What is the PCI DSS?

All businesses that accept credit and debit card payments should comply with the PCI DSS.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard mandated by the leading Card Schemes including Visa and MasterCard to reduce the risk of card data breach.

PCI DSS industry summary

“Am I a service provider or a merchant?”

We maintain a retail environment of 120 stores plus a website. We bank with ANZ.

You are a merchant. You should validate compliance at the level your bank instructs. Normally this is either a full audit or an assisted self-assessment.

We offer an application to business customers and integrate with the payment gateway of their choice.

You are a service provider. You are much more likely to require a full audit, as service providers have only two levels to choose from.

We offer an application to business customers where payments go through to our Acquiring Bank, NAB.

You are both a merchant and a service provider. Being both is actually quite common and often misunderstood. You would require two Attestations of Compliance, one for each role.

We provide managed services but never see card data.

PCI compliance may not be strictly enforced on you, but if the service you provide can affect the security of card data, you will likely be heavily involved in your customers’ audits. Achieving full compliance yourself means you are not constantly dragged into external audits, and it is also a selling point.

Merchant levels

The thresholds below are the Visa and MasterCard levels; both schemes run their programs via Acquirers. Amex thresholds are lower, and Amex runs its own program in the Australian market.

Level 1

Merchants processing over 6 million transactions per annum. A full Report on Compliance (ROC) assessment is required.

Level 2

Merchants processing between 1 and 6 million transactions per annum. Banks in Australia generally accept a QSA-assisted Self-Assessment Questionnaire (SAQ) and will guide you on the validation required.

Level 3

Merchants processing between 20,000 and 1 million e-commerce transactions per annum. May complete an SAQ, or a ROC if they wish.

Level 4

All other merchants. May complete an SAQ, or a ROC if they wish.

Service Provider Levels

Service providers have only two levels. It is perfectly acceptable for a Level 2 Service Provider to complete an SAQ rather than a full audit.

Level 1

Processing over 300,000 Visa or MasterCard transactions per annum. A ROC assessment is required.

Level 2

Processing fewer than 300,000 Visa or MasterCard transactions per annum. May complete an SAQ, although some clients may contractually require a ROC at their discretion.