The Payment Card Industry Data Security Standard (PCI DSS) is a global standard mandated by the leading Card Schemes including Visa and MasterCard. In Australia it is not a legislative requirement- however there can be serious consequences for a data breach.

The aim of the Standard is to protect the integrity of sensitive cardholder data including 15 or 16 digit credit card numbers, three or four digit security codes, and other related card data. All businesses who accept credit and debit card payments should comply with the PCI DSS. Adherence to this standard protects all parties from Card Schemes and Banks who minimise data compromise; to merchants (businesses collecting card payments) minimising the risk of fines and loss of reputation; to cardholders who have their data protected and importantly, won’t take to social media to complain about their card details breached!

Here is a summary of the main players:

PCI Security Standards Council– compromised of major Card Schemes including Visa, MasterCard, JCB, Discover and Amex. It sets the rules for achieving PCI Compliance and publishes all official documentation which is available on their website.

Card Schemes– set the deadlines for businesses to achieve PCI Compliance. These vary globally from market to market. In Australia, the main Schemes to set deadlines are Visa and MasterCard due to transaction volumes. Deadlines often depend on your merchant level (see below) and the Schemes can issue non-compliance fines should merchants fail to meet set deadlines. These go to the Acquirer initially who then can choose to pass this onto merchants.

Acquiring Banks– the ones that ‘acquire’ your transactions ie. Provide your merchant payment facility. They act as the intermediary between merchants and Card Schemes in that they relay deadlines and compliance requirements to merchants, then collect progress data from merchants and report that back to the Card Schemes. They really have a dual role in wanting to work with the Schemes to push merchants into compliance but also represent their hardworking merchants to the Schemes to avoid financial penalties. They can also arbitrarily set compliance deadlines independently of the Card Schemes, particularly for their merchants unwilling to embark upon a PCI program.

Merchants– entities that collect cardholder data in the course of their business, from a local corner shop to Woolworths or Australia Post. They will deal direct with their Acquirer who will inform them of compliance and reporting requirements. Generally, they are required to report every quarter on progress with their PCI program, and being highly experienced in this area, is a service PCI CONSULTING AUSTRALIA can assist with.

Service Providers– third parties who provide services to merchants in relation to storing, processing or transmitting cardholder data. This can be an array of services including payment gateways, network management providers, call centres and other payment processors. Some of these may need to achieve PCI Compliance in their own right.

Merchant Levels

Each of the 5 Card Schemes set merchant levels based on transaction volumes. We’ll just focus on Visa and MasterCard as the 2 largest Card Schemes in Australia.

Numbers relate to either Card Scheme (i.e. If you process 5 million Visa and 5 million MasterCard transaction per annum, you’re a Level 2. Ask your bank to confirm your merchant level- saves your time going through the numbers!)


Merchants processing over 6 million transactions per annum. Require a full Report on Compliance (ROC) assessment. Examples: Insurance Companies, Banks, Telecommunications


Merchants processing between 1-6 million transactions. Banks in Australia are generally accepting a QSA assisted Self Assessment Questionnaires (SAQ) and will guide you on the validation required. Examples: Medium- large Government entities, large charities


Between 20,000 – 1 million ecommerce transactions. Can complete SAQ or ROC if they wish. Examples: Local councils, Water Retailers, mid size online retailers


All others merchants. Can complete SAQ or ROC if they wish. Examples: corner shops, small online shops, medium sized face-to-face transaction businesses

Service Provider Levels

Service providers only have 2 levels. It is perfectly acceptable for a Level 2 Service Provider to complete an SAQ rather than a full audit. Some of your clients may not understand that so we’re happy to represent you on that behalf.


Processing over 300,000 Visa or MasterCard transaction per annum. Require a ROC assessment.


Processing less than 300,000 Visa or MasterCard transactions per annum. Can complete an SAQ, although some clients may contractually impose necessity to complete a ROC at their discretion.