Security at Adyen

We are committed to securing your personal data and have implemented measures to do so effectively. In order to prevent unauthorized people or parties from being able to access your data, we have put in place a range of technical and organizational measures to safeguard and secure the information we process about you. These include:

1. Security Program, Policies, and Personnel: 

We maintain an Information Security Program to identify risks and implement appropriate controls. This program is reviewed on a regular basis to ensure continued effectiveness and accuracy. We have a full-time information security team responsible for monitoring, maintaining, and continually improving our security. We have suitable and effective information security policies and procedures that are essential to complying with relevant regulations. 

2. Audits and Certifications:

We undergo independent verification of our security and compliance controls to help meet regulatory and policy objectives. Adyen’s current information security third-party independent audits include:

1. The Payment Card Information Data Security Standard (PCI-DSS) PCI DSS is a set of information security and business best-practice guidelines to establish a “minimum security standard” to protect customers’ payment card information. Adyen undergoes at least an annual third-party audit to certify our product  and payment platform with the PCI-DSS. 

2. Systems and Organization Controls 2 (SOC 2) Type 2 The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate Adyen’s information systems relevant to security, availability, confidentiality, and privacy. Adyen undergoes at least an annual third-party audit to report on the suitability of the design and the operating effectiveness of our controls.

3. Access Control and Privilege Management:

We restrict administrative access of our production systems to approved personnel. When hired, our approved personnel are assigned unique IDs and credentials. Upon termination of approved personnel, or where compromise of such credentials is suspected, administrative access is revoked. Access rights and levels are based on our employees’ job function and role, and are based on the security concepts of ‘least-privilege’ and ‘need-to-know’, to ensure access privileges are matched with defined responsibilities.

4. Data Encryption: 

We encrypt data, and in transmission with our user interfaces or APIs (using TLS or similar technologies) over the internet.

5.Security Monitoring and Incident Response: 

We have an incident management process for security events that may impact the confidentiality, integrity, or availability of our systems or data. This process includes  defined response times for Adyen to notify relevant parties. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to security incidents. 

6. Physical Security: 

At our physical locations, such as data centers, there are controls in place to prevent unauthorized physical access. These include: Security checkpoints, badged (or biometric) authentication, mandatory visitor sign-in, and video surveillance.

7. Network Management and Security:

We uphold industry-standard, and secure network architecture, supported by reasonably sufficient bandwidth and redundant network infrastructure to mitigate the impact of any individual component failure. Our security team utilizes industry-standard utilities to defend against known common unauthorized network activity, monitor security advisory lists for vulnerabilities, and undertake regular external vulnerability scans and audits.

8. Security in our Development Process

Our products and our payment platform are designed and developed with industry-defined security and privacy practices in mind. We maintain a documented product development lifecycle, known as a Secure Software Development Lifecycle (SSDLC), with formal development principles.