Help & Support
- Business
- Help and support
- Merchant services
- PCI DSS
- Guide to PCI DSS compliance
Guide to PCI DSS compliance
We understand that Payment Card Industry Data Security Standard (PCI DSS) requirements can be overwhelming at first, so we've created a step-by-step guide to help you.
1. Identify the PCI DSS level of your business
2. Self-assess your compliance or whether you need an onsite review
3. Scoping a PCI DSS assessment
4. Complete the applicable self-assessment questionnaire (SAQ) document
5. Remediate all issues identified in the self-assessment questionnaire (SAQ)
6. Complete and successfully pass a network vulnerability scan
7. Complete the attestation of compliance (AOC)
8. Maintain PCI DSS compliance
1. Identify the PCI DSS level of your business
You must validate your compliance annually with BNZ if you are within level 1, 2 or 3 categories, or if you are a Level 4 merchant and BNZ has requested validation of your compliance.
The PCI DSS level you identify for your business will determine the PCI tools that are required to be completed, as outlined in the table below. If you are unsure of your processing volume, please email pcidss@bnz.co.nz for assistance.
| PCI DSS merchant level | Number of card scheme card transactions | PCI tools required to be completed |
|---|---|---|
| Level 1 | More than 6 million card transactions per annum (any type of transaction) |
|
| Level 2 | More than 1 million but < 6 million transactions per annum (any type of transaction) |
|
| Level 3 | More than 20,000 but < 1 million e-commerce transactions per annum |
|
| Level 4 | All other merchants |
|
2. Self-assess your compliance or whether you need an onsite review
Identify the self-assessment questionnaire (SAQ) you need to complete or whether you need a qualified security assessor (QSA) to conduct an onsite review.
Level 1 Merchants are required to have an on-site review conducted by a QSA. BNZ must approve the QSA you plan to use and the approach to be taken.
Level 2 Merchants are required to use a QSA or a qualified internal security assessor to complete the SAQ.
Level 3-4 Merchants are able to self-assess their compliance and are required to complete an SAQ.
Depending on how you process, transmit, and store card data will determine which self-assessment questionnaire you need to complete.
If you're unsure of your payment processing method(s), please email pcidss@bnz.co.nz for assistance.
Download the applicable SAQ document
| SAQ document |
Description of processing |
|---|---|
|
A |
Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
|
A-EP |
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on a merchant’s systems or premises. |
|
B |
Merchants using only standalone, dial-out terminals with no electronic storage and/or imprint machines with no electronic cardholder data storage. |
|
B-IP |
Merchants using only standalone, PTS-approved payments terminals with an IP connection to the payment processor, with no electronic cardholder data storage. |
|
C-VT |
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. |
|
C |
Merchants with payment application systems connected to the internet, no electronic cardholder data storage. |
|
D |
All merchants not included in descriptions for the above SAQ types. |
3. Scoping a PCI DSS assessment
Once you've defined your merchant level and identified which SAQ is relevant to your business, it's time to begin scoping your assessment. It's easier to remove items from scope later, so try to include everything that's part of your payment lifecycle. Trying to increase scope during the review or remediation stage will cause issues with funding, resource and your compliance timeline.
Handy tips:
- Identify which system components cardholder data flows through and touches. System components are defined as any network component, server or application that's included in or connected to the cardholder data environment. See the table below for further examples.
- Ensure a comprehensive search for all cardholder data touch points is undertaken before any assessment activity begins. There are card data scanning tools to help with this.
- Create a cardholder data matrix to record which systems store, process and / or transmit cardholder data. This could list the system name, what cardholder data is stored, reasons for storage, retention period and any protection mechanism.
- The scope of the PCI DSS assessment can be reduced through network segmentation, e.g. separating cardholder data from the rest of a business network can help to reduce the scope of a PCI DSS assessment.
