Processing electronic card payments securely

Setting up online payments can be a fast, easy way for your business to collect payment from customers and make payments to suppliers.

If your business processes, transmits or stores cardholder data, then you need to comply with the Payment Card Industry Data Security Standards (PCI DSS). Meeting these standards will help you protect your data and customers’ information from breaches and theft.

What is the Payment Card Industry Data Security Standards?

PCI DSS are a set of requirements that make it easier for you to ensure your customers’ card information is always secure.

These standards include how you:

  • take a payment online
  • take a payment through an electronic payment terminal
  • handle a card number read to you over the phone
  • handle a card number received in a letter or email.

As a business owner, it is important to understand these standards and apply security controls in your business to prevent a security breach.

Who must comply?

All Australian businesses that accept card payments need to be PCI compliant, regardless of business size. You can’t be partially compliant. The level of compliance your business needs to show will depend on your business situation.

Benefits of being PCI compliant

Having a strong, up-to-date security plan in place is not only good for your business, but also for your peace of mind.

Ensuring you follow the PCI DSS in your business will:

  • reassure your potential customers that their card details are secure when they make card payments to you
  • maintain customers’ trust in your business, which enhances your business’ reputation
  • show your ongoing commitment to improve the shopping experience for your customers and a genuine desire to protect their data
  • prevent others from accessing your payment system networks and stealing cardholder data.

Having customers confident that their personal details are secure when doing business with you, could potentially increase customer loyalty and drive repeat sales!

Payment Card Industry Data Security Standards - 12 key requirements

The PCI DSS are broken up into six groups that represent security best practices:

Build and maintain a secure network

  1. Use a firewall on your network and PCs to protect cardholder data.
  2. Change default passwords on hardware and software. Make sure you choose secure passwords for all your business systems.

Protect cardholder data

  1. Put together strategies to protect any cardholder data you store.
  2. Make sure the data is encrypted if it’s being transmitted across open, public networks, or being used for authentication.

Maintain a vulnerability management program

  1. Make sure that all software you are using is up-to-date, including your anti-virus software. Ensure new versions or updates of the software are installed to address vulnerabilities.
  2. Develop and maintain secure connections and secure systems. 

Implement strong access control measures

  1. Only allow access to cardholder data when it’s required.
  2. Always provide employees with their own unique login credentials (user name and password) to core systems.
  3. Restrict physical access to cardholder data. Do not store any sensitive cardholder data on your computer or on paper.

Regularly monitor and test networks

  1. Track and monitor all access to your network resources and cardholder data.
  2. Regularly test security systems and processes. 

Maintain an Information Security Policy

  1. Maintain an information security policy that addresses information security and how your employees access IT and payment systems. 
  2. Make sure you have a process that involves the correct management of customer information.

Find out more


Thanks for your feedback. If you have any ideas on how we can improve, we'd love to hear them.

Please provide your comments in the feedback form.

You might also be interested in