Scam and card fraud losses totalled $194 million New Zealand dollars (NZD) in 2024 and are continuing to accelerate. While not required by New Zealand law, businesses that accept card payments in the country are expected to comply with the Payment Card Industry Data Security Standard (PCI DSS). Card networks enforce compliance through merchant agreements. Failing to comply can result in fines, higher transaction costs, or even losing the ability to accept card payments.
Below, we’ll cover PCI DSS requirements, the most common compliance challenges New Zealand businesses face, and how to successfully achieve compliance.
Key takeaways
PCI DSS compliance is enforced through merchant agreements with card networks and acquiring banks rather than New Zealand law. However, the financial and operational consequences of noncompliance are substantial.
The scope of your compliance obligations depends on how much cardholder data your systems handle. You can simplify the compliance process by reducing your exposure.
Choosing the right self-assessment questionnaire (SAQ) and assigning clear internal ownership are two of the most important decisions that impact a New Zealand business’s compliance success.
What is PCI compliance in NZ?
PCI compliance means meeting the global PCI DSS requirements around a secure network, cardholder data, and access control and information security. These measures must be followed by all businesses handling cardholder data—from a café taking tap payments to a software company billing subscribers globally.
Why does PCI compliance matter for New Zealand businesses?
Card fraud losses in New Zealand amount to hundreds of millions of dollars annually. Compliance helps protect cardholder data and reduce the risk of fraud.
The consequences of non-compliance fall into a few categories:
Fines: Payment networks and acquiring banks can levy fines. These can range from hundreds to hundreds of thousands of dollars depending on the severity of the violation.
Increased transaction costs: Acquiring banks can move non-compliant businesses to higher interchange tiers.
Liability for fraud losses: If a breach occurs and you weren’t compliant at the time, you could be held liable by your insurance and acquiring bank for the cost of fraudulent transactions, card replacement, and forensic investigation.
Termination of card acceptance: In serious cases, acquiring banks or processors can revoke your ability to accept card payments.
There’s also reputational damage. New Zealand’s Privacy Act 2020 requires businesses to notify affected individuals and the Privacy Commissioner after a privacy breach that causes serious harm.
How does PCI compliance work?
PCI DSS organises its requirements around the cardholder data environment (CDE), which is the systems, people, and processes that store, process, or transmit cardholder data. The scope of your compliance obligations depends largely on the size and shape of your CDE.
The current standard is PCI DSS 4.x, which the Security Standards Council released in March 2022 with a transition deadline that made it the sole active version as of March 2024. Version 4.0 introduced bigger changes that provide more flexibility in how businesses can meet certain requirements. Minor updates have been released since then, but the main tenets remain the same. Compliance is validated through SAQs or formal audits by a qualified security assessor (QSA). It also depends on your transaction volume and how you handle card data:
SAQ A: Generally the simplest path, this applies to businesses that have fully outsourced card processing and don’t touch cardholder data themselves.
SAQ A-EP: Typically applies if you use a third-party payment page but your own website handles the redirect.
SAQ D: The most comprehensive path, SAQ D applies to businesses that store cardholder data or process it in ways that don’t fit a simpler category.
Level 1 merchants: Level 1 merchants, such as those that process over 6 million Visa or Mastercard transactions annually, must submit a Report on Compliance (ROC) by a QSA.
Many small to midsized New Zealand businesses will qualify for one of the SAQ paths. Which one depends largely on your payment integration model.
What are the PCI compliance requirements for New Zealand businesses?
PCI DSS contains 12 core requirements. These requirements are grouped under six control objectives:
1. Build and maintain a secure network
Install and maintain network security controls. This is the foundation of successful compliance.
2. Protect account data
Use strong cryptography to protect stored cardholder data. Never store the card verification code after authorisation, and ensure the transmission of cardholder data is encrypted across open, public networks.
3. Maintain a vulnerability management programme
Protect systems against malware and develop secure systems and software. This includes patching schedules, vulnerability scanning, and application security testing.
4. Implement strong access control measures
Cardholder data should be restricted to a need-to-know basis. Identify and authenticate every user with unique credentials, and physically restrict access to systems that store or process cardholder data.
