Your guide to the Payment Card Industry Data Security Standard

If your business has access to or stores card details in any format or uses a service provider that does, you must protect your customers' card payment data. The Payment Card Industry Data Security Standards (PCI DSS) outline the minimum data security and compliance validation requirements to store, process and transmit card payment data.

Failure to have adequate data security controls and experiencing a data breach can damage your business, including reputational harm and financial fines or penalties. If you suspect any data breach within your business, it is essential to notify us immediately.

You can find more information on PCI DSS and helpful merchant resources by visiting pcisecuritystandards.org.

What is PCI DSS?

PCI DSS is a set of standards created by the Payment Card Industry Data Security Standards Council to encourage and enhance card payment data security. The PCI DSS consists of six primary principles to secure networks, data, access, vulnerabilities, and information security policies.

Why is PCI DSS important for my business?

PCI DSS is essential for businesses of all sizes to help prevent card payment data breaches and maintain customer trust. Fraudsters use increasingly sophisticated techniques to find weaknesses and gain access to sensitive information and card payment data.

In addition to financial losses, a data breach can severely harm your business's reputation, leading to long-term consequences such as customer harm, class-action lawsuits, and penalties.

All merchants must be PCI DSS compliant as part of the terms and conditions of your merchant facility that form part of your merchant agreement with us. If you use a third-party service provider other than Westpac, you must also ensure they are PCI DSS compliant.

What are my compliance requirements?

To ensure that card payment data is handled safely, you may need to undertake certain activities to ensure that your business meets the requirements of PCI DSS. The validation requirements for each PCI compliance level depend on the number of transactions processed each year and whether you take payments online. The table below outlines the validation requirements that you may need to complete.

PCI compliance level	Number of Visa or Mastercard transactions processed each year	Validation requirements:
Level 1	More than 6 million transactions	Annual Report on Compliance (RoC) assessment completed by a PCI-approved Qualified Security Assessor (QSA) company. Quarterly vulnerability scans completed by a PCI-approved scanning vendor.
Level 2	Between 1 to 6 million transactions	Annual Self-Assessment Questionnaire (SAQ). You may also need to engage a PCI-qualified security assessor or company to assess and validate compliance, depending on how your business handles card data. Quarterly vulnerability scans by a PCI-approved scanning vendor.
Level 3	eCommerce merchants processing more than 20,000 transactions up to 1 million transactions	Annual SAQ Quarterly vulnerability scans by a PCI-approved scanning vendor.
Level 4	All other merchants	You should complete the annual SAQ and quarterly vulnerability scans by a PCI-approved scanning vendor.

What should I do if I'm non-compliant with the PCI DSS?

Once you've completed these activities, you may discover that some deficiencies in your business environment don't meet the PCI DSS. It is critical to develop a plan outlining actions for each non-compliant element and estimating timeframes for completing each task.

If you are a non-compliant level 1, 2, or 3 merchant, then you must complete and provide us with an updated 'Prioritised Approach (PA) Tool' quarterly, which tracks your progress towards compliance. You can find validation documents and the PA on the PCI SSC website, pcisecuritystandards.org.

Our PCI DSS specialists can assist you throughout this process and will then manage your annual re-validations once you meet full compliance.

What do I do if I suspect a data breach has happened?

If you suspect or have confirmation of a data breach, you must contact us immediately. You can contact us by:

Calling your Relationship Manager or our 24/7 Helpdesk on 1800 029 749.
Emailing our Merchant Risk Team on pci@westpac.com.au

We may require you to engage a PCI-approved company to conduct a forensic investigation to determine when the data breach occurred, how it happened, and whether any card payment information was at risk. You must avoid attempting to change or remove evidence that may impact the ability to conduct the forensic investigation.

Helpful resources:

PCI Security Standards Council: pcisecuritystandards.org
Visa: visa.com.au
Mastercard: mastercard.com.au
If you have any questions, please email us at pci@westpac.com.au

Things you should know:

This information is current as of June 2024.