
Many New Zealanders use EFTPOS to pay for their purchases, and your business likely has facilities to accept it. If your online business collects payments through your website, you may use specialised software (such as a payment gateway) to take debit or credit card payments. Every transaction that involves a credit or debit card must comply with a global industry standard, the Payment Card Industry Data Security Standard (PCI DSS), which prioritises security and customer privacy. Unless your business deals in cash-only transactions, this standard will likely apply to you. This article explains whether your business needs to be PCI compliant and what that involves.

What is the PCI DSS?

The PCI DSS is a standard made up of extensive requirements for any business that deals with credit and debit card payments, whether by:

  • processing card data;
  • storing card data; or
  • transmitting card data.

Every business that does so must comply with this standard, regardless of the frequency or value of its transactions.

For example, physical businesses handle credit or debit card payments through EFTPOS machines. These businesses must meet the PCI DSS’s requirements when they process these payments.

What is the Purpose of the PCI DSS?

The world’s most prominent credit card companies, like Mastercard and Visa, collaborated to create this standard. They also sit on the PCI Security Standards Council, the body that manages the standard.

The purpose of the PCI DSS is to protect payment card data and impose standards on any entity that deals with it. Payment card data includes the:

  • cardholder’s PIN;
  • card number;
  • expiry date;
  • cardholder’s name;
  • information encoded in the card’s magnetic stripe; and
  • validation code.

By setting a minimum security standard for businesses that deal with this data, the PCI DSS aims to reduce the risk of data breaches and lessen their consequences for businesses and consumers. Such consequences can include:

  • credit card fraud;
  • lost revenue due to fraud;
  • legal fines and penalties; and
  • loss of customer trust and brand confidence.

This is true whether you operate online or offline.

Does My Business Need to Be PCI Compliant?

If your business deals with credit cards or other payment card data, you need to be PCI compliant. However, what you need to do to meet your requirements will vary depending on the nature of your business. Not all of the PCI DSS’s requirements will necessarily apply to your business, as the level of the standard you must meet depends on what payment card data you deal with and how you handle it.

For example, suppose you just process customer card details at the time of purchase and do not keep that information. In that case, you do not necessarily need to comply with the PCI DSS’s requirements for storing payment card information securely.

Consequences of Failing to Be PCI Compliant

New Zealand banks are in charge of ensuring that their merchants (such as your business) comply with the PCI DSS and keep up with reporting requirements. A bank can receive fines if any of its merchants breach the standard’s requirements, so your bank will help you make sure you comply. If you do fail to meet your obligations under the PCI DSS, you could:

  • face fines that the payment card industry imposes; and
  • lose the ability to process card payments.

The PCI DSS is an industry standard rather than a law, but that does not mean there will be no legal consequences for non-compliance. Failing to meet your PCI requirements could also have privacy implications, as credit and debit card details qualify as personal information. Not meeting this global industry standard would damage your position in any privacy-related court proceedings.

How Can My Business Meet Its Requirements?

Your bank can help you ensure your business is PCI compliant. Many of the payment processing systems you use, such as certified EFTPOS machines and payment gateways, will already be PCI compliant. However, to get these systems, you will likely need to prove to your bank that you have security procedures in place that protect cardholder data in line with the PCI DSS. If you manage these kinds of transactions yourself and deal with credit card details in your own capacity, then you need to get PCI compliance certification for your business.

For example, most of PayPal’s services are already PCI compliant. Some of their customisable options give you more control over the payment process, but you take on more responsibility for meeting PCI DSS requirements when you use these options.

You will need to complete a self-assessment questionnaire to determine how the PCI DSS applies to your business. You also need to evaluate your systems regularly so that they align with the PCI DSS’s control objectives, which are:

  • building and maintaining a secure network;
  • protecting cardholder data;
  • maintaining a vulnerability management program;
  • implementing strong access control measures;
  • regularly monitoring and testing networks; and
  • maintaining an information security program.

Key Takeaways

The PCI DSS is a global industry standard for all businesses that handle payment card details. If your business processes or deals with credit or debit cards, you need to ensure you are PCI compliant. If you would like more information or help with your business’ PCI compliance, contact LegalVision’s data, privacy and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What does PCI DSS stand for?

PCI DSS stands for the Payment Card Industry Data Security Standard. This is a global standard that sets minimum requirements for businesses when handling credit card details.

Does my business need to be PCI compliant?

If your business processes, stores, or transmits credit or debit card information, you need to be PCI compliant. You can complete a self-assessment questionnaire to determine which aspects of the PCI DSS apply to you.

What is personal information?

Personal information is any information that can identify a living person, whether by itself or in combination with other data. Examples include names, addresses, or credit card details.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.