5. Monitor and test networks
Monitor and log all access to network resources and cardholder data. Test security systems and processes regularly. Conduct vulnerability scans and penetration testing across many environments.
6. Maintain an information security policy
Maintain a policy that covers information security for all personnel and includes training and clear accountability.
Some of these requirements can become the provider’s responsibility, provided the New Zealand business has properly integrated its online or in-person payment solution.
What challenges do New Zealand businesses face with PCI compliance?
Becoming PCI compliant can trip up New Zealand businesses in predictable ways. Once you have visibility into where things go wrong, compliance becomes manageable.
Bigger scope than expected
A common compliance problem is underestimating the scope of the CDE. Any system connected to your CDE—whether you’re aware of it or not—falls under PCI DSS requirements. Businesses might discover that their CDE is far larger than they assumed once they start mapping data flows.
Legacy infrastructure
Many businesses in New Zealand might be running older point-of-sale (POS) hardware and on-premises software that wasn’t designed for PCI DSS 4.0. Upgrading can be expensive and disruptive. Maintaining compliance with legacy systems can mean added complexity.
Misunderstanding what outsourcing covers
Using a PCI-compliant payments provider doesn’t automatically make your business compliant. For example, your website might have a vulnerability that allows an attacker to intercept card data before it reaches the provider’s payment form, and that breach becomes your problem. The boundary between your responsibility and your provider’s responsibility needs to be clearly defined.
Staff turnover and training gaps
PCI DSS requires security awareness training for all personnel who interact with cardholder data. It can be difficult to keep training current in industries with high turnover.
The SAQ selection problem
Make sure you’re choosing the right SAQ. A business that thinks it qualifies for SAQ A but has actually retained some involvement in cardholder data processing might be substantially underreporting its compliance obligations.
How can New Zealand businesses ensure PCI compliance?
A good way to reduce your compliance burden is to reduce your cardholder data environment.
Consider the following approaches:
Use a payments provider that keeps card data off your systems
Payments providers such as Stripe that use tokenisation and hosted payment fields collect card data directly into their environment so that your servers don’t receive raw card numbers. Combined with PCI Service Provider Level 1 certification, this can simplify many businesses’ compliance paths.
Map your data flows first
You can’t scope a PCI assessment without knowing where cardholder data goes. Rigorously map every system that might touch card data. Then, any time you add a new integration, update your checkout flow, or change your customer relationship management (CRM) system, update the map as well.
Get the right SAQ
Talk to your acquiring bank or a QSA before selecting your SAQ. The card networks publish SAQ eligibility criteria, and the right decision isn’t always obvious. If you choose incorrectly early on, every subsequent compliance decision compounds the error.
Treat penetration testing seriously
Penetration testing has a substantial impact on your compliance success. A genuine test of your CDE, including your payment pages, authentication mechanisms, and internal network segmentation, can surface vulnerabilities that automated scanning misses.
Assign clear internal ownership
PCI compliance can fall through the gaps when it’s assumed that someone is taking care of it, such as IT, your CFO or whoever originally set up the payment system. Each requirement needs to be assigned to a designated person.
Build evidence collection into your operations
Assessors require evidence. Vulnerability scans, access logs, training completion records, and patch histories need to exist and be retrievable. Building that documentation into your regular operations is far less painful than reconstructing it before an assessment.
How Stripe Connect can help
Stripe Connect orchestrates money movement across multiple parties for software platforms and marketplaces. It offers quick onboarding, embedded components, global payouts and more.
Connect can help you:
Launch in weeks: Use Stripe-hosted or embedded functionality to go live faster and avoid the up-front costs and development time usually required for payment facilitation.
Manage payments at scale: Use tooling and services from Stripe so you don't have to dedicate extra resources to margin reporting, tax forms, risk, global payment methods or onboarding compliance.
Grow globally: Help your users reach more customers worldwide with local payment methods and the ability to easily calculate sales tax, VAT and GST.
Build new lines of revenue: Optimise payment revenue by collecting fees on each transaction. Monetise Stripe's capabilities by enabling in-person payments, instant payouts, sales tax collection, financing, expense cards and more on your platform.
Learn more about Stripe Connect or get started today.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.