PayWay PCI-DSS Guide

All businesses which process credit cards must comply with the Payment Card Industry Data Security Standard (PCI-DSS).

PCI-DSS specifies 12 requirements for protecting account data.

Reduce your compliance burden by outsourcing storage, processing and transmission of cardholder data to PayWay.

Read more about PCI compliance on the PCI Security Standards Council's website .

Compliance Validation

To validate you are compliant, you may be required to:

  • complete a Self-Assessment Questionnaire (SAQ)
  • conduct vulnerability scans by an Approved Scanning Vendor (ASV)
  • conduct an on-site assessment by a Qualified Security Assessor (QSA)

Your compliance validation requirements will be determined, at Westpac's discretion, by the number of transactions you process. Most PayWay merchants only need to complete a SAQ.

To determine your compliance level refer to Westpac's Guide to PCIDSS.pdf.

Self assessment questionnaires

If you are not required to undergo an on-site security assessment, you must complete an annual Self Assessment Questionnaire (SAQ).

Approved scanning vendors

An Approved Scanning Vendor (ASV) can conduct external vulnerability scans of your systems.

Qualified security assessors

A Qualified Security Assessor (QSA) can help you choose the right SAQ or conduct an on-site assessment if required.

Which SAQ must I complete?

The SAQ that you are required to complete depends on how you use PayWay.

Questionnaire Complete this if...
(22 questions)

You do not store, process or transmit cardholder data on your systems or premises.

These solutions allow the cardholder to input credit card details directly to PayWay:

  • PayWay Trusted Frame and REST API
  • PayWay Net Hosted Payment Page (No Website or Simple Link options)
  • Recurring Billing Internet Sign-Up
  • PayWay Phone

If your website has credit card input fields and is not using PayWay Trusted Frame you do not qualify for SAQ A. Upgrade to PayWay Trusted Frame.

(80 questions)

You enter payments one at time via a keyboard into PayWay Virtual Terminal.

Besides using PayWay Virtual Terminal, you do not receive or transmit cardholder data electronically. You do not store cardholder data in an electronic format.

(193 questions)

Your website does not directly receive cardholder data but can impact the security of the payment transaction. You do not store, process or transmit cardholder data on your systems or premises.

These PayWay solutions allow you to meet these requirements:

  • PayWay Net (direct post of credit card details to /MakePayment)
  • PayWay REST API (direct post of credit card details to /rest/v1/single-use-tokens-redirect)

Upgrade to PayWay Trusted Frame to meet the requirements for SAQ A.

(331 questions)

You do not qualify for any of the above questionnaires.

You store, process or transmit cardholder data on your systems or premises.

If you use these PayWay features you must complete SAQ D:

  • PayWay Classic Credit Card API
  • PayWay Batch

If you process credit cards outside of PayWay, this may change the SAQ you must complete.

Read more about Assessing the security of your cardholder data .

More information

If you have additional questions about PCI DSS, please refer to:

For sales, technical help or to report a security vulnerability, contact us.


Qvalent, a wholly owned subsidiary of Westpac Banking Corporation ABN 33 007 457 141 AFSL & Australian credit license 233714 ("Westpac"), is not your Qualified Security Assessor (QSA). These guidelines are general in nature and have been prepared without knowledge of your circumstances or the environment in which your systems operate. Compliance with PCI-DSS does not guarantee your systems are secure. You are responsible for maintaining the security of your systems. These guidelines are current as at 16 Apr 2019, but may be subject to updated industry standards or merchant requirements over time. They should not be forwarded to any other party without Westpac's written consent. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.