This page explains the PCI DSS considerations for your Valpay integration and how your choice of integration method affects your compliance scope.
Talk to Valpay first. Before you build any integration that increases your PCI scope, such as API integration or handling raw card data, contact Valpay. We can often offer an alternative that keeps your scope low or removes it, so check with us before committing to that path.
What PCI DSS is
PCI DSS (Payment Card Industry Data Security Standard) is a global set of security standards from the PCI Security Standards Council. It applies to every company that collects, processes, stores, or transmits cardholder data, and it covers the people, processes, and technology that touch that data, known as the Cardholder Data Environment (CDE).
A few baseline facts:
Every merchant that accepts card payments must comply.
Compliance is ongoing, not a one-time event. Each entity validates its compliance annually using an official PCI SSC validation document, such as a Self-Assessment Questionnaire (SAQ).
Adyen is a PCI DSS Level 1 Service Provider, assessed annually by an independent Qualified Security Assessor.
How your integration affects your scope
Your PCI scope depends on how your integration handles card data. Using an Adyen integration does not remove your scope entirely, because you still accept card payments, but the right integration can reduce it significantly.
Hosted Checkout, Drop-in, and Components minimize your scope. The Adyen UI collects and encrypts the card data, so you never see or have access to unencrypted cardholder data. These integrations can qualify for the simplest self-assessment, SAQ A.
API-only / raw card data integrations carry the highest scope, because card data passes through your systems before it reaches Adyen. Before you go down this path, contact Valpay: we may be able to offer an alternative that avoids the added scope.
With Adyen's encrypted solutions, you outsource most PCI DSS responsibilities to Adyen. Adyen is responsible for the data once it reaches the payment interface. You remain responsible for keeping cardholder data secure before it reaches Adyen, and for any storage obligations.
SAQ A eligibility
To attest your compliance through SAQ A under PCI DSS v4.0.1, you must:
Confirm that all payment page elements and forms delivered to the shopper's browser come only and directly from a PCI DSS compliant provider or processor.
Confirm your site is not susceptible to script-based attacks.
Even as a SAQ A merchant, you still have responsibilities. For example, SAQ A requirement 11.3.2 calls for regular vulnerability scans of your online payments system.
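The two SAQ A conditions above (payment page elements only from a compliant provider, and no susceptibility to script-based attacks) can be checked in code. The following is an added example, not Valpay's or Adyen's code: a pure audit function that walks the script elements of a payment page and flags inline scripts, scripts from origins outside an allowlist, and scripts without a Subresource Integrity hash. The allowed origins and the sample page scripts are constructed placeholders; replace them with the hosts your provider documents and with a live read of the page.

```javascript
// Assumed allowlist: your payment provider's script host plus your own origin.
// Both values are placeholders (.invalid TLD), not real hosts.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://checkout.example-provider.invalid", // placeholder: provider's SDK host
  "https://www.merchant-shop.invalid",         // placeholder: the merchant's own origin
];

// Audit a list of { src, integrity } records (the shape of <script> elements).
// Returns one finding per problem so a CI check or page monitor can fail on any.
function auditPaymentScripts(scripts, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const s of scripts) {
    if (!s.src) {
      // Inline scripts cannot be pinned with SRI and are a common injection point.
      findings.push({ src: "(inline)", problem: "inline script on payment page" });
      continue;
    }
    let origin;
    try {
      origin = new URL(s.src).origin;
    } catch {
      findings.push({ src: s.src, problem: "unparseable script URL" });
      continue;
    }
    if (!allowedOrigins.includes(origin)) {
      findings.push({ src: s.src, problem: `origin ${origin} not in allowlist` });
    }
    if (!s.integrity) {
      // Policy choice: require an SRI hash so a modified provider file fails to load.
      findings.push({ src: s.src, problem: "no Subresource Integrity hash" });
    }
  }
  return findings;
}

// In a browser, read the real page: Array.from(document.scripts, s => ({ src: s.src, integrity: s.integrity })).
// Constructed sample page for offline use: one clean script, one own-origin script
// without SRI, one unexpected third-party tag, and one inline script.
const SAMPLE_PAGE_SCRIPTS = [
  { src: "https://checkout.example-provider.invalid/sdk/1.0.0/provider.js", integrity: "sha384-PLACEHOLDER" },
  { src: "https://www.merchant-shop.invalid/js/cart.js", integrity: "" },
  { src: "https://cdn.analytics-vendor.invalid/tag.js", integrity: "" },
  { src: "", integrity: "" },
];

function auditSamplePage() {
  return auditPaymentScripts(SAMPLE_PAGE_SCRIPTS); // 4 findings on the sample above
}
```

Run the audit on every deploy and on a schedule against the live page; a non-empty result is a change to the payment page that needs review before you can keep attesting the conditions above.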
Good practices
Do not store raw card numbers. Let the Adyen UI collect and encrypt card data instead of capturing it yourself.
Use tokenization to reduce how much sensitive data you handle. A token replaces the card details for future payments.
Prefer Hosted Checkout, Drop-in, or Components when you can, to keep your scope at the SAQ A level. See Integration Methods.
If you are considering API Integration or any path that handles raw card data, check with Valpay first. Plan for the higher scope and stricter controls it brings, and let us confirm whether a lower-scope alternative fits your use case.
Talk to Valpay
PCI DSS guidance here is for general orientation and is not legal or compliance advice. Valpay is here to help you choose the lowest-scope option for your needs. Before you commit to any integration that increases your PCI scope, contact Valpay Support: we can advise on your specific obligations, which self-assessment applies, and whether we can offer an alternative.