PayWay PCI-DSS Guide
All businesses which process credit cards must comply with the Payment Card Industry Data Security Standard (PCI-DSS).
PCI-DSS specifies 12 requirements for protecting account data.
Read more about PCI compliance on the PCI Security Standards Council's website.
Compliance Validation
To validate you are compliant, you may be required to:
- complete a Self-Assessment Questionnaire (SAQ)
- conduct vulnerability scans by an Approved Scanning Vendor (ASV)
- conduct an on-site assessment by a Qualified Security Assessor (QSA)
Your compliance validation requirements will be determined, at the bank's discretion, by the number of transactions you process. Most PayWay merchants only need to complete a SAQ.
Westpac customers
To determine your compliance level, refer to Your guide to the Payment Card Industry Data Security Standard (PCI DSS), available at westpac.com.au/merchant-terms
St. George customers
To determine your compliance level, refer to Your guide to the Payment Card Industry Data Security Standard (PCI DSS), available at stgeorge.com.au/merchant-terms
Self assessment questionnaires
If you are not required to undergo an on-site security assessment, you must complete an annual Self Assessment Questionnaire (SAQ).
Approved scanning vendors
An Approved Scanning Vendor (ASV) can conduct external vulnerability scans of your systems.
Qualified security assessors
A Qualified Security Assessor (QSA) can help you choose the right SAQ or conduct an on-site assessment if required.
Which SAQ must I complete?
The SAQ that you are required to complete depends on how you use PayWay.
Questionnaire | Complete this if... |
---|---|
SAQ A (22 questions) | You do not store, process or transmit cardholder data on your systems or premises. These solutions allow the cardholder to input credit card details directly to PayWay: If your website has credit card input fields and is not using PayWay Trusted Frame, you do not qualify for SAQ A. Upgrade to PayWay Trusted Frame. Self-Assessment Questionnaire A and Attestation of Compliance |
SAQ C-VT (80 questions) | You enter payments one at a time via a keyboard into PayWay Virtual Terminal. Besides using PayWay Virtual Terminal, you do not receive or transmit cardholder data electronically. You do not store cardholder data in an electronic format. Self-Assessment Questionnaire C-VT and Attestation of Compliance |
SAQ A-EP (193 questions) | Your website does not directly receive cardholder data but can impact the security of the payment transaction. You do not store, process or transmit cardholder data on your systems or premises. These PayWay solutions allow you to meet these requirements: Upgrade to PayWay Trusted Frame to meet the requirements for SAQ A. Self-Assessment Questionnaire A-EP and Attestation of Compliance |
SAQ D (331 questions) | You do not qualify for any of the above questionnaires. You store, process or transmit cardholder data on your systems or premises. If you use these PayWay features, you must complete SAQ D: Self-Assessment Questionnaire D and Attestation of Compliance for Merchants; Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers |
If you process credit cards outside PayWay, this may change the SAQ you must complete.
Read more about Assessing the security of your cardholder data.
More information
If you have additional questions about PCI DSS, please refer to:
- the PCI Security Standards website
- your Qualified Security Assessor (QSA)
- for Westpac customers, email pci@westpac.com.au
- for St. George customers, email pci@stgeorge.com.au
For sales, technical help or to report a security vulnerability, contact us.
Disclaimer
Qvalent, a wholly owned subsidiary of Westpac Banking Corporation ABN 33 007 457 141 AFSL & Australian credit license 233714 ("Westpac"), is not your Qualified Security Assessor (QSA). These guidelines are general in nature and have been prepared without knowledge of your circumstances or the environment in which your systems operate. Compliance with PCI-DSS does not guarantee your systems are secure. You are responsible for maintaining the security of your systems. These guidelines are current as at 16 Apr 2019, but may be subject to updated industry standards or merchant requirements over time. They should not be forwarded to any other party without Westpac's written consent. Except where contrary to law, Westpac intends, by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.