
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy.
What are the benefits of PCI DSS compliance?
PCI DSS compliance assists your business in protecting Payment Card data and minimising the risk of theft of Cardholder information or compromise of your business systems.
Maintaining a PCI DSS compliance program helps your business identify potential vulnerabilities and may reduce the financial penalties and remediation costs from a data breach.
Validating PCI DSS Compliance
To validate compliance with PCI DSS, your business must complete the following validation tasks:
1) Annual PCI DSS Assessment
The Self-Assessment Questionnaire (SAQ) is a free assessment tool used to assess compliance with the PCI DSS standards. There are 4 different SAQs, covering a variety of payment processing environments, available to download from the PCI SSC website at: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Compliance assessments may also be performed by completing an onsite audit with an independent PCI approved Qualified Security Assessor (QSA). PCI maintains a list of PCI approved QSAs at: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
2) Quarterly Network Vulnerability Scans
If your business accepts payments via the Internet, or has any electronic storage of Cardholder or transaction information, then Quarterly Network Vulnerability Scanning is required to ensure compliance with PCI DSS.
An external vulnerability scan enables your business to assess your level of security against potential external threats.
PCI-approved scanning tools are used to generate traffic that tests your network equipment, hosts, and applications for known vulnerabilities; the scan is intended to identify such vulnerabilities so they can be corrected.
ANZ provides a complimentary PCI DSS Compliance Program to our merchants, including PCI-approved Network Vulnerability Scanning. Please email pcicompliance@anz.com or contact ANZ on 1800 039 025 to request access to our PCI DSS program.
7.2 Securing Transaction Records
In general, no cardholder data should be stored unless it is strictly for use within the business and absolutely necessary.
However, if you have authority from ANZ to process mail order / telephone order, eCommerce, recurring or manual payments you may be required to store cardholder data and transaction records. Please ensure all paper and electronic records containing