Help & Support


Common questions about PCI DSS

Do I have to validate my compliance status with BNZ?

You must validate PCI DSS compliance if your organisation is identified as being within Level 1-3 categories or if you are a Level 4 merchant and BNZ has requested validation of your compliance. All merchants must be compliant with the PCI DSS at all times, as per your Merchant Terms and Conditions – Section 3.7 Data security standards.

I've been a BNZ merchant for twenty years, why is BNZ asking me to comply with PCI DSS suddenly?

The card schemes require us to monitor and manage PCI DSS compliance of BNZ merchants. As data theft and security breaches are on the increase, the card schemes are mandating a higher number of PCI DSS compliance validations.

Does PCI DSS compliance guarantee that I will not suffer data theft or a security breach?

PCI DSS defines a minimum data security standard to help secure sensitive cardholder data.  BNZ, the Payment Card Industry Security Standards Council and the card schemes do not guarantee that these standards will prevent data theft, security breaches or losses.

Does the PCI DSS scope only include credit cards or debit cards as well?

Any debit, credit and pre-paid card that is branded by a card scheme which participates in the  Payment Card Industry Security Standards Council is included in the scope. E.g. Any Mastercard, Visa, American Express, China UnionPay, Discover or JCB card.

What are the responsibilities of BNZ as my Acquiring Bank?

BNZ must ensure compliance of their acquired merchants and all service providers that store, process and/or transmit cardholder data.   Under section 3.7 of Your Merchant Agreement - General Terms and Conditions you will be liable for fines imposed on BNZ by the card schemes as a result of your organisations not being compliant.

How long does it take to become PCI DSS compliant?

There is no set length of time it takes to become PCI DSS compliant.  Factors such as what existing security standards are in place, the size and complexity of the network and the amount of work needed to gain PCI DSS compliance will influence the timeframe. You are required to validate your compliance by such date as may be advised by BNZ and annually on an ongoing basis.

Once I am compliant, am I finished with PCI DSS?

PCI DSS compliance is an on-going process and should be standard practice for all entities that store, process and/or transmit cardholder data.

What will happen if I don't validate PCI DSS compliance by the date requested?

The card schemes can issue various fines for non compliance with PCI DSS You will be liable to reimburse us for any fines and BNZ may have no choice but to terminate your merchant facility if PCI DSS compliance is not achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which will limit your ability to gain a merchant facility from another bank.

As PCI DSS compliance is validated annually, will BNZ remind me when my next validation is due?

It is each merchant's responsibility to ensure they keep track of all PCI DSS validation dates and requirements.

How do I know which PCI DSS level my organisation is?

The level of PCI DSS your organisation fits into is determined by the number of transactions you process per year and also takes into account the method of processing in some instances. Further detailed information can be found by viewing the BNZ Guide to PCI DSS compliance.

What happens if my PCI DSS compliance level changes and how will I know?

BNZ reviews the volumes of payment card transactions for its merchants and will contact you if your applicable PCI DSS level changes and you are required to revalidate your compliance according to the requirements that apply to the new level

How do I determine which Self Assessment Questionnaire (SAQ) to complete?

For information and help with selecting the correct SAQ, refer to the BNZ Guide to PCI DSS compliance.

We have several business locations throughout New Zealand; do we need to complete an SAQ for each location?

One SAQ will apply if the locations all share identical operating policies and procedures.  You may need to complete separate SAQ documents where operating policy and procedures differ between locations, dependent on the variances in how you store, process and / or transmit cardholder data.

Where can I obtain a copy of the SAQ or information on scan or audit procedures?

You can download the latest versions of the PCI DSS SAQs, scan & audit procedures from the PCI Security Council.

I have not passed the SAQ or Vulnerability Scan, what do I need to do to pass?

To pass the SAQ you will need to make any changes necessary to satisfy the failed PCI DSS requirement and be able to answer "Yes" to all applicable questions.   If a vulnerability scan is failed, you will need to fix the issues identified and subsequently pass another scan before you are considered compliant in this area.

How do I know which Approved Scanning Vendor or Qualified Security Assessor to use?

All PCI DSS Approved Scanning Vendors and Qualified Security Assessors are listed on the PCI Security Council website.

Disclaimer: ASVs and QSAs have been accredited by the PCI SSC. Neither the PCI SSC nor BNZ guarantee the performance of these approved ASVs and QSAs.

Where do I send my completed PCI DSS documents?

Please email your completed documents to pcidss@bnz.co.nz

I run a home based business using my home computer, am I likely to suffer data theft or a security breach?

Home based businesses can be highly vulnerable due to poor data security standards.  Fraudsters often target 'always on' broadband connections, chat applications, online games and file sharing applications. Having a separate work computer is recommended if possible.

My E-Commerce website has a secure socket layer (SSL) or Transport Layer Security (TLS) certificate; does this make me compliant?

SSL and early versions of Transport Layer Security (TLS) are not considered strong cryptography and cannot be used as a security control after 30 June 2016. The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2. A TLS certificate is only one aspect of PCI DSS Requirement 4 (if applicable to your organisation) and does not secure a web server from attacks or breaches. PCI DSS is a minimum international security standard and consists of a number of requirements.

I use someone else to process my credit card transactions. Do they have to be PCI DSS compliant?

Yes, if you are using a bureau / third party, you must ensure that they are PCI DSS compliant. You should request an Attestation of Compliance certificate from your chosen bureau. BNZ also recommends you include full and continuous compliance with PCI DSS as a condition of your contract with that third party.

What do I do if I think my business has suffered an Account Data Compromise?

Contact and inform the BNZ Fraud team immediately on 0800 240 000 or +64 4 801 2400 from Overseas (international toll charges apply), email pcidss@bnz.co.nz or contact your relationship manager. For website breaches, it is advisable not to delete any logs or alter the website environment to assist with any investigation after the breach.

After suffering a security breach and being classified as a Level 1 Merchant as a result, how long will it take to return to my normal PCI DSS level?

Reverting back to your original PCI DSS level generally takes one year, however an application can be submitted by BNZ to the card schemes on your behalf to apply for early reclassification.  Level 1 merchants require an onsite review by a Qualified Security Assessor annually.

Glossary

Account Data Compromise

Refers to unauthorised access, theft or loss of sensitive card account data.

Acquirer

Also referred to as acquiring financial institution. Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

Approved Scanning Vendor ("ASV")

Company approved by the PCI SSC to conduct external vulnerability scanning services.

Attestation of Compliance ("AOC")

Declaration of a merchant’s compliance status with the PCI DSS requirements and security assessment procedures.

Bureau

Refers to a third party used by you to transmit information between you and BNZ on your behalf.

Card Schemes

Card Schemes means Visa, Mastercard, American Express and China UnionPay or any other card scheme with whose card scheme rules we are obliged to comply with.

Card Validation Code

This code or value is the rightmost three-digit value printed in the signature panel area on the back of a scheme card.

PCI DSS

Acronym for Payment Card Industry Data Security Standard.  The PCI DSS is an information security standard for all organisations which store, process and / or transmit scheme card transactions.

PCI SSC

Acronym for Payment Card Industry Security Standards Council. The PCI SSC was created in 2006 by Visa International, Mastercard Worldwide, American Express, JCB International and Discover Financial Services to manage the PCI DSS.

Qualified Security Assessor ("QSA")

Company approved by the PCI SSC to conduct PCI DSS on-site assessments.

Self Assessment Questionnaire ("SAQ")

Tool used by any entity to validate its own compliance with PCI DSS.

Web Server

Refers to a computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).