PCI-DSS compliance

Fact sheet

Final | March 2018 | v1.0.0 | OFFICIAL - PUBLIC | Queensland Treasury

Queensland Treasury assists and coordinates the Queensland Government’s PCI-DSS processes; however it is the responsibility of each department to ensure it complies with PCI-DSS.

Most Queensland Government departments receive payments from their customers which typically involve the acceptance of credit, debit and prepaid cards issued by Visa and Mastercard. These payments are vulnerable to fraud when Cardholder Data (CHD) which includes the card number, expiry date and cardholder name is stored by the merchant.

The incidence of fraud is significantly increased if the merchant also stores Sensitive Authentication Data (SAD) like the Card Validation Value (CVV) which is the three-digit number embossed on the back of the card.

PCI-DSS compliance obligations

To minimise the level of fraud, an information standard was introduced by Visa and Mastercard (in addition to three other card schemes) in 2004 known as the Payment Card Industry Data Security Standard (PCI-DSS).

Merchants around the world (including government departments) are required to comply with approximately 320 requirements set out in the PCI-DSS. The Standard places an obligation on merchants to safeguard their customers’ CHD, whenever they transmit, process or store this data. While the PCI-DSS permits the transmission and processing of SAD, it specifically prohibits it from being stored.

Non-compliance with the PCI-DSS can result in fines being imposed and major breaches can result in a card scheme stopping its customers from paying the merchant with its card. Affected customers can also bring legal action (typically in a Class Action) which can involve millions (and sometimes billions) of dollars being paid by the merchant in damages.

Departments also have a contractual requirement to comply with PCI-DSS under the Queensland Whole of Government Transactional Banking and Payment Services Deed which was put in place with the Commonwealth Bank of Australia in June 2014.

Department responsibilities

Queensland Treasury assists and coordinates the Queensland Government’s PCI-DSS processes; however it is the responsibility of each department to ensure it complies with PCI-DSS. This usually involves joint action undertaken by the Information Technology and Finance areas of the department to monitor card payments received from its customers.

Formal compliance is normally demonstrated by filling in the relevant PCI-DSS Self-Assessment Questionnaire (SAQ) and, if applicable, arranging a quarterly scan to be performed by an Approved Scanning Vendor (ASV) of the department’s relevant websites.

For further information

If you have any queries about your compliance with the PCI-DSS, these should be addressed to the Government Banking Unit within Queensland Treasury by sending an email to (Govbank@treasury.qld.gov.au).


Last Reviewed: 25 October 2019