How to comply with the PCI DSS.
Merchants who process card transactions must comply with Payment Card Industry Data Security Standard (PCI DSS). Find out how to help your business become compliant.
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a checklist of security requirements you must comply with if your business processes, transmits, stores or has access to card payment data.
This checklist was developed by the PCI Council whose members include Visa, Mastercard®, UnionPay and other global credit card schemes.
The purpose of the PCI DSS is to:
- Protect card payment data
- Reduce the risk of unauthorised access and use of cardholder information.
What is card payment data?
Card payment data is any information about a scheme credit or debit card such as the cardholder's name, PIN, CVV (the three-digit code on the back of a card), card number or expiry date.
Why is it important to protect card payment data?
If an unauthorised person gets access to card payment data stored in your business environment and attempts to commit fraud (known as an account data compromise or ADC), you could face financial penalties, the suspension or termination of your merchant facility, damage to your brand and ongoing audits at your own cost.
Making sure your business complies with the PCI DSS requirements greatly reduces the possibility of falling victim to an ADC. Get help to prevent and respond to an ADC.
What are the PCI DSS requirements?
The PCI DSS is a checklist of security requirements that apply to people, processes and technology involved in processing, transmitting, storing or accessing card payment data.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programmes
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors.
What are my PCI DSS obligations as a Westpac merchant?
If you're a Westpac merchant, it is a condition of your merchant agreement with us that your business and any third-party entity that processes, transmits, stores or accesses card payment data on your behalf complies with the PCI DSS requirements.
What will happen if I don't comply with the PCI DSS?
If you don't adequately protect your business from malicious attacks and your business experiences an account data compromise, you may be liable for financial penalties that could add up to hundreds of thousands of dollars.
Westpac also reserves the right to terminate a merchant facility under the contractual obligations in our MCCFA. That means your business may lose the ability to accept card payments.
I don't store card details. Do I still need to comply with PCI DSS?
Yes. If you process, transmit or have access to card payment data, your business and any third parties that act on your behalf need to comply with the PCI DSS - even if you don't store this data. You can find out about your obligations in section 4.7 of your merchant agreement with Westpac.
I only process a small amount of card transactions. Do I still need to comply with PCI DSS?
Yes. Every business that processes, stores, transmits or has access to card payment data must comply with PCI DSS, regardless of the frequency or value of their transactions. You can find out about your obligations in section 4.7 of your merchant agreement with Westpac.
If I comply with the PCI DSS, is it a guarantee that my business won't be compromised?
No. The PCI DSS is a minimum security standard that helps to maintain a secure payment environment and protect card payment data at a basic level. Complying with PCI DSS greatly reduces the risk of an account data compromise but does not guarantee that your business is completely secure.
What else can I do to protect my business?
You can find more security tips for each type of payment channel on our accepting cards safely page.
Things you should know.
The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.
Mastercard® is a registered trade mark and the circles design is a trade mark of Mastercard International Incorporated.
Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.