What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a checklist of security requirements you must comply with if your business processes, transmits, stores or has access to card payment data.

This checklist was developed by the PCI Council whose members include Visa, Mastercard®, UnionPay International and other global credit card schemes.

The purpose of the PCI DSS is to:

  • Protect card payment data
  • Reduce the risk of unauthorised access and use of cardholder information.

What is card payment data?

Card payment data is any information about a scheme credit or debit card such as the cardholder's name, PIN, card verification code (the three-digit code on the back of a card), card number or expiry date.

Why is it important to protect card payment data?

If an unauthorised person gets access to card payment data stored in your business environment and attempts to commit fraud (known as an account data compromise or ADC), you could face financial penalties, the suspension or termination of your merchant facility, damage to your brand and ongoing audits at your own cost.

Making sure your business complies with the PCI DSS requirements greatly reduces the possibility of falling victim to an ADC. Get help to prevent and respond to an ADC.

What are the PCI DSS requirements?

The PCI DSS is a checklist of security requirements that apply to people, processes and technology involved in processing, transmitting, storing or accessing card payment data.

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programmes
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for employees and contractors.

Find out more about the PCI DSS requirements.

What are my PCI DSS obligations as a Westpac merchant?

If you're a Westpac merchant, it is a condition of your merchant agreement with us that your business and any third-party entity that processes, transmits, stores or accesses card payment data on your behalf complies with the PCI DSS requirements.

How the Westpac PCI DSS compliance process works.

If you're a Westpac merchant, our compliance team will review and classify your merchant level based on the nature and volume of your annual transactions. Our merchant levels always take precedence over Visa, Mastercard and UnionPay International PCI DSS levels. We reserve the right to reclassify your level at any time for any reason.

PCI DSS merchant levels & process.

For each PCI DSS merchant level, the table below sets out the annual transaction volumes processed, how to validate your compliance, and what to provide to Westpac.

Level 1 merchant

Annual transaction volumes processed:

  • Visa and Mastercard - More than 6 million transactions per annum (any type of transaction)
  • UnionPay International - More than 1 million transactions per annum (any type of transaction)

How to validate your compliance:

  • Annual on-site assessment completed by a Qualified Security Assessor (QSA).

What to provide to Westpac:

  • Report on Compliance (ROC)
  • Attestation of Compliance (AoC)
  • Most recent Approved Scanning Vendor (ASV) report

Level 2 merchant

Annual transaction volumes processed:

  • Visa and Mastercard - Between 1 and 6 million transactions per annum (any type of transaction)
  • UnionPay International - Between 100,000 and 1 million transactions per annum (any type of transaction)

How to validate your compliance:

  • Annual assessment by a Qualified Security Assessor (QSA).
  • Quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV).

What to provide to Westpac:

  • Attestation of Compliance (AoC)
  • Most recent ASV report

Level 3 merchant

Annual transaction volumes processed:

  • Visa and Mastercard - Between 20,000 and 1 million e-commerce transactions per annum
  • UnionPay International - Between 10,000 and 99,999 e-commerce transactions per annum

How to validate your compliance:

  • Annual Self-Assessment Questionnaire (SAQ) as advised by Westpac.
  • Quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV).

What to provide to Westpac:

  • Completed SAQ or Attestation of Compliance (AoC)
  • Most recent ASV report

Level 4 merchant

Annual transaction volumes processed:

  • All other merchants

How to validate your compliance:

  • Annual Self-Assessment Questionnaire (SAQ) as advised by Westpac.
  • Quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV).

What to provide to Westpac:

  • Completed SAQ or Attestation of Compliance (AoC)
  • Most recent ASV report

FAQs.

What will happen if I don't comply with the PCI DSS?

If you don't adequately protect your business from malicious attacks and your business experiences an account data compromise, you may be liable for financial penalties that could add up to hundreds of thousands of dollars.

Westpac also reserves the right to terminate a merchant facility under the contractual obligations in our MCCFA. That means your business may lose the ability to accept card payments.

I don't store card details. Do I still need to comply with PCI DSS?

Yes. If you process, transmit or have access to card payment data, your business and any third parties that act on your behalf need to comply with the PCI DSS - even if you don't store this data. You can find out about your obligations in section 4.7 of your merchant agreement with Westpac.

I only process a small number of card transactions. Do I still need to comply with PCI DSS?

Yes. Every business that processes, stores, transmits or has access to card payment data must comply with PCI DSS, regardless of the frequency or value of their transactions. You can find out about your obligations in section 4.7 of your merchant agreement with Westpac.

If I comply with the PCI DSS, is it a guarantee that my business won't be compromised?

No. The PCI DSS is a minimum security standard that helps to maintain a secure payment environment and protect card payment data at a basic level. Complying with PCI DSS greatly reduces the risk of an account data compromise but does not guarantee that your business is completely secure.

What else can I do to protect my business?

You can find more security tips for each type of payment channel on our accepting cards safely page.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Mastercard® is a registered trade mark and the circles design is a trade mark of Mastercard International Incorporated.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.