PCI DSS Compliance and Auditing Services

We'll work with your team to assess your PCI DSS compliance in New Zealand, establish a baseline against the required standard and work towards PCI DSS accreditation where required.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) sets the requirements that organisations and merchants must meet to accept, store, process and transmit cardholder data securely, with the aim of preventing card fraud and data breaches. It applies to New Zealand organisations in the same way as anywhere else: if your business takes payment card transactions from customers or suppliers, compliance with PCI DSS is critical.

PCI DSS was established through collaboration between the major card brands, American Express, Discover, JCB, Mastercard and Visa. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC); compliance is enforced by the card brands and by acquiring banks through their merchant agreements.

Organisations that accept card payments must either meet the obligations set out in PCI DSS themselves or process payments through a compliant partner. Outsourcing reduces the obligations but does not remove them: a merchant remains responsible for the parts of the payment flow it still controls, such as the web page that redirects to the payment provider or the terminals in its stores.

The primary goals of PCI DSS

The PCI DSS regime contains 12 requirements, grouped into 6 primary data security goals, that govern how a Cardholder Data Environment (CDE) is built and operated. The goals are:

  • Build and Maintain a Secure Network and Systems (Req. 1 & 2),

  • Protect Cardholder Data (Req. 3 & 4),

  • Maintain a Vulnerability Management Program (Req. 5 & 6),

  • Implement Strong Access Control Measures (Req. 7, 8 & 9),

  • Regularly Monitor and Test Networks (Req. 10 & 11),

  • Maintain an Information Security Policy (Req. 12).

What are the PCI DSS assessments?

PCI DSS has a number of different validation types, depending on how the CDE is used, managed and operated. Some can be performed as Self-Assessment Questionnaires (SAQs); others require a formal Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA). Merchant and service provider levels are assigned by the card brands, primarily on annual transaction volume, and determine which validation type applies. Tesserent’s team of cybersecurity QSAs can provide these services and advice. We work with our clients to determine the appropriate requirements based on the CDE, transaction level and other criteria.

Why is PCI DSS compliance important?

Complying with PCI DSS may seem onerous but there are major benefits. When your organisation is compliant, it tells customers, both current and prospective, that you see their card data as important and are taking steps to mitigate the risk of those valuable details being lost in a data breach.

As well as enhancing your reputation with customers, it sends a message to banks and card providers that you are serious about data protection and are taking active steps to mitigate the risk of a breach, and that you have processes in place to minimise the risk of a security incident.

Card brands and acquiring banks can penalise organisations that suffer a breach and are found not to have been PCI DSS compliant. Those penalties can come in the form of fines, higher card fees or, ultimately, loss of the ability to accept card payments. There can also be significant reputational damage should a breach occur and your organisation is found to be non-compliant, and it can put you at a competitive disadvantage if other participants in your market are compliant.

Cyber insurers commonly ask about PCI DSS compliance when underwriting cover, and the standard is a sound baseline for ensuring you are taking the right steps to protect your customers' payment information.

How can Tesserent help New Zealand organisations?

Tesserent has significant experience in the assessment, review and implementation of PCI DSS in New Zealand, built on years of work in the professional services, banking, insurance and telecommunications sectors. Assessment is vital for any organisation that stores, processes or transmits cardholder data. During a PCI DSS assessment we conduct the necessary artefact reviews, interviews with stakeholders and on-site inspections.

PCI DSS v4.0 has superseded v3.2.1, which was retired on 31 March 2024, so organisations need to get ahead of the change. Tesserent can partner with you on a range of PCI DSS related services including:

  • Assessment of PCI DSS controls and practices

  • PCI DSS Advisory Services (QSA)

  • PCI DSS Compliance Assessments (Report on Compliance, ROC)

  • Validation of Self-Assessment Questionnaires (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE or D, as applicable)

Tesserent’s PCI DSS services in New Zealand are comprehensive:

Initial PCI DSS Review

  • Determine the current state of operations, confirm the scope of the CDE, and identify the extent of any remediation work required across in-scope systems.

PCI DSS Advisory Services

  • Tesserent has extensive experience with PCI DSS and can advise you on the best way forward in your journey to ongoing compliance.

Preparation and performance of Self-Assessment Questionnaires

  • Working alongside you, Tesserent can support your organisation in the preparation of self-assessment questionnaires and ensure they are completed accurately.

Performance of Report on Compliance Audits

  • Organisations requiring a formal Report on Compliance (typically Level 1 merchants and service providers, or any entity whose acquirer or card brand requires it) must undergo an independent assessment by a QSA. Tesserent has extensive experience and can partner with you to ensure you follow these processes thoroughly.

PCI DSS Audits

  • Tesserent will work with you on the evidence, testing procedures and timelines for each requirement in your PCI DSS audit to ensure compliance can be demonstrated.

Frequently Asked Questions

Who needs to comply with PCI DSS?

Any organisation that stores, processes or transmits cardholder data, or whose systems could affect the security of that data, must comply with PCI DSS. This includes merchants of every size and the service providers they use; the size of the organisation affects only how compliance is validated, not whether it applies.

What are the requirements of PCI DSS?

The PCI DSS requirements include maintaining secure networks, protecting cardholder data, maintaining vulnerability management programs, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies.

How can I become compliant with PCI DSS?

Organisations become compliant by implementing the standard's requirements across the in-scope environment, assessing themselves (or being assessed by a QSA) against them, and submitting the resulting SAQ or ROC, together with an Attestation of Compliance, to their acquiring bank or card brand as required.

What are the consequences of non-compliance with PCI DSS?

Non-compliance with PCI DSS can result in fines, increased transaction fees, and even the loss of the ability to accept credit card payments.

What are some best practices for maintaining PCI DSS compliance?

Some best practices for maintaining PCI DSS compliance include keeping the scope of the CDE as small as possible (for example through network segmentation and by not storing card data you do not need), conducting regular security assessments, implementing strong access controls, educating employees on security best practices, and staying up to date with the latest security threats and technologies.

How often do I need to conduct PCI DSS assessments?

Formal validation (an SAQ or a ROC) is annual, but several requirements are periodic or continuous regardless of merchant level: for example, external vulnerability scans by an Approved Scanning Vendor (ASV) are required at least quarterly, and penetration testing at least annually and after any significant change to the environment.

What is the difference between PCI DSS compliance and PCI compliance?

In everyday use there is no difference: "PCI compliance" is shorthand for compliance with the Payment Card Industry Data Security Standard. Strictly speaking, the PCI SSC maintains other standards as well (for example for payment software and point-to-point encryption), so PCI DSS is the precise term for the requirements discussed on this page.

What is a PCI DSS scope?

PCI DSS scope is the set of people, processes and system components that store, process or transmit cardholder data, together with any systems that are connected to, or could affect the security of, that environment. Everything in scope must meet the requirements, so reducing scope, for example by segmenting networks or outsourcing card handling, reduces the cost of compliance.

What is a PCI DSS self-assessment questionnaire (SAQ)?

A PCI DSS self-assessment questionnaire (SAQ) is a validation tool that lets eligible organisations assess their own compliance with the standard's requirements. There are several types of SAQ, each tailored to a particular way of handling cardholder data (for example, fully outsourced e-commerce, standalone terminals, or direct handling of card data), and the eligibility criteria for each are set by the PCI SSC and the organisation's acquirer.

Contact us

Speak with a Tesserent Security Specialist

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.