System components
|
Cardholder data to look out for includes:
Remember: The PCI DSS only applies when PAN data is stored, processed or transmitted. Storage of cardholder data is permitted. |
|
Sensitive authentication data includes:
Storage of sensitive authentication data is not permitted. |
|
Network components include, but are not limited to: Firewalls, switches, routers, wireless access points, network appliances, other security appliances. |
|
Servers include, but are not limited to: Web, database, application, authentication, DNS, Mail, Proxy, FTP, NTP. |
|
Applications include: All purchased, custom software, internal and external applications, e.g. web applications. |
Cardholder data matrix
Here's an example of a matrix to help get you started:
| System name | Cardholder data stored | Reason for storage | Retention period | Protection mechanism |
|---|---|---|---|---|
Cardholder data discovery tools
There are a number of software tools available on the internet to identify card data stored within your cardholder data environment. These tools can be a good way to make sure you've identified everywhere card data is stored within your environment. Nobody likes last-minute nasty surprises!
Network segmentation
If it's possible for your business, segregating your cardholder data environment from other parts of your business network can help you to reduce the scope of your PCI DSS assessment.
Network segmentation can be achieved by correctly configuring internal network firewalls, routers with strong access control lists or by using any other technology that restricts access to a segment of a network.
4. Complete the applicable self-assessment questionnaire (SAQ) document
Now comes the fun part! Completing the SAQ takes time from everyone involved. It may be useful to sit down with the relevant parties to agree who will be responsible for answering which section of the questionnaire.
It's important to answer the SAQ honestly. If in doubt, proceed on the side of caution and assume non-compliance until clarification is sought. Remember to detail any compensating controls or provide information on any requirements answered 'not applicable'.
Handy tips:
- Refer to the SAQ instructions and guidelines and follow the instruction pages at the start of the applicable SAQ document to assist in completing the SAQ.
- If SAQ D is applicable to your business, the prioritized approach tool contains guidance for targeting the higher risk areas of compliance first and overall tracking of your PCI DSS compliance.
- Answer “Yes” if testing has been performed and the requirement has been met. Answer “Yes with CCW” if testing has been performed and the requirement has been met with assistance of a compensating control. Answer “No” if the requirement has not been met. Answer “N/A” if the requirement does not apply to the organisation’s environment. Answer “Not Tested” if the requirement has been excluded from review without any consideration as to whether it could apply.
- If you're unable to answer any questions, you can contact us at pcidss@bnz.co.nz. If there are a large number of requirements you are unsure about, it might be beneficial to contact a qualified security assessor (QSA) to assist. View a list of qualified security assessors.
- If a PCI DSS requirement can't be met due to a legitimate technical or documented business constraint, a compensating control may be considered, providing the control has met the intent and reduced the risk associated with the PCI DSS requirement;
- Submit the completed SAQ to BNZ by emailing pcidss@bnz.co.nz.
Compensating controls
Compensating controls can be used to meet a PCI DSS requirement where technology constraints or business constraints won't allow a requirement to be explicitly met. Compensating controls must meet the intent of the PCI DSS requirements. You must ensure you have undertaken a risk analysis of the control(s). It's essential that you document the control and constraints to achieve compliance.
Compensating controls must meet the following criteria, explained in Appendix B in each of the questionnaires:
- Meet the intent and rigor of the original PCI DSS requirement
- Provide a similar level of defence as the original PCI DSS requirement
- Be 'above and beyond' other PCI DSS requirements (simply being in compliance with other PCI DSS requirements is not a compensating control)
- Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement
If you're unsure if a compensating control your business is considering meets the criteria, we recommend validating the control with a QSA. You will need to annually reassess any compensating controls to ensure the control still meets the criteria.
Your business will need to document any compensating controls in Appendix C of the relevant questionnaire by completing the following:
Requirement number and definition
| Information Required | Explanation | |
|---|---|---|
| 1.Constraints | List constraints precluding compliance with the original requirement | |
| 2. Objective | Define the objective of the original control; identify the objective met by the compensating control | |
| 3. Identified risk | Identify any additional risk posed by the lack of the original control | |
| 4. Definition of compensating controls | Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any | |
| 5. Validation of compensation controls | Define how the compensating controls were validated and tested | |
| 6. Maintenance | Define process and controls in place to maintain compensating controls |
5. Remediate all issues identified in the self-assessment questionnaire (SAQ)
Now that you've completed your SAQ, you will need to remediate any non-compliant requirements or implement compensating controls. Remediation timeframes differ from business to business, depending on initial compliance status and the complexity of the cardholder environment. You will need to keep us updated on your compliance progress by completing the 'Action Plan for Non-Compliant Status' when submitting your confirmation of compliance to pcidss@bnz.co.nz and providing quarterly updates.
