
How to Comply with the PCI DSS

Credit card fraud costs the Australian economy upwards of $600 million per year. Credit card information was the most commonly sold product on the darknet in 2010, accounting for 22 percent of sales. More to the point, those losses land on the credit card schemes. The PCI DSS was developed as a means to limit that fraud: the major credit card schemes (such as Visa and MasterCard) each ran their own cardholder data security programs before these were amalgamated into a single standard in 2004. The PCI DSS applies to every organisation that stores, processes or transmits cardholder data.

What is the PCI DSS?

The PCI DSS was developed by the major credit card schemes Amex, Visa, MasterCard, Discover and JCB to limit credit card fraud. Early movers on the web often stored valuable credit card information in insecure ways, leaving low-hanging fruit for attackers with every incentive to pilfer card details. The PCI DSS is an industry self-regulatory standard for any entity that stores, processes or transmits cardholder data. It consists of 12 requirements, grouped into six categories.

Briefly, the categories are: building and maintaining a secure network and systems; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy. The PCI Security Standards Council publishes the full list of 12 requirements.

Why Do Organisations Comply and How is Compliance Checked?

Payment brands (Visa, MasterCard etc.) enforce compliance through contracts. For example, if the Commonwealth Bank wants to use the MasterCard payment system for its cards, it needs to agree to MasterCard's terms. MasterCard's terms incorporate the PCI DSS, so even though the PCI DSS is not a law, every financial institution (Westpac, Commbank etc.) is bound by it if it wants to offer its customers credit cards or any other type of payment card.

An organisation that stores, processes or transmits cardholder data needs to put in place the controls required by the PCI DSS in order to comply. Compliance is then validated in one of two ways, depending on the merchant or service provider level the payment brand assigns (largely a function of transaction volume):

  1. an annual on-site security assessment by a Qualified Security Assessor, together with quarterly external network scans by an Approved Scanning Vendor; or
  2. completing a self-assessment questionnaire (some questionnaire types also require the quarterly external scans).

Penalties for Breach

The PCI Security Standards Council (which administers the PCI DSS) does not itself impose penalties. Each payment brand, however, has its own contractual means of enforcing compliance.

For example, if the Commonwealth Bank is found to be non-compliant with the PCI DSS at any time, or if fraud occurs and Commbank is found to have been non-compliant at the time, the payment brand may impose a fine. If a merchant that takes payments through Commbank does not comply with the PCI DSS, Commbank may in turn impose a penalty under the merchant agreement it has in force with that merchant.

In conclusion, the PCI DSS is a set of standards giving guidance on the safe handling of credit card details in order to limit credit card fraud. The PCI DSS is not law, but penalties may be imposed for its breach because it is incorporated into the contracts between the payment schemes and the major financial institutions, and in turn between those institutions and the merchants that use their payment systems.

LegalVision cannot provide legal assistance with the PCI DSS. We recommend you contact your local law society.

Chloe Sevil
