TLS Certificates on Adyen services
June 10, 2025 12:49
Keeping your connection to Adyen secure
Adyen uses Transport Layer Security (TLS) to make sure that when your systems talk to Adyen's systems the connection is secure and you can verify you are talking to our platform. TLS makes use of certificates in order to do this. Adyen regularly updates these TLS certificates for all its online services and follows industry best practices. You can find more specific information about the TLS versions and ciphers we support in our documentation.
Certificate pinning
Certificate pinning is a process where merchants connecting to our platform will only accept a specific, pinned certificate for our platform. If the Adyen platform at any point presents a different certificate during the TLS handshake – even a valid one issued by a trusted Certificate Authority (CA) – their application will refuse to connect to our platform.
Adyen cannot support certificate pinning. Here's why:
Outside our control: Certificate pinning is done on your systems, not Adyen's. Adyen can't see if you're doing it or what specific certificates you're pinning.
Risk of Broken Connections: If Adyen updates its certificates (which we do regularly, following industry best practices), and your system is looking for the old, specific certificate, your connection to Adyen will break. This could happen without warning.
Managing and rotating pinned certificates is a complex and error-prone process. In dynamic cloud environments where servers and certificates can change frequently, maintaining an accurate set of pins becomes a significant operational burden for you. This complexity increases the likelihood of misconfigurations that can inadvertently lock you out of our platform, even though the platform is fully operational.
Certificate Changes
When Adyen updates its certificates, it should not cause any problems for your connection. However, if you are using certificate pinning, you'll likely run into issues and your connections will break.
If You Absolutely Must Pin Certificates:
If your company policy requires you to use certificate pinning:
Pin Only the Root Certificate: Instead of pinning the entire certificate chain or specific parts like the individual "leaf" certificate, make sure to only pin the root certificate. You can find the latest Root CAs that Adyen uses at the DigiCert website.
Be Aware of Root CA Changes: Even the root certificate authority (Root CA) can change. Adyen might switch to a new Root CA at any time, either as regular business practice or in the case of emergencies. As regular business practice we will notify you 30 days in advance through a system message. In the case of emergencies the notification period might be shorter. It is your responsibility to ensure any applications (web, mobile, etc.) can handle these changes within those time periods.
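The failure modes described above, as an added example that is not Adyen's code: a fingerprint-based pin check run against the chains a client would see after a leaf renewal, an intermediate replacement and a Root CA switch. The byte strings are constructed stand-ins for DER certificates, all names are hypothetical, and the chain is assumed to be the verified chain built by the TLS library with the root included.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(verified_chain: list[bytes], pins: set[str]) -> bool:
    """Pinning check: accept only if some certificate in the chain is pinned."""
    return any(fingerprint(cert) in pins for cert in verified_chain)

# Constructed stand-ins for DER certificates (not real certificates).
ROOT_A, ROOT_B = b"constructed-root-A", b"constructed-root-B"
INT_A1, INT_A2, INT_B1 = b"constructed-int-A1", b"constructed-int-A2", b"constructed-int-B1"
LEAF_1, LEAF_2, LEAF_3, LEAF_4 = (b"constructed-leaf-%d" % i for i in range(1, 5))

# Verified chains (leaf, intermediate, root) presented over time.
EVENTS = {
    "initial": [LEAF_1, INT_A1, ROOT_A],
    "leaf_renewed": [LEAF_2, INT_A1, ROOT_A],
    "intermediate_replaced": [LEAF_3, INT_A2, ROOT_A],
    "root_ca_switched": [LEAF_4, INT_B1, ROOT_B],
}

# Pin sets a client might ship. The last one models a client that added the
# announced new root to its pins during the notification period.
STRATEGIES = {
    "leaf_pin": {fingerprint(LEAF_1)},
    "root_pin": {fingerprint(ROOT_A)},
    "root_pin_plus_new_root": {fingerprint(ROOT_A), fingerprint(ROOT_B)},
}

def survival_matrix() -> dict[str, dict[str, bool]]:
    """For each pin strategy, report whether each event's chain is accepted."""
    return {
        name: {event: pin_matches(chain, pins) for event, chain in EVENTS.items()}
        for name, pins in STRATEGIES.items()
    }

if __name__ == "__main__":
    for name, row in survival_matrix().items():
        shown = {e: "ok" if ok else "REFUSED" for e, ok in row.items()}
        print(f"{name:24}", shown)
```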