Guides and reports
PCI DSS compliance: Everything you need to know
Helen Huyton, Merchant Data Security Analyst at Adyen, dives into the not-so-scary world of PCI DSS compliance.
Disclaimer: This article should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification.
As the population increases, so does the amount of data that’s processed every day. In the last few years alone, over 90% of the data in the world was generated. And it’s only going to increase.
According to PCI SSC, the average total cost of a data breach is $3.8 million, which is a compelling reason to avoid one if you possibly can. And, while it can be hard to stay on top of compliance requirements, poor handling of payment card details can have serious implications.
In this article, we’ll explore what we’ve learned over the years in helping businesses stay on the right side of PCI DSS. And we’ll outline the steps you can take to build a sustainable, secure business.
What is PCI DSS compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of Mastercard, Visa, American Express, JCB, and Discover.
PCI DSS has six core principals:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management programme
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
PCI compliance requirements
The PCI DSS requirements applicable to your business will depend on your compliance level (explained below) and your integration type. But, broadly speaking, there are 12 PCI compliance requirements:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programmes
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
To whom does PCI compliance apply?
Every business accepting credit card payments in Australia has to comply with PCI DSS. Even though PCI DSS is not part of any law in Australia, the standard is applied around the world and enforced by card networks like Mastercard or Visa.
And there are some pretty significant penalties and costs for organisations that don’t comply with the requirements. On top of that, there’s a chance card networks will significantly lower or eliminate PCI fines if you can prove you’ve taken all the necessary steps to be PCI DSS compliant.
PCI compliance levels
The PCI scope will depend on the compliance level to which your business is assigned based on your annual card transaction volume. There are four levels.
Level 1
Description
This is the highest security level and you're here either because of three reasons. You process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express; or you've experienced a data breach in the past; or, a card network has seen fit to categorise you as Level 1.
Level 2
Description
You process between 1 to 6 million transactions each year.
Level 3
Description
You process between 20,000 to 1 million online transactions or less than one million in total each year.
Level 4
Description
You process less than 20,000 online transactions or less than one million in total each year.
How to be PCI compliant
To become PCI compliant, you will have to implement the requirements that are applicable to your compliance level. And fill in a form or two. The most common form is the ‘Self-Assessment Questionnaire A’ or ‘SAQ A’.
The SAQ A is intended as a tool to help you assess which requirements you need to implement. The fundamentals of the assessment consist of three security best practices:
Don’t use preset usernames, passwords, and factory settings
Use strong passwords and unique user IDs – at least 7 character passwords (numeric, alphabetic and special characters)
Stay up to date with new software patches as soon as they’re released
7 steps to becoming PCI DSS compliant
In addition to the basics above, here’s a PCI compliance checklist showing a breakdown of the steps you need to take to ensure that your Australian business is PCI compliant.
1. Map the flow of cardholder data: Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems, and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.
2. Scope your environment: The scope is the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD). More information can be found here.
3. Make an assessment: Assess your current level of PCI compliance according to an SAQ A form. The person completing the assessment should have sufficient knowledge to be able to assess the environment.
4. Make any necessary changes: You may realise your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.
5. Fill out the Self-Assessment Questionnaire (SAQ) A: This form should be completed and signed by a professional qualified to sign off on security related matters. This might be your Chief Security Officer or Chief Technology Officer.
6. Submit documents to your Payments Service Provider (PSP): Once you’ve completed your forms, you can submit them to your PSP (such as Adyen).
7. Setup regular monitoring: Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event, but a continuous, ongoing process.
Note: Sometimes your payment page may be overlooked
If an attacker gains unauthorised access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker. The risks associated with this integration can be significantly reduced by implementing the requirements as outlined in the SAQ A.
PCI DSS 4.0
The latest version of PCI DSS was introduced in March 2022. The 12 core PCI DSS requirements remain fundamentally the same. But 4.0 also includes an expansion of requirements in developing security and technology areas such as mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.
To guide the creation of version 4.0, the PCI Security Standards Council agreed on these four objectives:
To ensure the standard continues to meet the security needs of the payments industry
To add flexibility and support of additional methodologies to achieve security
To encourage businesses to view security as a continuous process
To enhance validation methods and procedures to be more robust
PCI DSS 4.0 is designed to ensure account data is properly protected and that businesses are clear on their responsibilities in making that happen. It will also ensure the standard is aligned with the latest changes in the security landscape, expanding requirements into a few new areas, and providing clearer guidance for businesses to follow.
As always, Adyen is ahead of every update to compliance standards around the world, and work closely with all parties involved to ensure a more secure payments space for everyone.
Still need more information on PCI DSS compliance? Explore Adyen Help for more details.
Frequently asked questions
Is PCI DSS mandatory in Australia?
While PCI compliance is not required by law in Australia, card networks enforce compliance through their contracts to ensure that the standards are met.
What are PCI compliance levels Australia?
PCI compliance levels in Australia are the same as those in any other markets.
Level 1
Description
This is the highest security level and you're here either because of three reasons. You process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express; or you've experienced a data breach in the past; or, a card network has seen fit to categorise you as Level 1.
Level 2
Description
You process between 1 to 6 million transactions each year.
Level 3
Description
You process between 20,000 to 1 million online transactions or less than one million in total each year.
Level 4
Description
You process less than 20,000 online transactions or less than one million in total each year.
How do I become PCI compliant in Australia?
Working towards PCI DSS compliance can be challenging, especially if you don't have an existing framework to protect sensitive information. To help streamline the process of becoming PCI compliant in Australia, Adyen offers integrations that handle most of the PCI DSS requirements. Find out more here.
Additionally, you have to validate your PCI DSS compliance every year. You can validate your compliance by either of the two methods:
Completing a Self-Assessment Questionnaire (SAQ) if you process less than 6 million transactions per acquiring region per year
Engaging a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you
Results of the assessment must be included in an official PCI SSC validation document and then provided to Adyen. More information about validating your PCI DSS compliance here.
About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.
Fresh insights, straight to your inbox
Subscribe to email alerts
By submitting your information you confirm that you have read Adyen's Privacy Policy and agree to the use of your data in all Adyen communications.