Handy tips:
- It's beneficial to structure your remediation into similar phases of work, to maximise opportunities and reduce effort.
- A risk-based approach will ensure your efforts are best focussed on the requirements that will help reduce your business risk profile.
- The prioritized approach tool will help ensure you are remediating areas of your business that could be more at risk of an account data compromise or security breach.
- In some cases, it might be easier to outsource certain parts of your business to a PCI DSS compliant provider to help reduce the scope of remediation required.
- If you need assistance to understand potential solutions or need to validate that your solution is compliant, we recommend contacting a QSA.
See a list of PCI SSC approved QSAs.
Disclaimer: QSAs have been accredited by the PCI SSC. Neither the PCI SSC nor BNZ guarantee the performance of these approved QSAs.
6. Complete and successfully pass a network vulnerability scan
Validating compliance with the PCI DSS is not just about completing the SAQ. Your business may also need to complete and pass a quarterly network vulnerability scan. These scans must be by an approved scanning vendor (ASV) to validate compliance.
While quarterly scanning is the minimum requirement if applicable, we strongly encourage you to perform scanning more frequently. These vital scans will alert you to weaknesses within your business environment and provide you with an opportunity to remedy these before somebody else finds them and compromises your data and environment.
Helpful links and information related to scans:
- Some methods of processing that qualify for SAQ A and B may not require a vulnerability scan. Please contact pcidss@bnz.co.nz for more information.
- Contact an ASV to conduct a network vulnerability scan. See a list of ASVs
- If you fail a scan, you will need to fix the issues identified and subsequently pass another scan before you are considered compliant in this area.
- If the issues from the failed scan can't be fixed immediately, you will need to submit a plan to BNZ, which addresses the areas of non-compliance within a timeframe approved by BNZ. Failure to comply within specified timeframes could result in penalties being issued by the card schemes.
- Scans which identify high vulnerabilities must be remediated within 24 hours, moderate vulnerabilities must be remediated within 72 hours and low vulnerabilities that do not result in the scan failing must be remediated by the next quarters scanning.
- Evidence of a passing scan must be provided to BNZ by emailing pcidss@bnz.co.nz
- See a list of approved scanning vendors
7. Complete confirmation of compliance (AOC)
Once you've completed any remediation and your SAQ, you will need to complete the AOC. This will need to be signed by your CEO, CIO or equivalent, such as an Information Security Manager. Please ensure you've completed all relevant pages within the applicable questionnaire.
- Complete the AOC included in the applicable SAQ document.
- If you're not able to immediately remedy the issues identified in the SAQ, you will be required to complete Part 4 of the SAQ 'Action Plan for Non-Compliant Status' when submitting the AOC to pcidss@bnz.co.nz
- Send the completed AOC to BNZ at pcidss@bnz.co.nz.
8. Maintain PCI DSS compliance
Validating your compliance is not the end! PCI DSS requires annual confirmation of compliance. We recommend including applicable requirements in your regular business auditing process to help ensure your business remains compliant. You'll also need to ensure that a business owner is appointed to validate that your business remains compliant. Compliance validation annually is your responsibility. Please remember to diary note when you will need to provide your documentation to BNZ.
Your annual self-assessment, network scan results and AOC can be emailed to pcidss@bnz.co.nz. Please include your merchant name and number in the subject header.
Here's a quick summary of the annual process:
- Every year, complete successfully the applicable SAQ
- Every quarter, complete successfully the network vulnerability scan (if applicable);
- Complete the AOC annually;
- Email copies of the SAQ, network vulnerability scan results and AOC to BNZ at pcidss@bnz.co.nz
Help whenever you need it
If you ever need any assistance, you can contact us at pcidss@bnz.co.nz
Disclaimer: PCI DSS defines a minimum data security standard to help secure sensitive cardholder data. BNZ, the Payment Card Industry Security Standards Council and the Card Schemes do not guarantee that these standards will prevent security breaches or losses.