration number and VAT number are the same, you must provide confirmation from your local tax authority that the VAT number is active.
State the name of the legal entity and the VAT number.
State the country/region where the business is registered.
The "doing business as" or "trading as" name is not acceptable as the legal entity name of your company.
The VAT document must also either:
Be issued within the last 12 months and show the corresponding issuance date
Be signed and dated by the entity's authorized signatory within the last 12 months
The list below shows the format for VAT numbers in selected countries/regions. Note that in some countries/regions, the VAT number and tax ID number are different.
VAT numbers
Payout account (Merchant bank statement)
Adyen must verify the existence of your bank account and confirm it is linked to your legal entity.
The proof of bank account can be any of the following:
Bank statements
Deposit tickets or deposit forms
Screenshots of your online banking environment
Official letters issued by a bank
Cheques
Location-specific documents:
Relevé d'Identité Bancaire (RIB): bank document in France
TAMIEYTHPIO: bank document in Greece
Singaporian bank passbooks: bank document in Singapore
Do not upload photos of bank-issued cards, such as credit or debit cards. These contain sensitive information.
Requirements for all documents
The document must show:
Your name. This must match your legal entity name or trading name. This must match your legal entity name.
The account number or IBAN needs to be visible.
The date of issuance needs to be visible and needs to be dated less than 12 months ago. This requirement applies to all types of documents except for RIBs, cheques, online banking environment or TAMIEYTHPIO.
Some RIBs and online banking environments contain a date of issuance. The date of issuance for these must also be less than 12 months ago.
The country/region where the bank account is located. For EU bank statements, Adyen infers the country/region from the IBAN.
An indicator that the document was issued by a bank, such as the bank logo or the bank name in its bank-specific font.
We do not accept:
Photos of bank-issued cards, such as credit or debit cards.
Edited or personalized documents.
Documents issued more than 12 months ago.
Documents where required data points are missing.
Documents with cut-off, blurry, or low-quality images.
Documents issued by third party software platforms or programs.
Requirements for specific document types
Direct deposit tickets and forms:
Must contain a bank logo or bank letterhead.
Can only be accepted with a stamp or signature from the bank.
Cheques:
The name of the account holder, account number, and name of the financial institution or logo need to be printed (not handwritten).
Security features need to be visible for cheques in US and CA.
The account number and routing number need to be fully visible.
We can only accept electronic cheques issued by banks in CA.
We cannot accept any cheques issued by banks in AU.
Letters from bank or bank account agreements:
Must contain a bank logo or a bank letterhead.
All letters must have a stamp or signature from the bank.
The uploaded document must meet the following file format and size requirements:
Formats: JPEG, JPG, PNG, or PDF (maximum 1 file)
Size for PDFs: minimum 1 KB, maximum 15 MB
Size for other formats: minimum 100 KB, maximum 15 MB
Proof of identity
You need to provide proof of identity for:
The person who signs the contract with Adyen.
Shareholders who have 25% or more of the shares or voting rights (in India, 10% or more).
The proof of identity can be any of the following photo IDs:
Passport: Make a copy of the data page, with your picture, details, and machine-readable zone clearly visible.
ID card: Make a copy of both the front and back, and save them to separate files.
Driving license: Make a copy of both the front and back, and save them to separate files.
Proof of identity requirements
The photo ID must:
Be non-expired.
Have the machine-readable zone visible (if available).
Be a physical photo ID document, not digital.
If there is an available field for a signature in the document, it must be signed.
The uploaded document must:
Have separate files for front and back of the ID document (only when providing an ID card or driver's license).
Be a full color and straightened image. The corners and edges of the ID must be fully visible.
Be a photo or a scan of the physical photo ID document.
We do not accept:
Digital IDs.
Secondary copies of IDs. These include screenshots of photos, a photo pasted onto another document, a photo of a screen, or a photo of a printout.
Low-quality images.
The uploaded document can be a maximum of 15 pages.
Additional information for specific countries/regions
Country | Notes |
France | The validity of French national ID cards issued between 2 January 2004 and 31 December 2013 has been extended for 5 years beyond the original expiration date. The original period of validity of these cards was set at 10 years. Following the extension, they are now valid for 15 years from the year of issue. Note that f the card holder was under the age of 18 when the ID was issued, this extension does not apply. The extension does not apply to any other document types. |
Poland | Polish driving licenses do not show an expiration date. Any licenses issued before 2013/19/01 are valid until 2033. They must be exchanged for a new license prior to this date. |
Ukraine | Ukrainian passports are considered valid for 5 years from the original submission date for the extension of its validity period. A signed and stamped passport page must be included. |
The uploaded document must meet the following file format and size requirements:
Formats: JPEG, JPG, PNG, or PDF (maximum 1 file)
Size for PDFs: minimum 1 KB, maximum 15 MB
Size for other formats: minimum 100 KB, maximum 15 MB
We cannot accept uploaded documents that are:
Expired.
