Protect your business from rising costs. Switch to zero-cost EFTPOS.

Protect your business from rising costs. Switch to zero-cost EFTPOS. Learn more

How to Prove PCI Compliance


10.05.2021 Security

How to Prove PCI Compliance

If your business accepts card payments, you must comply with this global standard to protect cardholder data.

No matter your business’s size or structure, if you accept electronic transactions, you have a duty to comply with the latest Payment Card Industry Data Security Standard (PCI DSS) rules and regulations — the global standard for accept, store, process, and transmit cardholder data.

Keep reading to understand what PCI compliance is, your compliance obligations as an Australian business owner, the easiest way to be PCI compliant, and what can happen if you can’t prove compliance during an audit.

What is PCI compliance?

PCI DSS is a global security standard designed to make sure all parties involved in the processing of card payments (including the issuer, acquirer, payment processor, and merchant) do so safely and securely, to prevent potential data breaches. The standard is administered and managed by an independent body called the PCI Security Standards Council (PCI SSC).

There are 12 requirements to follow, from encrypting data transmitted to scanning and testing for vulnerabilities. Annual audits are conducted to ensure businesses are PCI DSS compliant.

When did PCI compliance start?

As the internet became more widely accessible, data theft and payment fraud became a risk for businesses and consumers alike. So, in 2004, the world’s five largest credit card brands — Visa, MasterCard, American Express, JCB International, and Discover Financial Services — put their heads together to develop a common set of security standards for payment processing. PCI DSS 1.0 was introduced in December of the same year. 

Two years later, those same brands forged the PCI DSS council as a means to oversee and improve upon these standards. PCI DSS 1.1 was released in 2006, and since then we’ve seen a number of updated versions. The current standard today is PCI DSS 3.2.1. However, PCI DSS 4.0 is expected to be released sometime this year — and commentators expect the changes to be significant. 

Is PCI compliance mandatory? 

In the past, PCI compliance was reserved for those businesses processing in excess of 6 million credit card transactions per year. Now, the requirements apply more broadly. Chances are, if you run a business, you are required to be PCI compliant.

PCI compliance is mandatory in Australia for all businesses that store, process, or transmit cardholder information.

Complying with the standards means you’ll have a strong, up-to-date security plan in place — which is not only good for your customers and your business, but also for your peace of mind.

PCI compliance audit requirements

To become (and remain) PCI compliant, your business must keep up-to-date with all new policies and procedures surrounding data security. You must continue to meet all the standard requirements in order to pass the PCI compliance audit. That’s why it’s recommended that you regularly check your systems for compliance, rather than waiting until you’re audited. 

The 12 requirements you need to achieve and maintain in order to be PCI compliant for your annual audit can be categorised under six broader goals. 

Build and maintain a secure network 

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Keep cardholder data secure 

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Manage any vulnerabilities

  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications

Implement and maintain strong access control measures

  1. Restrict access to cardholder data by business need-to-know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Monitor and test your network 

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Abide by your information security policy

  1. Maintain a policy that addresses information security for all personnel

Who is responsible for a merchant’s PCI compliance?

Every entity that stores, processes, and transmits card payments needs PCI DSS compliance certification. This includes financial institutions, service providers, and merchants. Certification is important to not only avoid fraud, but also to show your customers that your business is safe to transact with.

In saying that, acquirers and issuers are responsible for making sure that all of their service providers, merchants, and merchants’ service providers are in compliance with the PCI DSS regulations. 

What are the PCI DSS compliance levels? 

PCI compliance is prioritised by a tier system of four different levels, determined by the number of debit or credit transactions an entity processes across a twelve-month period. The level classifies exactly what a business needs to do in order to stay compliant. 

There are four levels of compliance, which look relatively straightforward at first glance.   

Level 1

Level 1 is the highest PCI DSS compliance level. It typically applies to merchants processing six million or more credit and debit transactions annually, as well as merchants who have experienced an attack or data breach that compromised their account data. 

Businesses operating at this level must submit to an Annual Report on Compliance (ROC), conducted by a Qualified Security Assessor (QSA). Additionally, each quarter there is a network scan performed by an Approved Scanning Vendor (ASV).

Level 2

Applies to merchants that process between one million and six million credit and debit transactions annually. The PCI requirement is that they complete an assessment once a year using the Self Assessment Questionnaire (SAQ), and provide evidence of a passing scan.

Level 3

Level 3 typically applies to mid-size merchants that process 20,000 to one million transactions annually. They must complete an assessment once every year using the SAQ tool, and provide evidence of a passing scan.

Level 4

The lowest level, Level 4, applies to merchants processing fewer than 20,000 e-commerce transactions annually, as well as merchants that process up to one million in-person card transactions per year — so long as that merchant has not suffered a data breach or attack, compromising cardholder data. Merchants that fall into either of these categories must typically complete an assessment using the SAQ tool, and have an approved scanning vendor conduct quarterly scans.

However, card issuers each define their own merchant levels differently — making it difficult to know where your business truly sits. Read more about the PCI DSS merchant levels.

How to fill out PCI compliance questionnaire 

The PCI DSS Self-Assessment Questionnaire is an extensive checklist merchants use to self-validate their compliance with PCI requirements. All Zeller products are PCI Level 1 compliant — we make sure your business is compliant, on your behalf. 

However, if you are not using Zeller and need to fill out the SAQ, you can download the form here. Before you begin, ensure you have identified your merchant level, and the PCI compliance requirements for your level.

What if I can’t prove PCI compliance?

If you are not PCI compliant you run the risk of data breaches, PCI non-compliance fines, card replacement costs, and potentially the expense of forensic audits and investigations into your company. If you’re having trouble figuring out how to become PCI compliant, consider seeking the guidance of a professional.

Zeller takes care of PCI compliance on your behalf

Zeller is PCI-DSS certified. When you process your payments through Zeller Terminal, you don’t need to worry about maintaining and updating your own compliance. It’s just one way our team of security experts keeps you, your business, and your customers safe.

However, you do still need to safeguard your terminal by putting in place policies and procedures around terminal PINs, where your terminal lives when not in use, staff training and more. Visit the Zeller Support Centre for more guidance on protecting your terminal from fraudsters.