New Zealand PCI Compliance
You’ve just received an email from your payment processor with “PCI Compliance Questionnaire” in the subject line. Your heart sinks. It sounds technical, expensive, and frankly intimidating. Here’s the good news: for most New Zealand businesses, PCI compliance is simpler than you think. In fact, if you’re using modern payment terminals or hosted checkout pages, you’re already doing most of what’s required. This guide will walk you through exactly what you need to do, in plain English, without the jargon or scare tactics.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as the minimum security standards for handling customer payment information — like having locks on your doors and an alarm system for your business, but for credit card data.
The major card brands (Visa, Mastercard, American Express, Discover) created these standards through an organization called the PCI Security Standards Council. While the card brands set the rules, it’s actually your acquirer (the bank or payment processor that handles your card transactions) who enforces them. That’s why they’re the ones sending you compliance questionnaires.
Why Should You Care?
Non-compliance has real consequences:
- Fines from your payment processor (typically $5,000-$100,000 per month)
- Liability for any fraudulent transactions if there’s a breach
- Loss of card processing privileges — you literally can’t accept cards anymore
- Breach costs including forensic investigation, customer notification, and reputation damage
But here’s what most compliance companies won’t tell you: most small businesses qualify for the simplest compliance requirements. If you’re using Square terminals or have a Shopify store, you’re not in the same category as a major retailer storing millions of card numbers.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit or debit cards in any form, yes. It doesn’t matter if you’re a corner dairy in Auckland or an online store shipping throughout New Zealand — if customers can pay with plastic, PCI compliance applies to you.
Your Merchant Level
Your compliance requirements depend on your merchant level, which is based on annual transaction volume:
- Level 4: Under 20,000 Visa transactions or under 1 million total transactions annually (most small businesses)
- Level 3: 20,000 to 1 million e-commerce transactions annually
- Level 2: 1 to 6 million transactions annually
- Level 1: Over 6 million transactions annually
Most New Zealand small businesses are Level 4, which means you complete a Self-Assessment Questionnaire (SAQ) rather than hiring an external assessor. This is good news — it’s simpler and much less expensive.
What Your Payment Processor Expects
When your acquirer or payment processor sends that compliance questionnaire, they’re asking you to:
1. Complete the appropriate SAQ for your business
2. Run quarterly vulnerability scans if you have any systems connected to the internet
3. Submit your Attestation of Compliance (AOC) — basically your signature saying you’ve done the work
4. Maintain compliance year-round (it’s not a one-time thing)
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept and process card payments. Think of it as choosing the right form — using the wrong one wastes everyone’s time.
Here’s the decision tree in plain language:
| How You Accept Payments | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment gateway (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (no connected systems) | SAQ B | 41 | Simple |
| Standalone terminals connected to internet | SAQ B-IP | 82 | Simple |
| Phone/mail orders, no electronic storage | SAQ C-VT | 160 | Moderate |
| Anything else (storing cards, integrated POS) | SAQ D | 329 | Complex |
Common New Zealand Scenarios
If you run a café with a Square terminal: You’re likely SAQ B or SAQ B-IP depending on whether the terminal connects to the internet.
If you have a WooCommerce site using Stripe: If customers enter card details on your site, you’re SAQ A-EP. If you redirect to Stripe’s hosted checkout, you’re SAQ A.
If you’re a tradie taking payments over the phone: You’re SAQ C-VT if you’re typing those numbers into a virtual terminal.
If you’re storing card numbers in QuickBooks: Stop immediately and switch to tokenization — otherwise you’re stuck with SAQ D and its 329 requirements.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is straightforward. The questionnaire is a series of yes/no questions about your security practices. Here’s what to expect:
What the Questions Look Like
Each question asks about a specific security control. For example:
- “Do you have a firewall protecting your payment systems?”
- “Do you change default passwords on all devices?”
- “Is antivirus software installed and updated regularly?”
Important: “Yes” means you’re actually doing it, not that you plan to. Be honest — false attestation can result in bigger fines than non-compliance.
Documentation You’ll Need
Gather these before you start:
- Network diagram (even a simple sketch works for small businesses)
- List of payment devices (terminals, POS systems)
- Security policies (can be simple one-pagers for small businesses)
- Vendor compliance certificates (your payment processor should provide these)
The Quarterly ASV Scan
If your SAQ type requires it (most do except SAQ B), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks your internet-facing systems (public IP addresses and websites) for known security vulnerabilities. Each SAQ document states whether an external vulnerability scan applies to it, so check the version your processor sent you rather than assuming.
