One of the questions we get asked a lot is “Where it says that someone has to be PCI compliant?”
To understand the answer to this, first we have to understand how the responsibilities are set out.
Who Sets the Rules?
First, the PCI Security Standards Council (or PCI SSC) sets out the rules. They are made up of the five major card issuing brands (American Express, Discover, JCB, MasterCard, and Visa). They set the standards, and define what makes someone a service provider or a merchant. And that’s the first place where we see who PCI DSS applies to:
“PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)”
Who Enforces the Rules?
The card brands themselves are responsible for enforcing PCI compliance and any fines and/or penalties are levied through them. The banks report your compliance as a merchant or service provider back to the card brands (which is why your bank cares so much about whether or not you are PCI compliant).
What am I Responsible For?
Second, having understood who sets and enforces the rules, you need to then go through the fine print of the Agreement you have with your bank.
To save you time, we’ve gone through the main merchant agreements that are available from each of the main acquiring banks in New Zealand to find the relevant parts of the agreements where you are required to be PCI compliant. If you haven’t read through them in depth, this might be the time to do so as there are other responsibilities including taking careful note of the penalties and/or fines you may incur if you breach the Agreement. We have only extracted the parts related to PCI compliance.
ANZ
Section 14.2(i)
- ANZ requires a “Compliance Action” plan for PCI compliance within 90 days of receiving a request.
- ANZ requires compliance with “all Nominated Card Scheme Regulations… including any obligations regarding compliance with the PCI DSS”
ASB
Section 4.1(c)
- Merchants will “implement and comply with PCI Security Standards, as applicable”
Section 4.1(h)
- Merchants will “keep all systems and media containing transaction information (physical or otherwise, including but not limited to card imprints and sales vouchers) in a secure manner in line with industry best practice and as specified in the PCI Security Standards and any Card Scheme data security program or requirement…”
BNZ
BNZ uses the term “Data Security Standards” to refer to the Payment Card Industry Data SecurityStandards (PCI DSS).
Section 3.7(a)
- “Unless otherwise advised by [BNZ], you must comply with the data security standards, which among other things, means that you must complete the protocols for the data security standards within the time frame stipulated by [BNZ] or the card schemes.
Section 3.7(b)(i)
- “You have processes and procedures in place that meet the data security standards and you follow those processes and procedures”
Section 3.7(b)(iii)
- “If you use a third party who is involved in the processing, transmission, or storage of your transactions, then you must ensure that the third party confirms to you on an ongoing basis that it meets the data security standards”
Westpac
Section 4.8
- “If your business or any Agent operating on your behalf, stores, processes, transmits or has access to Cardholder Information, you must ensure that it is maintained in a secure manner with access restricted to authorised personnel, and you must also ensure that you, your business and your Agents fully comply with the Payment Card Industry Standards, including, without limitation, Payment Card Industry Data Security Standard (“PCIDSS”).”