Help & Support

Account data compromises and non-compliance

Over the past few years there has been a dramatic increase in the number of account data compromises – both globally and here in New Zealand. You've probably heard news stories about card fraud or even been unlucky enough to have your own personal cards compromised and reissued. Data compromises are always undesirable. They can result in bad publicity, customers taking their business elsewhere and additional costs to your business.

The Payment Card Industry Data Security Standard (PCI DSS) has been introduced to reduce your risk and protect the integrity of cardholder information. Compliance with the standard is essential.

Any data compromise or non-compliance fines received by BNZ from card schemes may be passed onto you, as stated in your BNZ Merchant Agreement – General Terms and Conditions section 3.5.

Data compromises

If you suspect your business may have suffered an account data compromise, you must contact us immediately on 0800 737 774 or by emailing

Do not delete or modify any of your systems. Much like a robber that leaves fingerprints after a break in, a hacker will leave important evidence of their activity, which is essential for understanding what's gone wrong and what information is at risk of being compromised.

Fines for data compromise

ReasonVisa assessments
(up to in US$)
MasterCard assessments
(up to in US$)
Account data compromise (ADC) $400,000 $500,000
Additional non-compliance assessments post ADC NA $100,000 per non-compliant requirement (12 PCI DSS requirements)
ADC – operational reimbursement Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud Dependent upon number of accounts at risk/type of data at risk/number of accounts reported with confirmed fraud
Failure to report an ADC NA Up to US$25,000 per day of non-compliance

NB: These are subject to change at any time.


Compliance with the PCI DSS is mandatory for all organisations that store, process and/or transmit payment card information. It's essential to ensure your business complies with the PCI DSS. If you have been requested to validate compliance as stated in your card scheme requirements, it's vital that you do validate your compliance.

The card schemes have various financial assessments in relation to non-compliance with the PCI DSS.  If you have been contacted by BNZ to validate compliance with the PCI DSS by a certain date, then fines may be issued by the card schemes if compliance isn't achieved by that date.

Compliance with the PCI DSS is a part of your BNZ Merchant Agreement – section 3.5. We may have no choice but to terminate your merchant facility if PCI DSS compliance isn't achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which will limit your ability to gain a merchant facility from another bank.

Fines for not validating compliance

Fines for not validating compliance
Violations per calendar yearMasterCard
(up to in US $)
L1 & L2 Merchants
(up to in US$)
L3 Merchants
( up to in US $)
L1, L2 & L3 Merchants
First violation 25,000 10,000 500
Second violation 50,000 20,000 5,000
Third violation 100,000 40,000 10,000
Fourth violation 200,000 80,000 25,000
Total of 4 violations per Merchant 375,000 150,000 40,500

NB: These are subject to change at any time.

Small Print

Mastercard is a registered trademark.