What to Know: Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a security checklist that you must follow if your company processes, transmits, stores or has access to card payment data.

The PCI Council, whose members include Visa, Mastercard®, UnionPay International and other global card schemes, created this checklist.

The PCI DSS was created to protect card payment data and reduce the possibility of unauthorised access and use of cardholder data.

What is card payment data?

Any information about a scheme credit or debit card, such as the cardholder’s name, PIN, card verification code (the three-digit code on the back of a card), card number or expiry date, is considered card payment data.

If an unauthorised person gains access to card payment data stored in your business environment and uses it to commit fraud (known as an account data compromise, or ADC), you may face financial penalties, suspension or termination of your merchant facility, brand damage and ongoing audits at your expense.

Making sure the business conforms with the PCI DSS criteria considerably reduces the likelihood of becoming a victim of an ADC. Seek assistance with preventing and responding to an ADC.

What are the PCI DSS requirements?

The PCI DSS is a security requirement checklist that applies to people, processes and technology involved in processing, transmitting, storing or accessing card payment data.

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programmes
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for employees and contractors

If you need more information and industry resources on how to protect your business, please visit this site.

What are my PCI DSS obligations as a Smartpay customer?

If you’re a Smartpay customer (also known as a Smartpay merchant), it is a condition of your merchant agreement with us that your business and any third-party entity that processes, transmits, stores or accesses card payment data on your behalf complies with the PCI DSS requirements.

How does the Smartpay PCI DSS compliance process work?

Our compliance team will periodically contact you to review and classify your merchant level based on the nature and volume of your annual transactions. Our merchant levels always take precedence over the Visa, Mastercard and UnionPay International PCI DSS levels. We reserve the right to reclassify your level at any time for any reason.

For each PCI DSS level: the annual transaction volume that defines it, how to validate your compliance, and what to provide to Smartpay.

Level 1 merchant
  • Annual transaction volume processed: Visa and Mastercard – more than 6 million transactions per annum (any type of transaction)
  • How to validate your compliance: annual on-site assessment completed by a Qualified Security Assessor (QSA).
  • What to provide to Smartpay: Report on Compliance (ROC); Attestation of Compliance (AoC); the most recent Approved Scanning Vendor (ASV) report.

Level 2 merchant
  • Annual transaction volume processed: Visa and Mastercard – between 1 and 6 million transactions per annum (any type of transaction)
  • How to validate your compliance: annual assessment by a Qualified Security Assessor (QSA); quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV).
  • What to provide to Smartpay: Attestation of Compliance (AoC); the most recent ASV report.

Level 3 merchant
  • Annual transaction volume processed: Visa and Mastercard – between 20,000 and 1 million e-commerce transactions per annum
  • How to validate your compliance: annual Self-Assessment Questionnaire (SAQ) as advised by Smartpay; quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV).
  • What to provide to Smartpay: completed SAQ or Attestation of Compliance (AoC); the most recent ASV report.

Level 4 merchant
  • Annual transaction volume processed: all other merchants
  • How to validate your compliance: annual Self-Assessment Questionnaire (SAQ) as advised by Smartpay.
  • What to provide to Smartpay: completed SAQ or Attestation of Compliance (AoC). Level 4 merchants should also conduct quarterly network scans, but reporting isn’t required.

PCI DSS FAQ

What will happen if I don’t comply with the PCI DSS?

If you don’t adequately protect your business from malicious attacks and your business experiences card data compromise, you may be liable for financial penalties.

Smartpay reserves the right to terminate a merchant facility under the obligations set out in our contract. That means your business may lose the ability to accept card payments.

Do I still need to comply with PCI DSS if I process a small number of transactions per month?

Yes. Regardless of the number of transactions, if you process, transmit or have access to card payment data, your business and any third parties that act on your behalf must comply with the PCI DSS – even if you don’t store this data.

If I comply with the PCI DSS, is it a guarantee that my business won’t be compromised?

No. The PCI DSS is the security standard that helps to maintain a secure payment environment and protect card payment data at a basic level. Complying with PCI DSS greatly reduces the risk of an account data compromise but does not guarantee that your business is completely secure. It is good business and security practice to ensure your business can trade securely.

What else can I do to protect my business?

See the security tips for card present and card not present (MOTO) transactions.

Card Present Transactions

Each item lists what to do, when to do it and who is responsible.

  • Have a PCI DSS compliant terminal. When: at set up, and annually thereafter. Who: Merchant/Smartpay.
  • Change the default password of your EFTPOS terminal. When: at set up. Who: Merchant.
  • Create a plan for when you detect unauthorised access. When: at set up, and annually after that. Who: Merchant.
  • Keep your terminal secure outside of normal business hours by switching it off and locking it away in a safe place. When: daily. Who: Merchant.
  • Ensure only authorised people within your business know how to operate the terminal and have access to it. When: daily. Who: Merchant.
  • Inspect your terminal for signs of damage or tampering. Check that cabling hasn’t been tampered with, stickers haven’t been removed or replaced, and that there are no additional or unknown items or electronic equipment connected to the terminal. When: daily. Who: Merchant.
  • Ensure your EFTPOS terminal is up to date with the latest software and firmware. When: when notification is received, or within a month of release. Who: Smartpay.
  • Establish inventory control of your terminals. Keep a record of how many terminals your business uses, their physical locations, software and firmware versions, serial numbers, model numbers and the details of your terminal provider. When: annually. Who: Merchant.
  • Conduct staff background checks. When: at the start of employment. Who: Merchant.
  • Create an incident response plan if issues arise. When: annually. Who: Merchant.

Card Not Present (MOTO) Transactions

Each item lists what to do, when to do it and who is responsible.

  • Have a PCI DSS compliant terminal. When: at set up, and annually thereafter. Who: Merchant/Smartpay.
  • Ensure controls are in place to identify who has accessed your payment system, and create a plan for when you detect unauthorised access. When: at set up, and annually thereafter. Who: Merchant.
  • Create a unique user ID and password for each staff member with access to your system. When: at set up. Who: Merchant.
  • Change the default passwords on systems, applications and devices. When: at set up. Who: Merchant.
  • Don’t store card information such as the cardholder PIN or card verification code (three digits on the back of the card). When: daily. Who: Merchant.
  • Only allow authorised staff to process MOTO payments. When: daily. Who: Merchant.
  • Conduct staff background checks. When: at the start of employment. Who: Merchant.
  • Create an incident response plan if issues arise. When: at set up, and annually thereafter. Who: Merchant.
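The requirement to "Protect stored cardholder data" and the MOTO tip not to store the card verification code both come down to one practical check: does any system, log or export in your environment contain full card numbers or verification codes? The scanner below is an added illustration of such a check; it is example code written for this page, not Smartpay's own tooling or a PCI DSS-mandated tool. It finds candidate card numbers in text with a Luhn check to filter out ordinary 16-digit order numbers, flags `cvv=`-style fields, and reports each hit with the number masked to the first six and last four digits (the maximum PCI DSS allows to be displayed). The log lines are constructed for the example; the two card numbers are the public Visa and Mastercard test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from any real system). Line 1 carries an
# order number that happens to be 16 digits, line 4 a reference that fails
# the Luhn check; neither should be reported as a card number.
SAMPLE_LINES = [
    "2024-05-01 10:02:11 order=1234567890123456 status=ok",
    "2024-05-01 10:02:12 pan=4111 1111 1111 1111 exp=12/26 cvv=123",
    "2024-05-01 10:02:13 customer=J.Smith card=5555-5555-5555-4444",
    "2024-05-01 10:02:14 ref=4111111111111112 note=not-a-card",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled verification-code field such as "cvv=123" or "CVC: 1234".
CVV_FIELD = re.compile(r"(?i)(\b(?:cvv2?|cvc|cid)\b\s*[:=]\s*)\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str     # "PAN" or "CVV"
    masked: str   # value safe to place in a report


def scan_lines(lines: list[str]) -> list[Finding]:
    """Report every full card number or verification code found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append(Finding(n, "PAN", mask_pan(pan)))
        if CVV_FIELD.search(line):
            findings.append(Finding(n, "CVV", "[REDACTED]"))
    return findings


def redact_line(line: str) -> str:
    """Return the line with card numbers masked and CVV values removed."""
    def _mask(m: re.Match) -> str:
        digits = _strip_separators(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    line = PAN_CANDIDATE.sub(_mask, line)
    return CVV_FIELD.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Running this over the constructed lines reports the card number and CVV on line 2 and the card number on line 3, while the order number on line 1 and the reference on line 4 are ignored because they fail the Luhn check. The report itself only ever contains masked values, so the scanner does not create a second copy of the data it is looking for; `redact_line` shows the same rule applied to log output before it is written. A scanner like this is a detective control to support the "track and monitor" requirement, not a substitute for not collecting the data in the first place.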