What happens during a scan:
1. You provide your public IP addresses or website URLs
2. The ASV runs automated security tests
3. You receive a report showing any vulnerabilities
4. You fix any critical issues and rescan
5. Once you pass, you get a compliance certificate
Submitting Your Compliance
After completing your SAQ and passing your scans:
1. Sign the Attestation of Compliance (AOC)
2. Submit both documents to your payment processor
3. Save copies for your records
4. Set calendar reminders for next year
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you do it yourself or need help:
Typical Annual Costs
DIY Approach:
- SAQ platform/tools: $0-300/year
- Quarterly ASV scans: $200-500/year
- Total: $200-800/year
With Compliance Support:
- Managed compliance platform: $500-2,000/year
- Includes ASV scans, SAQ tools, and support
- Remediation guidance when scans fail
If You Need a QSA (only for complex environments):
- Level 1 merchants or SAQ D: $15,000-50,000
- Most small businesses never need this
The Cost of Non-Compliance
Your payment processor’s monthly non-compliance fees typically start at $20-50 but can escalate to thousands. More importantly, if you have a breach while non-compliant:
- Forensic investigation: $10,000-100,000
- Card replacement costs: $3-5 per compromised card
- Fines: $5,000-100,000 per month
- Lost business and reputation damage: priceless
Reality check: Annual compliance for most small merchants costs less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with quarterly checkpoints. Here’s how to stay on track:
Set Up Your Compliance Calendar
- Quarterly: ASV scans (if required)
- Annually: Complete SAQ and submit AOC
- Ongoing: Maintain security controls you attested to
- As needed: Update assessment if payment methods change
What Triggers a New Assessment
You’ll need to reassess your compliance if you:
- Change payment processors or methods
- Add new payment channels (like adding e-commerce to retail)
- Significantly change your payment environment
- Have a security incident
Making It Manageable
The easiest way to maintain compliance is with a platform that tracks everything for you. PCICompliance.com’s compliance dashboard shows your current status, upcoming deadlines, and exactly what needs attention. No spreadsheets, no guessing whether you’re compliant.
FAQ
Do I really need to do this if I’m a small business?
Yes, but it’s likely simpler than you think. Your payment processor requires compliance regardless of size. The good news is that small businesses usually qualify for the easiest SAQ types with fewer requirements.
What happens if I just ignore the compliance questionnaire?
Your payment processor will start charging monthly non-compliance fees (usually $20-100). Eventually, they may terminate your merchant account, meaning you can’t accept cards at all.
Can I just check “yes” to everything and submit it?
This is called false attestation and it’s worse than non-compliance. If there’s a breach, you’ll be liable for all fraud losses plus face additional fines for the false statements.
Do I need to hire a QSA (Qualified Security Assessor)?
Most small businesses don’t. QSAs are required for Level 1 merchants and service providers. If you’re doing under 6 million transactions annually, you self-assess using an SAQ.
How often do I need to do ASV scans?
Quarterly (every three months) if your SAQ type requires it. SAQ A, A-EP, C-VT, and D require scans. SAQ B and B-IP don’t require external scans because you’re not connecting payment systems to the internet.
What if my scan fails?
This is normal on the first attempt. The scan report tells you exactly what vulnerabilities to fix. Address the critical issues, rescan, and repeat until you pass. Most failures are simple fixes like updating software or closing unnecessary ports.
Is PCI compliance the same as being secure?
PCI DSS represents minimum security standards. Compliance doesn’t guarantee you won’t have a breach, but it significantly reduces your risk and limits your liability if something does happen.
Can my payment processor help with compliance?
Some offer basic tools or partner with compliance providers. However, ultimately compliance is your responsibility as the merchant. Your processor can’t complete your SAQ for you.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most New Zealand businesses, it’s a manageable process. If you’re using modern payment methods — hosted checkout pages, standalone terminals, or major payment gateways — you’re already doing most of what’s required. The key is identifying your correct SAQ type, completing it honestly, and maintaining those security basics year-round.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling spreadsheets and calendar reminders, you get a clear view of your compliance status and automatic alerts when action is needed. Start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team about a managed solution that takes PCI off your plate entirely.