PCI DSS - Protecting payment card information

Protecting credit card data such as card numbers and other sensitive information is an important part of running your business. The Payment Card Industry Security Standards Council aims to enhance credit card payment security through the mandatory adoption of the PCI Data Security Standard (PCI DSS) by all businesses that store, process and/or transmit credit card data.

What is PCI DSS?

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a standard concerning security of payment card data. Visa, MasterCard and American Express have collaborated to create this single set of industry standards.

What does PCI DSS mean?

Simply put, PCI DSS details the minimum standards required of anyone who stores, processes or transfers payment card data. Not all the standards are applicable to every business - it depends on what a given business does with payment card data, and how.

How do you define 'payment card data'?

Payment card data includes any of the information printed on a credit or debit card, or encoded on a magnetic stripe or microchip.

Examples of payment card data include:

  • Data stored in the magnetic stripe on the back of the card
  • The three-digit card validation code
  • The cardholder's PIN
  • Card number (also known as the Primary Account Number or PAN)
  • Expiry date
  • Cardholder's name

Why is data security so important?

Security is one of the biggest concerns that cardholders have about using their credit or debit card. The objective for PCI DSS is to protect card data from threats and to minimise data breach risks to merchants of all sizes. When payment card data or customer data is stolen or compromised it can lead to brand damage, litigation or fraud.

All of these outcomes can be extremely damaging to consumer confidence, making it harder to attract and keep customers - even if it wasn't your business at fault.

For this reason ASB strongly recommends that you do not store, process or transfer payment card data unless absolutely necessary.

How did PCI DSS come about?

Years ago, when most credit card transactions took place using paper vouchers, security was straightforward - you could 'store' cardholder data in a safe, and destroy it by shredding and burning all copies.

In the modern era, most card transactions are processed electronically. The focus has shifted to ensuring that all systems that 'touch' cardholder data (for example, EFTPOS terminals, web-hosting providers, shopping carts and ERP systems) keep it secure. Visa, MasterCard and American Express (as leaders in the payment card industry) took the lead to help ensure the industry understands its obligations.

Is my business responsible?

What could potentially happen if my business is responsible for a compromise of payment card data?

Because the potential consequences resulting from a data compromise are so severe, Visa and MasterCard have set out reporting requirements for merchants and have announced their intention to fine any bank whose merchant is responsible for a compromise. ASB reserves the right to pass on part or all of any such fine or any related costs (such as consultancy and investigation costs) to the merchant concerned.

PCI DSS Compliance

What does PCI DSS compliance mean?

To be PCI DSS compliant, you first need to understand exactly where and how your business stores, transmits or processes payment card data. Once you understand that, you can then assess whether your business meets the required security standards.

If your business doesn't store, process or transfer payment card data, then becoming PCI DSS compliant is relatively easy.

What is my first step?

To assess the level of compliance of your specific business and ensure it becomes (then stays) compliant, you need to complete a self-assessment questionnaire once each year.

The self-assessment questionnaire (SAQ) is a free and confidential tool. This website contains detailed information on which specific self-assessment questionnaire applies to your business. If you can't decide which SAQ to use, please consult your business's IT advisor or contractor.

What else do I have to do?

You need to ensure your computer network remains secure. Part of maintaining a secure environment for payment card data is maintaining a secure computer network - particularly where your network 'touches' the internet.

To help you maintain a secure network, you need to ensure that any internet connections (modem, DSL or dial-up), internet servers or routers, websites, e-mail systems, firewalls or data transmission points (including FTP and DNS) are scanned for potential vulnerabilities at least every three months by an approved scanning vendor.

If you monitor or report on PCI compliance, ASB recommends keeping a copy of each completed scanning report and self-assessment questionnaire that you complete.

ASB may be able to provide you access to an easy-to-use PCI Compliance portal to assist you with your PCI Compliance and reporting requirements. Please contact the ASB Merchant Sales team to find out whether your business is eligible for access.

Next steps

Enquire online

Tell us about your business and how we can help, and one of our team will get back to you.


Find out more

The Official PCI Security Standards Council website has new updates and more info.


Read more

Refer to ASB Merchant Operating Guide.
