© 2020 Content Security Pty Ltd.

Why your business must meet these new standards for accepting credit card payments

  • Retailers and e-commerce businesses that accept credit card payments must move to the new Version 4.0 (V4.0) of the PCI DSS by 31 March 2024.
  • Small and medium-sized enterprises who process less than six million Mastercard transactions or the same number of Visa transactions a year can self-assess annually to verify compliance.
  • Ongoing security controls and checks are crucial to maintaining compliance.

Does your business accept credit card payments? If so, you must move to comply with the latest version 4.0 (V4.0) of the PCI DSS standard by 31 March 2025. The current compliance version is V3.2.1

What is the PCI DSS?

The PCI Security Standards Council sets the Payment Card Industry Data Security Standard – or PCI DSS for short. That standard aims to ensure safe payment processing worldwide. The council issued the latest version, V4.0, in March 2022 and there is a two-year grandfathering overlap from the current version (V3.2.1) through to March 2024, but some of the Version 4.0 changes are initially recommendations that do not become mandatory until March 2025.

The PCI DSS standard is an industry standard and not part of any country’s laws, including Australia.

However, complying with the standard is a contractual requirement for businesses and organisations as part of their merchant agreement with their acquiring bank. This involves activities that store, process and/or transmit the cardholder data of Mastercard, Visa or AMEX credit card holders, plus any activities that may impact the security of that cardholder data such as third-party service providers.

The PCI DSS standard covers 12 domains of security controls depending on which compliance level category a retailer or e-commerce business fits into. The PCI DSS is issued by the PCI Council on behalf of the major card brands.

You can read the details in this 36-page guide from the PCI Security Standards Council. It also summarises the new requirements. Some changes are significant, others are minor. V4.0 emphasises controls to deflect cyber attacks that involve phishing and social engineering.

Some changes need to be enacted immediately upon cyber security assessment. But you won’t need to comply with the bulk of the new requirements until March 2025.

Does the credit card payments standard apply to your business? 

The standard has four compliance levels:

Level 1: Merchants who process more than six million Mastercard or six million VISA card transactions each year.

Level 2: Merchants processing between one million and six million Mastercard or one to six million VISA card transactions annually.

Level 3: Merchants who process 20,000 to one million Mastercard or 20,000 to one million VISA transactions annually.

Level 4: Merchants processing under 20,000 Mastercard or 20,000 VISA transactions each year.

Businesses that have recently suffered a cyber-attack or are deemed an information security risk could be escalated to a higher level.

What’s the risk of PCI DSS non-compliance?

You might think your business is too small to be caught in the PCI DSS compliance net.

However, your merchant agreement with your bank, or financial institution, may spell out your need to follow the standard. For most businesses, they’ll expect you to send them an annual return to verify your compliance.

If you don’t comply, they could withdraw that payment processing service, which would be a major inconvenience for your customers and clients.

Your bank or financial institution could also levy fines on you on behalf of the card providers.

How to meet the standards

March 2025 may seem like a long way away, but it takes time and diligence to be able to tick all the boxes to reach that compliance deadline.

Larger businesses must organise a certified cyber security firm to conduct a PCI DSS compliance audit.

Level 2 businesses that process between one and six million payments a year undertake an annual PCI self-assessment.

Meanwhile, Level 3 businesses (20,000 to one million transactions per card brand annually), should do the same assessment and have a qualified scanning vendor do a quarterly scan.

If you’re a Level 4 business, processing under 20,000 payments annually per card brand, you still must be PCI compliant.

Whichever level your business meets, risk management should be a continuous activity.

How to do a PCI DSS assessment

Be sure to look at the latest Self-Assessment Questionnaire A and Attestation of Compliance, issued in April 2022. The PCI Security Standards Council has set up this helpful resources hub, to answer any of your questions.

It’s not just ‘set and forget’ once you’ve achieved the standard though. While it can be challenging to remain compliant, this is less so than businesses starting from scratch to meet the standards. Remember, as part of your ongoing merchant agreement with a financial institution, you’ll need to pass an assessment annually.

Small and medium-sized enterprises often need help understanding the scope of compliance. That is, how their computing network infrastructure is set up and how their payment processes work. They also might not realise the need for:

  • Security scanning every three months, and
  • PEN testing of response processes, for example.

So, if you fail to meet those ongoing requirements, your business won’t pass the annual assessment.

Once you’ve completed your self-assessment, you’ll need to complete a PCI compliance scan. Those results go to your merchant bank, which then sends them to the payment card industry.

You might be tempted to delegate PCI DSS compliance to your IT team, but it should involve many more parts of your business, including finance, risk management, and legal. It’s recommended you bring in outside expertise to guide you through the process.

Compliance with the PCI DSS is essential for business because it highlights continuous improvement and enhances validation methods for payments.

The Essential 8 dovetail into each other to help create a virtual mesh to protect your business against cyber threats. Do a deep dive into each of the Essential 8 here – there’s quite a lot to them. And, ACSC’s Ransomware Action Checklist is handy to have as part of your arsenal.

For more information please contact our cybersecurity professionals today.

Recent news