PCI DSS compliance for Australian organisations

Payment card information remains one of the most targeted forms of data. For Australian organisations that store, process or transmit cardholder data, PCI DSS compliance is essential — not simply as an annual requirement, but as a way to reduce risk and improve the security of systems that support payment operations.

DotSec has more than 25 years of experience securing payment environments for government, APRA-regulated entities, financial institutions, utilities and national retail organisations. We focus on what PCI DSS was designed to achieve: practical, risk-driven improvements that reduce the likelihood and impact of compromise, not superficial checkbox activity.

What is PCI DSS compliance?

PCI DSS (the Payment Card Industry Data Security Standard) is a set of technical and operational requirements designed to protect cardholder data. Compliance means implementing, operating and maintaining a comprehensive set of controls relating to:

  • Network segmentation and security

  • Access control and authentication

  • Logging, monitoring and incident response

  • Secure software development

  • Vulnerability management

  • Physical security and hosted environments

  • Supplier and service-provider oversight

PCI DSS compliance applies to any organisation that touches payment card data, even indirectly. That includes retailers, e-commerce sites, service providers, franchise networks, billing platforms, hospitality groups and SaaS platforms that integrate payment processing.

Do I need PCI DSS compliance?

You (well, really, your business) will almost certainly need to be PCI DSS compliant if you:

  • Accept credit or debit cards (online or in-store)

  • Use a payment gateway or merchant provider

  • Store or transmit cardholder data (even temporarily)

  • Develop or host systems involved in payment processing

  • Are a managed service provider to organisations who themselves process cardholder data

PCI DSS compliance is not optional in Australia, and it is often expected by banks, acquirers, insurers and partners, as well as sometimes being required by due-diligence processes.

PCI DSS reporting options

Generally speaking, all merchants have reporting requirements, irrespective of their level. However, the specific requirements differ: most merchants, except for the highest level (Level 1), are typically required to complete a Self-Assessment Questionnaire (SAQ). Level 1 merchants, on the other hand, usually need to undergo an annual assessment by a Qualified Security Assessor (QSA).

Option 1: SAQ and AOC

For the bulk of merchants, the key to PCI DSS compliance is the Self-Assessment Questionnaire (SAQ).

Different SAQs exist, each tailored to different types of payment processing environments. The specific SAQ a merchant needs to complete depends on how they process card payments.

SAQ A (Self-Assessment Questionnaire A) is the leanest of the PCI DSS reporting paths, meaning that it can generally be completed with very little effort or time.

Merchants prefer SAQ A because there are only 26 controls (and some of those might be non-applicable) and it's often possible for the merchant to offload many of its PCI DSS responsibilities to third-party providers such as payment gateways or security service providers, as long as those third parties are themselves PCI DSS compliant.

To be eligible for SAQ A, all cardholder data functions must be fully outsourced to PCI DSS-compliant third-party service providers (TSPs), and merchants must:

  • Not store, process, or transmit cardholder data on their systems.
  • Use only redirects, iframes, or hosted payment pages.
  • Confirm their ecommerce site is not susceptible to script-based attacks.
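The last two eligibility conditions are ones a merchant can check for itself before signing an SAQ A: the checkout page should hand card entry to a hosted page or iframe from the compliant provider, and the page should not load scripts that are unauthorised or unverified. The following is an added illustration, not DotSec's code or a PCI SSC tool: it statically audits a checkout page's HTML for inputs that would collect cardholder data on the merchant's own page, for payment iframes from unexpected hosts, and for scripts that are either outside a merchant-maintained allowlist or lack a Subresource Integrity attribute. The allowlisted hosts, the `sha384-` values and both sample pages are constructed for the example.

```python
"""Static pre-check of an e-commerce checkout page against the SAQ A
structural conditions: card data is captured only inside a hosted payment
page / iframe from a PCI DSS-compliant provider, and the merchant page
itself loads only authorised, integrity-protected scripts.

Added example; host allowlists and sample HTML are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the merchant has authorised to serve
# payment-page scripts, and the host expected to serve the payment iframe.
ALLOWED_SCRIPT_HOSTS = {"pay.example-gateway.test", "cdn.example-merchant.test"}
ALLOWED_IFRAME_HOSTS = {"pay.example-gateway.test"}

# Field names / autocomplete tokens that indicate the merchant page itself
# is collecting cardholder data, which disqualifies it from SAQ A.
CARD_FIELD_HINTS = {
    "cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number",
    "pan", "cvv", "cvc",
}


class CheckoutPageAuditor(HTMLParser):
    """Collects findings while walking the tags of a checkout page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            src = a.get("src", "")
            if not src:
                # Inline scripts cannot carry an integrity attribute, so they
                # need explicit entry on the merchant's authorised inventory.
                self.findings.append("inline script on payment page needs authorisation")
                return
            host = urlparse(src).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(f"unauthorised script host: {host or src}")
            if not a.get("integrity"):
                self.findings.append(f"script without integrity attribute: {src}")
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname or ""
            if host not in ALLOWED_IFRAME_HOSTS:
                self.findings.append(f"payment iframe from unexpected host: {host or '(none)'}")
        elif tag == "input":
            hints = {a.get("name", "").lower(), a.get("autocomplete", "").lower()}
            if hints & CARD_FIELD_HINTS:
                self.findings.append(f"merchant page collects card data: input {a.get('name')}")


def audit_checkout_page(html: str) -> list:
    """Return a list of findings; an empty list means no structural issue found."""
    auditor = CheckoutPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: card entry delegated to the provider's iframe, one
# allowlisted script with an SRI hash (placeholder value).
COMPLIANT_PAGE = """
<html><body>
<form>
  <input name="email" autocomplete="email">
  <iframe src="https://pay.example-gateway.test/hosted/checkout?session=abc"></iframe>
</form>
<script src="https://pay.example-gateway.test/v1/embed.js" integrity="sha384-PLACEHOLDER"></script>
</body></html>
"""

# Constructed sample: the merchant page collects the PAN itself and loads an
# unlisted third-party script with no integrity attribute.
NONCOMPLIANT_PAGE = """
<html><body>
<form>
  <input name="card_number" autocomplete="cc-number">
  <input name="email" autocomplete="email">
</form>
<script src="https://analytics.third-party.test/t.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("compliant", COMPLIANT_PAGE), ("non-compliant", NONCOMPLIANT_PAGE)):
        print(label, audit_checkout_page(page) or "no findings")
```

A clean result from this check is a precondition, not proof, of SAQ A eligibility: it says nothing about the provider's own compliance status, about scripts injected at runtime, or about the change-and-tamper detection the standard also expects on payment pages, so it is best used as a quick pre-scoping screen before the SAQ is selected.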

Option 2: AOC and ROC

Level 1 merchants and service providers, or those merchants/service-providers who have particular acquirer requirements, will need to report using a Report On Compliance (ROC).

In this scenario, DotSec's Qualified Security Assessor (QSA) will formally assess how effectively the client meets the applicable requirements of the PCI DSS.

In contrast to the collaborative nature of a scoping or gap-analysis project, the QSA-led PCI DSS assessment will be a formal assessment process, the outcomes of which are documented in a formal Report on Compliance (ROC):

  • If DotSec's QSA finds that the reporting entity is compliant with the requirements of the PCI DSS, then we'll complete and deliver a ROC and an Attestation of Compliance (AOC).
  • If DotSec's QSA finds that the entity does not comply with the requirements of the PCI DSS, then those findings will be documented in the ROC, which will be delivered to the client, and a non-compliant AOC will be issued.

It is important to note that the formal QSA-led assessment must be conducted in a timely manner. As a QSA Company, DotSec will ensure that the client remains aware of the assessment timetable, impending deadlines and project completion date.

We stand out from other PCI DSS companies in Australia

DotSec stands out among other PCI DSS companies in Australia for a couple of important reasons:

  • We're a PCI DSS-compliant service provider and we have an AOC to prove it! We don't just talk the PCI DSS talk, we've walked the compliance walk, so we know what it takes to implement and maintain a compliant PCI DSS service.
  • Our PCI DSS professionals have a wide range of certifications including QSA, ISO 27001, CISA, CISM and more. We're not just a one-shot, tick-the-box QSA assessor company.
  • Our PCI DSS compliance recommendations are practical, based on our actual, boots-on-the-ground implementation and compliance experience. We've picked up after less experienced QSAs who have confused the client with mistaken controls, incorrect SAQ selection and impractical compliance recommendations; no one needs those kinds of problems on top of an already-demanding compliance program of work.

What next?

If you need to report under the PCI DSS, either using a SAQ or as part of a QSA-led assessment, DotSec is here to help. Our team of experienced professionals can guide you through the entire process, helping you to reduce scope and reporting costs wherever possible. Doesn’t saving you cost reduce our income? Why yes, for one job it does! But if we can cut the costs you’ve been paying to your incumbent QSA company, you’ll be happier and that’s the recipe for the kind of long-term relationship that we value above all else.

Ensuring compliance with the PCI DSS has the potential to be a risky, painful and expensive experience, but with a DotSec QSA by your side, your journey becomes a lot easier.
