PCI DSS Compliance Policy
| Code | PAY-006 |
| Domain | Payments & Settlement |
| Owner | Head of Payments |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD06 |
| Review date | 2027-03-25 |
Regulations: PCI DSS v4.0 — Payment Card Industry Data Security Standard
Purpose
Govern the platform's obligations in relation to PCI DSS compliance for the storage, processing, and transmission of cardholder data.
Scope
All systems, processes, and staff that store, process, or transmit cardholder data or that could affect the security of the cardholder data environment.
Policy statements
The platform SHALL maintain compliance with the current version of the Payment Card Industry Data Security Standard (PCI DSS). The scope of the cardholder data environment (CDE), including systems that are connected to it or that could affect its security, SHALL be documented and confirmed at least annually and after any significant change to the environment.
Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) SHALL NOT be retained after transaction authorisation under any circumstances, even if encrypted. Other cardholder data, including the primary account number (PAN), SHALL NOT be stored after authorisation unless there is a documented and justified business need. Where storage of the PAN is necessary, it SHALL be rendered unreadable anywhere it is stored using a method permitted by PCI DSS (strong cryptography with managed keys, keyed hashing, truncation, or index tokens), and it SHALL be masked when displayed so that no more than the BIN and the last four digits are visible to staff without a documented need to see the full PAN.
The platform SHALL undergo a PCI DSS assessment annually. Level 1 merchants and Level 1 service providers SHALL obtain a Report on Compliance (RoC) from a Qualified Security Assessor (QSA); lower levels MAY complete the applicable Self-Assessment Questionnaire (SAQ). The RoC or SAQ, together with the signed Attestation of Compliance (AOC), SHALL be submitted to the acquirer or the relevant payment scheme, as applicable, within the required timeframes.
Any system, network, or process change that could affect the CDE SHALL be assessed for PCI DSS impact before implementation, including changes that introduce new connectivity to, or new data flows through, the CDE. Changes that expand the CDE scope SHALL require CTO approval and notification to the QSA.
Cardholder data SHALL be encrypted in transit using TLS 1.2 or later with strong cipher suites; SSL and earlier TLS versions SHALL be disabled. This applies to transmission over any network, not only open, public networks. Unencrypted transmission of cardholder data, including PANs sent through end-user messaging such as email or chat, SHALL be prohibited.
Access to cardholder data SHALL be restricted, on a least-privilege and need-to-know basis, to staff and systems with a documented need. Access rights SHALL be reviewed at least quarterly and revoked immediately upon role change or departure.
A breach or suspected breach involving cardholder data SHALL be reported to the acquirer, the relevant payment schemes, and any affected issuers within the timeframes required by scheme rules, and a PCI Forensic Investigator (PFI) SHALL be engaged where those rules require it. The platform SHALL maintain an incident response plan that addresses CDE breaches and SHALL test it at least annually.
Satisfying modules
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-124 | Physical card issuance and bureau integration | AUTO | Card personalisation data is transmitted to the bureau using point-to-point encryption; full PANs are never stored in application logs or databases outside of PCI DSS-compliant storage. |
Compiled 2026-05-22 from source/entities/policies/PAY-006.yaml