What are the Payment Card Industry Data Security Standards?

The Payment Card Industry Data Security Standards (PCI DSS) are a set of security requirements for any business that stores, processes or transmits cardholder data. They help you take card payments securely.

As a business owner, it’s important that you understand and apply these standards. 

Meeting these standards will help you protect your data and your customers' information from breaches and theft. These standards cover how you:

  • take a payment online
  • take a payment through an electronic payment terminal
  • handle a card number read to you over the phone
  • handle a card number received in a letter or email.

The PCI Security Standards Council

The PCI Security Standards Council is a global forum where the payment industry comes together to develop, enhance, share and promote understanding of security standards for payment account security.

The Council members include:

  • American Express
  • Discover Financial Services
  • JCB International
  • MasterCard
  • Visa Inc.

Read the Payment Card Industry Data Security Standards.

Who do the standards apply to?

All Australian businesses that accept card payments need to comply with the PCI DSS, regardless of business size. You can't partially comply. How you validate your compliance (which self-assessment questionnaire you complete, or whether you need an independent assessment) depends on how you accept payments and how many transactions you process.

Assess your business compliance

Check your PCI DSS compliance with the PCI Security Standards Council's assessment questionnaires.

  • Select and complete the self-assessment questionnaire (SAQ) that applies to your business and the way you take payments.
  • If you have a larger business or process a high volume of transactions, you may need an independent assessment by a Qualified Security Assessor (QSA).

Why it’s important to be PCI compliant

Having a strong, up-to-date security plan in place is not only good for your business, but also for your peace of mind.

Following the PCI DSS in your business will:

  • reassure your customers that their card details are secure when they pay you
  • maintain customer trust in your business, which is good for your reputation
  • show your commitment to improving the shopping experience for your customers and protecting their data
  • reduce the risk of attackers getting into your payment systems and networks and stealing cardholder data.

Each payment card brand (for example, Visa or MasterCard) has its own compliance program. Check with your financial institution for compliance information.

12 key requirements of the standards

The PCI DSS includes 6 goals with 12 requirements.

Build and maintain a secure network

1. Use a firewall on your network and PCs to protect cardholder data.

2. Change vendor-supplied defaults, including default passwords and default accounts, on all hardware and software before you put it into use. Choose strong passwords for all your business systems.

Protect cardholder data

3. Protect any cardholder data you store.

4. Encrypt cardholder data with strong cryptography (for example, TLS) whenever it's transmitted across open, public networks, including the internet and wireless networks.

Maintain a vulnerability management program

5. Protect all systems against malware. Run anti-virus (anti-malware) software and keep it, and all your other software, up to date.

6. Develop and maintain secure systems and applications, and apply security patches promptly.

Implement strong access control measures

7. Restrict access to cardholder data to the people whose job requires it (a need-to-know basis).

8. Give each employee their own unique login (user name and password) to computer systems, never share accounts, and use multi-factor authentication for access to systems that handle cardholder data.

9. Restrict physical access to cardholder data. Never store sensitive authentication data (the full magnetic stripe or chip data, the 3 or 4 digit card verification code, or the PIN) after a payment is authorised, whether on a computer or on paper.

Regularly monitor and test networks

10. Track and monitor all access to your network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security for all employees who access your IT and payment systems.
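Requirements 3, 9 and 10 come down to one practical check that a small business can actually run: make sure full card numbers are not sitting where they shouldn't be, such as application or web server logs, and that any number you must show is masked. The Python below is an added example, not code from this page or from the PCI Security Standards Council. It scans constructed log lines for primary account numbers (PANs), uses the Luhn check to filter out ordinary digit runs such as order and session IDs, and masks each real PAN so that at most the first six and last four digits are visible, the masking PCI DSS permits for display. The log lines, function names and masking format are assumptions for illustration; the two card numbers that pass the check are the well-known test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real transactions). 4111... and 5555...4444
# are the well-known test card numbers; the other long digit runs fail Luhn.
SAMPLE_LOG = [
    "2024-03-02 10:15:32 INFO order=8831 card=4111 1111 1111 1111 amount=49.95",
    "2024-03-02 10:15:33 INFO order=8832 card=5555-5555-5555-4444 amount=12.00",
    "2024-03-02 10:15:34 INFO order=8833 ref=4111111111111112 amount=7.50",
    "2024-03-02 10:15:35 INFO session=1234567890123 ok",
]


def luhn_valid(digits):
    """Return True if a string of digits passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN so that at most the first 6 and last 4 digits remain visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(match_text):
    """Strip the space/hyphen separators people put in card numbers."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(line):
    """Return the Luhn-valid PANs found in one line, separators removed."""
    return [
        _normalise(m.group(0))
        for m in PAN_CANDIDATE.finditer(line)
        if luhn_valid(_normalise(m.group(0)))
    ]


def scrub_line(line):
    """Replace each Luhn-valid PAN in a line with its masked form; return (line, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave the text untouched

    return PAN_CANDIDATE.sub(repl, line), count


def scan_log(lines):
    """Scrub every line; return (cleaned_lines, total_pans_found)."""
    cleaned, total = [], 0
    for line in lines:
        new_line, n = scrub_line(line)
        cleaned.append(new_line)
        total += n
    return cleaned, total


if __name__ == "__main__":
    cleaned_lines, found = scan_log(SAMPLE_LOG)
    print("\n".join(cleaned_lines))
    print(f"{found} card number(s) found and masked")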

Read next

Learn how you can protect your customer information.

Read how to keep your business cyber safe.

Find out about payment methods.