Broken or damaged.
Dirty, illegible, or with a watermark.
Blurry or overexposed.
Black and white.
Multiple sides or documents in the same file.
Not cropped, or have a white background.
Angled, rotated, sideways, or upside down.
Overcropped or cut off.
Proof of residency requirements
The following sources can be used as proof of residence documentation. These documents must not be older than the period specified below.
Cannot be older than... | Type of document |
3 months |
|
12 months |
|
The proof of residency must:
Have the name of the individual.
Have the full residence address, residence country/region, and residence state (when applicable).
Have a date within the last 3 or 12 months depending on the document type.
Website and app requirements
If you want to do online payments, there are strict requirements about content that must be clearly visible on your website or app.
To show that your website or app satisfies the requirements below, you'll need to share URLs to either your live website or a test deployment that we can check.
Terms and conditions
The terms and conditions must include:
Your company's legal entity name.
A description of the product or service that you sell.
An explanation of how payments happen, for example instantly or through a subscription.
Delivery information.
The refund and cancellation policy.
Mention of third parties involved in providing the service or product.
Mention of relevant governing law.
Subscriptions and free trials
If you are offering subscriptions or free trials, follow these requirements:
During the order process, make sure that the cardholder gives their consent to enter a subscription service.
Send an electronic reminder notification, such as an email or SMS, and a link to online cancellation at least 7 days before initiating a recurring transaction if:
A trial period, promotional period or introductory offer has expired.
The recurring agreement has changed. For example, the price or the billing period.
Transaction receipts must include:
The length of a trial period, introductory offer, or promotional period.
The amount and date of the initial transaction even if no amount is due.
The amount for subsequent recurring transactions.
A way to allow the cardholder to easily cancel any subsequent transactions, for example a link or using an SMS.
The cancellation of subscription payments must be easily accessible for online shoppers. For example, provide a link to a cancellation page.
Privacy policy
The privacy policy must describe:
What data you are storing.
What data you are sharing with third parties.
Your cookie policy.
Delivery information
The delivery information must include:
How long it takes for the shopper to receive the product or service.
Which countries/regions you deliver your product to, if applicable.
Refund policy
The refund policy must explain:
If the shopper can get their money back for a product or service they bought from you.
The ways in which the shopper can return the product or cancel the service.
The process of returning a product or canceling the service.
Contact information
Shoppers must be able to contact you if they have questions, so the contact information shown on your website or app must include:
Legal entity name.
Email address.
Phone number.
Checkout and payment process information
During the checkout and payment process, your website must clearly show your company's:
Legal entity name.
Trading name, if applicable.
Company registration number.
Company location.
You must have a checkbox with the statement I agree to the Terms and Conditions and the Refund and Cancellation policy. The statement must have hyperlinks to the documents mentioned. Shoppers must select the checkbox to accept the statement before continuing to making their payment.
Ownership and control document
In some cases, we need to ask you for additional documents to verify the ownership and control structure of your company.
Ownership and control chart
The ownership and control chart is a visual diagram of the ownership and control structure of the entity or entities involved in your company, and states the ultimate beneficial owners (UBOs).
The ownership and control chart must include:
The full ownership and control structure of all entities and UBOs under review, including all intermediate companies.
Official legal entity name, legal form, and registered country/region for every entity on the chart.
Ownership and control relation between the entities, including ownership percentages.
Indication of how the criteria for identifying UBOs are fulfilled, for example an individual owning 25% of the total shares (in India, for any individual owning 10% or more).
A signature confirming the organizational chart's content, the name and job title of the signing person, and the date when the signature was given (not older than 6 months).
If the person signing the organizational chart is one of the following, you do not need to send additional documents:
An internal person who is a qualified professional such as a lawyer, accountant or auditor, and whose qualification can be checked through the official website of the professional body. The professional body must be either in the registered country/region of your company, or in the same country/region as another entity in the ownership and control chart.
An external person or a professional body, certified by a consultancy firm, notary, lawyer, auditor, or other comparable official legal service provider from the registered country/region of the legal entity or entities under review.