Payment Card Industry Data Security Standards (PCI DSS)

If you’re a merchant that accepts credit and debit card transactions, it’s your responsibility to store and process cardholder data securely in accordance with the PCI DSS.

The PCI DSS outlines requirements for prevention, detection, and actions for cardholder data security breaches. The way it should be implemented will depend on:

  • the nature and size of your business
  • the configuration of your card acceptance system
  • the service providers you work with.

To view resources and guidelines from the PCI Security Standards Council, please visit their website.

What are the security standards?

If you accept and process card transactions, there are 12 basic requirements which apply to you:

  1. install and maintain a firewall configuration to protect cardholder data
  2. don’t use vendor-supplied defaults for system passwords and other security parameters
  3. protect stored cardholder data
  4. encrypt transmission of cardholder data across open public networks
  5. use and regularly update anti-virus software or programs
  6. develop and maintain secure systems and applications
  7. restrict access to cardholder data by business need-to-know
  8. assign a unique ID to each person with computer access
  9. restrict physical access to cardholder data
  10. track and monitor all access to network resources and cardholder data
  11. regularly test security systems and processes
  12. maintain a policy that addresses information security for employees and contractors.

You can read more about the basic standards on the PCI DSS website.

Meeting PCI DSS requirements

To see if you meet PCI DSS requirements, you may need to complete one or more of the following validation tasks:

  1. complete the PCI DSS self-assessment questionnaire (SAQ)
  2. complete a vulnerability scan via an approved scanning vendor (ASV)
  3. perform an on-site assessment.

The number of validation tasks you are required to complete depends on your merchant level. The merchant levels defined by Mastercard and Visa, and the validation requirements for each, are set out below:

Level 1
Visa/Mastercard: merchants processing over six million transactions annually (all channels), or global merchants identified as level one by any card scheme
Validation requirements:
  • Annual on-site assessment by QSA
  • Quarterly network scans by ASV
  • Attestation of compliance

Level 2
Visa/Mastercard: merchants processing one million to six million transactions annually (all channels)
Validation requirements:
  • Annual SAQ
  • Quarterly network scans by ASV
  • Attestation of compliance

Level 3
Visa/Mastercard: merchants processing 20,000 to one million e-commerce transactions annually
Validation requirements:
  • Annual SAQ
  • Quarterly network scans by ASV

Level 4
Visa/Mastercard: merchants processing less than 20,000 e-commerce transactions annually, and all other merchants processing up to one million transactions annually
Validation requirements:
  • Annual SAQ
  • Quarterly network scans by ASV

Once you have completed the validation requirements, keep a copy of the PCI assessment/certificates in a secure location. We may reach out for evidence at various times as a condition of you holding a merchant terminal from us.

For more information on how to maximise the security of cardholder data, please visit the PCI DSS website.

Other resources

Visa and Mastercard have published resources on how to keep up to date with security standards and best practices. We recommend reviewing these resources to help with PCI DSS compliance and implementation:

Mastercard website

Visa website

Additional information

The information on this page has been prepared by Macquarie Business Banking, a division of Macquarie Bank Limited AFSL & Australian Credit Licence 237502 ("Macquarie") for general information purposes only, without taking into account your personal objectives, financial situation or needs. Before acting on this general information, you must consider its appropriateness having regard to your own objectives, financial situation and needs. The information provided is not intended to replace or serve as a substitute for any accounting, tax or other professional advice, consultation or service.

As this advice has been prepared without considering your cardholder data environment, you should consider its appropriateness to your circumstances and understand your ongoing obligations to maintain compliance with the PCI DSS.