Credit card fraud costs the Australian economy upwards of $600 million per year. Credit card information was the most commonly sold product on the darknet in 2010, accounting for 22 percent of sales. More specifically, the cost of this fraud falls on the credit card schemes. The PCI DSS were developed separately over the course of the 90s by different credit card schemes (such as Visa and MasterCard) and finally amalgamated into one standard in 2004 as a means to limit fraud. The PCI DSS must be complied with by every organisation which stores or collects credit card information.

What is the PCI DSS?

The PCI DSS were developed by the major credit card schemes Amex, Visa, MasterCard, Discover and JCB to limit credit card fraud. Early movers on the web often stored valuable credit card information in insecure ways, leaving low-hanging fruit for hackers incentivised to pilfer card details. The PCI DSS provide self-regulating guidelines for any entity which stores or collects credit card information. There are 12 standards which comprise the PCI DSS, divided into six categories.

Briefly, the categories are: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The full list of 12 standards can be found here.

Why Do Organisations Comply and How is Compliance Checked?

Payment brands (Visa, MasterCard, etc.) enforce compliance through contracts. For example, if the Commonwealth Bank wants to use the MasterCard payments system for its cards, it needs to agree to MasterCard’s terms. MasterCard’s terms incorporate the PCI DSS, so even though the PCI DSS isn’t a law, every financial institution (Westpac, Commbank, etc.) will be bound to it if they want to offer their clients/customers credit cards or any type of payment card.

An organisation which stores credit card information needs to set up the systems required by the PCI DSS in order to comply. There are two ways for an organisation to check compliance:

  1. an annual on-site security audit and a quarterly network scan; or
  2. completing a self-assessment questionnaire.

Penalties for Breach

The PCI Security Standards Council (which administers the PCI DSS) does not administer or impose penalties. However, each payment brand has its own contractual methods of enforcing compliance.

For example, if the Commonwealth Bank is found to be non-compliant with the PCI DSS at any time, or if fraud occurs and Commbank is found to have been non-compliant with the PCI DSS at the time, then the payment scheme may impose a fine. If an entity which uses Commbank to take payment does not comply with the PCI DSS, then Commbank may impose a penalty pursuant to the merchant contract it would have in force with the entity.

In conclusion, the PCI DSS are a set of standards designed to give guidance on the safe storage of credit card details, in order to limit credit card fraud. The PCI DSS are not law; however, penalties may be imposed for their breach because they are incorporated into contracts between major financial institutions and payment schemes, and between financial institutions and the entities which use their payment systems. If you have any questions about PCI DSS, get in touch with LegalVision’s business lawyers.

Chloe Sevil
