That PCI compliance letter from your bank is not a crisis

PCI surprise
The letter is not a new requirement; it is a reminder of an existing one. (Source: Supplied)

Over the past 18 months, a pattern has been forming across Australian retail: merchants who have been accepting card payments for years are receiving letters from their payment providers asking, for the first time, for a PCI DSS compliance report.

The letter often arrives with little notice, a tight deadline, and language that sounds like something has gone wrong.

Here’s the good news: Nothing has gone wrong. This is routine. But the letter does need a response, and understanding what’s behind it makes the response straightforward.

Why now?

Three things have converged. First, PCI DSS v4.0.1 is now the only active version of the standard. The previous version was retired at the end of 2024, and 51 requirements that had been flagged as future-dated best practices became mandatory on March 31, 2025. Payment providers are updating their compliance programs to match, and for many, that means tightening reporting expectations for their merchant base.

Second, Mastercard’s requirement for Level 2 merchants to engage a Qualified Security Assessor (QSA) when completing certain self-assessment questionnaires is being enforced more consistently in Australia than it has historically. Providers that previously accepted a merchant’s own attestation are now asking for QSA validation.

Third, Australian e-commerce has grown substantially since 2020. More merchants are now transacting at volumes that place them in a higher merchant-level band than when they signed their original agreements. Higher levels carry higher validation obligations.

What your provider is actually asking for

Every business that accepts payment cards under a direct merchant agreement with an acquirer – NAB, CBA, Westpac, ANZ, Tyro, or similar – is bound by the card scheme rules of Visa, Mastercard, and American Express. Those rules require annual validation to confirm that the merchant is handling cardholder data securely.

The mechanism for reporting the validation is often a Self-Assessment Questionnaire (SAQ), a structured set of controls that the merchant works through and attests to. For most mid-market Australian e-commerce merchants, the relevant SAQ is either SAQ A (where cardholder data handling is fully outsourced to a PCI DSS-compliant payment gateway such as Tyro or NAB Transact, and every element of the payment page delivered to the customer's browser comes directly from that provider) or SAQ A-EP (where the merchant's own website has some control over the payment page, for example by delivering scripts that wrap or call a third-party payment form). A merchant that uses both payment flows can report under both SAQs.

SAQ A is lean. SAQ A-EP is a little more involved because it covers system hardening, vulnerability management, and penetration testing. Both now require quarterly external vulnerability scans. Choosing the right SAQ is crucial and will save work in later years; the choice depends on how your payment integration actually works and on the eligibility criteria under PCI DSS v4.0.1. Merchants should re-check which SAQ applies each cycle rather than assume or guess, because a page that only needs a hosted form today can drift into SAQ A-EP territory with a single added script.

How much work is involved?

For a well-scoped SAQ A or SAQ A-EP engagement with a merchant whose controls are reasonably mature, the validation work typically takes about a week of effort spread over two to four weeks of calendar time (depending mostly on merchant resourcing and availability). If you have never completed an SAQ before, the first year will take more effort because you are building the evidence base from scratch: documenting policies, confirming technical configurations, and gathering evidence for controls that are probably already in place but have not been formally recorded. After that, subsequent years are lighter.

If a QSA is required (for Mastercard Level 2, at the provider's discretion, or simply because the merchant wants to be sure), the QSA adds an independent evidence review and formal sign-off, but does not fundamentally change the workload.

Reducing scope before you validate

The single most valuable step that the QSA can help with is scope reduction. If your payment integration currently puts you in SAQ A-EP territory, moving to a hosted or iframe payment page (for example) can shift you to SAQ A, which has fewer controls, takes less time, and costs less to validate. The savings compound year on year because the simpler SAQ applies every annual cycle (assuming your payment processes remain stable).

For merchants on SAQ A-EP or SAQ D, another option is shifting responsibility for specific control areas to a PCI DSS-compliant service provider. Controls performed by a compliant third party are inherited through a shared responsibility matrix recorded in the attestation, reducing what the merchant must evidence directly. The merchant still needs to confirm, and keep on file, that the provider's own attestation covers those controls and is current.

What to do with the letter?

Read it, but don't panic. Confirm your merchant level with your payment provider. Check which SAQ applies to your current payment integration. If you're unsure, a scoping conversation with a QSA company like DotSec (all QSA companies are listed on the PCI Security Standards Council website) will quickly clarify the position.

Remember, nothing has gone wrong. The letter is not a new requirement; it is a reminder of an existing one, arriving now because the standard has been updated and enforcement has tightened.

For most Australian merchants, annual PCI DSS validation is a bounded, well-defined task. Once the structure is understood, it stops being alarming and starts being routine.
