PayWay PCI-DSS Guide
All businesses which process credit cards must comply with the Payment Card Industry Data Security Standard (PCI-DSS).
PCI-DSS specifies 12 requirements for protecting account data.
Read more about PCI compliance on the PCI Security Standards Council's website.
To validate you are compliant, you may be required to:
- complete a Self-Assessment Questionnaire (SAQ)
- conduct vulnerability scans by an Approved Scanning Vendor (ASV)
- conduct an on-site assessment by a Qualified Security Assessor (QSA)
Your compliance validation requirements will be determined, at Westpac's discretion, by the number of transactions you process. Most PayWay merchants only need to complete a SAQ.
To determine your compliance level refer to Westpac's Guide to PCIDSS.pdf.
Self assessment questionnaires
If you are not required to undergo an on-site security assessment, you must complete an annual Self Assessment Questionnaire (SAQ).
Approved scanning vendors
An Approved Scanning Vendor (ASV) can conduct external vulnerability scans of your systems.
Qualified security assessors
A Qualified Security Assessor (QSA) can help you choose the right SAQ or conduct an on-site assessment if required.
Which SAQ must I complete?
The SAQ that you are required to complete depends on how you use PayWay.
| Questionnaire | Complete this if... |
|---|---|
| SAQ A | You do not store, process or transmit cardholder data on your systems or premises. These solutions allow the cardholder to input credit card details directly to PayWay: If your website has credit card input fields and is not using PayWay Trusted Frame, you do not qualify for SAQ A. Upgrade to PayWay Trusted Frame. |
| (questionnaire not named on this page) | You enter payments one at a time via a keyboard into PayWay Virtual Terminal. Besides using PayWay Virtual Terminal, you do not receive or transmit cardholder data electronically. You do not store cardholder data in an electronic format. |
| (questionnaire not named on this page) | Your website does not directly receive cardholder data but can impact the security of the payment transaction. You do not store, process or transmit cardholder data on your systems or premises. These PayWay solutions allow you to meet these requirements: Upgrade to PayWay Trusted Frame to meet the requirements for SAQ A. |
| SAQ D | You do not qualify for any of the above questionnaires. You store, process or transmit cardholder data on your systems or premises. If you use these PayWay features you must complete SAQ D: |
If you process credit cards outside of PayWay, this may change the SAQ you must complete.
Read more about Assessing the security of your cardholder data.
If you have additional questions about PCI DSS, please refer to:
- the PCI Security Standards website
- your Qualified Security Assessor (QSA)
- Westpac via email firstname.lastname@example.org
For sales, technical help or to report a security vulnerability, contact us.
Qvalent, a wholly owned subsidiary of Westpac Banking Corporation ABN 33 007 457 141 AFSL & Australian credit license 233714 ("Westpac"), is not your Qualified Security Assessor (QSA). These guidelines are general in nature and have been prepared without knowledge of your circumstances or the environment in which your systems operate. Compliance with PCI-DSS does not guarantee your systems are secure. You are responsible for maintaining the security of your systems. These guidelines are current as at 16 Apr 2019, but may be subject to updated industry standards or merchant requirements over time. They should not be forwarded to any other party without Westpac's written consent. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.