
PCI DSS compliance services for Australian organisations

PCI QSA Company · PCI DSS-compliant service provider · 12+ years · Fixed pricing available

Payment card information remains one of the most targeted forms of data. For Australian organisations that store, process or transmit cardholder data, PCI DSS compliance is a practical risk management requirement as much as a contractual one. 

We focus on what PCI DSS was designed to achieve: practical, risk-driven improvements that reduce the likelihood and impact of compromise, not superficial checkbox activity.

What is PCI DSS compliance?

PCI DSS (the Payment Card Industry Data Security Standard) is a set of technical and operational requirements designed to protect cardholder data. Compliance means implementing, operating and maintaining a comprehensive set of controls relating to: 

  • Network segmentation and security

  • Access control and authentication

  • Logging, monitoring and incident response

  • Secure software development

  • Vulnerability management

  • Physical security and hosted environments

  • Supplier and service-provider oversight

PCI DSS compliance applies to any organisation that touches payment card data, even indirectly. That includes retailers, e-commerce sites, service providers, franchise networks, billing platforms, hospitality groups and SaaS platforms that integrate payment processing.

DotSec has more than 12 years of experience securing payment environments for government, APRA-regulated entities, financial institutions, utilities and national retail organisations. Our PCI DSS work is built around the practical, risk-driven improvements the standard was designed to deliver.

Do I need PCI DSS compliance?

Your business will almost certainly need to be PCI DSS compliant if you: 

  • Accept credit or debit cards (online or in-store)

  • Use a payment gateway or merchant provider

  • Store or transmit cardholder data (even temporarily)

  • Develop or host systems involved in payment processing

  • Are a managed service provider to organisations who themselves process cardholder data

PCI DSS compliance is not optional in Australia. It is expected by banks, acquirers, insurers, and partners, and is frequently required as part of due-diligence processes. 

PCI DSS compliance in Australia

PCI DSS applies in Australia the same way it does globally. The standard is set by the PCI Security Standards Council, not by Australian regulators, and the technical requirements are identical regardless of jurisdiction. What differs is the local enforcement and regulatory context: your acquiring bank determines your validation requirements and merchant level; organisations regulated by APRA need to consider how PCI DSS controls align with their CPS 234 information security obligations; and where cardholder data constitutes personal information under the Privacy Act 1988, the Australian Privacy Principles apply independently.

For Australian merchants, this means PCI DSS compliance is rarely a standalone exercise. DotSec’s PCI engagements are scoped to fit alongside ISO 27001, Essential Eight, and APRA CPS 234 obligations where they apply, so you’re not duplicating control work across frameworks.

PCI DSS reporting options

The compliance requirements vary significantly depending on how your organisation handles card data. For example, merchants using fully hosted payment pages may qualify for the minimal SAQ A self-assessment, while those with broader cardholder data environments face more extensive requirements.

In either case, non-compliance leaves your organisation exposed to card scheme fines, increased transaction fees, and potential loss of the ability to process card payments. Generally speaking, all merchants have reporting requirements, irrespective of their level.

However, the specific requirements differ: merchants below the highest level (Level 1) typically complete a Self-Assessment Questionnaire (SAQ), while Level 1 merchants usually need an annual assessment by a Qualified Security Assessor (QSA).


Option 1: SAQ and AOC

For the bulk of merchants, the key to PCI DSS compliance is the Self-Assessment Questionnaire (SAQ). 

Different SAQs exist, each tailored to different types of payment processing environments. The specific SAQ a merchant needs to complete depends on how they process card payments.

SAQ A (Self-Assessment Questionnaire A) is the leanest of the PCI DSS reporting paths; for an eligible merchant it can usually be completed with comparatively little time and effort.

Merchants prefer SAQ A because it contains only 26 controls (some of which may be not applicable), and because a merchant can offload many of its PCI DSS responsibilities to third-party providers such as payment gateways or security service providers, as long as those third parties are themselves PCI DSS compliant and the division of responsibilities between merchant and provider is documented.

To be eligible for SAQ A, all cardholder data functions must be fully outsourced to PCI DSS-compliant third-party service providers (TPSPs), and merchants must:

  • Not store, process, or transmit cardholder data on their systems.
  • Use only redirects, iframes, or hosted payment pages supplied by the TPSP.
  • Confirm that their e-commerce site is not susceptible to script-based attacks.
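As an added illustration of what the last two criteria mean on an actual checkout page (this is example code written for this page, not DotSec's code and not a PCI SSC tool), the Node.js script below statically audits a merchant's checkout HTML: it flags input fields that would collect card data on the merchant's own page, inline scripts and third-party scripts loaded without Subresource Integrity, and checks that the payment widget is an iframe from the hosted-payment provider. It also emits a Content-Security-Policy that backs the same criteria. The provider hostnames (pay.example-tpsp.com, cdn.example-tpsp.com), the sample pages and the field-name heuristics are constructed for the example, and passing these checks does not by itself establish SAQ A eligibility; that is settled with your acquirer and assessor.

```javascript
// Added example (not DotSec's code): static audit of a checkout page against the
// SAQ A eligibility criteria. Hostnames, sample HTML and field-name heuristics
// are assumptions constructed for this illustration.

const PAYMENT_HOST = "pay.example-tpsp.com"; // assumption: the hosted payment page provider
const CARD_FIELD = /(card[-_ ]?(number|num|no)|\bpan\b|cvv|cvc|csc|expiry|exp[-_]?(month|year)|cc[-_]?(number|exp|csc))/i;

// Parse the attributes of one opening tag, e.g. '<script src="x" integrity="y">'.
function parseAttrs(tagText) {
  const attrs = {};
  const body = tagText.replace(/^<\s*[a-zA-Z][\w:-]*/, "");
  const re = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditCheckoutHtml(html) {
  const findings = [];

  // Criterion: the merchant must not store, process or transmit cardholder data.
  // A PAN/CVV/expiry field on the merchant's own page means card data passes
  // through the merchant, which is SAQ A-EP territory at best.
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    const label = `${a.name || ""} ${a.id || ""} ${a.autocomplete || ""}`;
    if (CARD_FIELD.test(label)) findings.push({ rule: "cardholder-data-field", detail: m[0] });
  }

  // Criterion: the site is not susceptible to script-based attacks. Inline scripts
  // cannot carry Subresource Integrity, and third-party scripts without it can be
  // replaced by a skimmer on the CDN side without the merchant noticing.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const a = parseAttrs(`<script${m[1]}>`);
    if (!a.src) {
      if (m[2].trim()) findings.push({ rule: "inline-script", detail: m[2].trim().slice(0, 60) });
    } else if (!a.integrity) {
      findings.push({ rule: "script-without-sri", detail: a.src });
    }
  }

  // Criterion: payment is delivered by redirect, iframe or hosted page from the TPSP.
  let hostedEmbeds = 0;
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    let host = "";
    try { host = new URL(a.src || "", "https://merchant.invalid").hostname; } catch { /* unparsable src */ }
    if (host === PAYMENT_HOST) hostedEmbeds += 1;
    else findings.push({ rule: "iframe-from-unexpected-host", detail: a.src || "" });
  }
  if (hostedEmbeds === 0) findings.push({ rule: "no-hosted-payment-iframe", detail: "" });

  // Passing does not establish eligibility; it only catches common page-level
  // mistakes before the questionnaire is started.
  return { staticChecksPass: findings.length === 0, findings };
}

// A Content-Security-Policy header consistent with the same criteria (common practice,
// not wording mandated by PCI DSS): scripts only from the merchant's own origin and the
// provider's CDN, frames only from the provider.
function recommendedCsp(paymentHost, widgetCdnHost) {
  return [
    "default-src 'self'",
    `script-src 'self' https://${widgetCdnHost}`,
    `frame-src https://${paymentHost}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample pages. The integrity digest is a placeholder, not a real hash.
const GOOD_CHECKOUT_HTML = `
<form action="/confirm" method="post">
  <input name="email" id="email" autocomplete="email">
  <iframe src="https://pay.example-tpsp.com/checkout/session/abc123" title="Payment"></iframe>
</form>
<script src="https://cdn.example-tpsp.com/widget.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6R9GqQ8Kuxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>`;

const BAD_CHECKOUT_HTML = `
<form action="/pay" method="post">
  <input name="cardNumber" id="cardNumber" autocomplete="cc-number">
  <input name="cvv" id="cvv">
  <input name="expiry" id="expiry">
</form>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditCheckoutHtml(BAD_CHECKOUT_HTML), null, 2));
  console.log(recommendedCsp(PAYMENT_HOST, "cdn.example-tpsp.com"));
}
```

Run it with `node audit.js` against a saved copy of your checkout page; the "bad" sample produces three cardholder-data-field findings, one script without SRI, one inline script and a missing hosted-payment iframe, while the "good" sample passes. A merchant whose real page trips the first rule is not an SAQ A candidate regardless of what the rest of the page looks like.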

Option 2: AOC and ROC

Level 1 merchants and service providers, and any merchant or service provider with particular acquirer requirements, will need to report using a Report on Compliance (ROC).

In this scenario, DotSec’s Qualified Security Assessor (QSA) will formally assess how effectively the client meets the applicable requirements from the PCI DSS.

In contrast to the collaborative nature of a scoping or gap-analysis project, the QSA-led PCI DSS assessment is a formal assessment process, the outcomes of which are documented in a Report on Compliance (ROC):

  • If DotSec’s QSA finds that the reporting entity is compliant with the requirements of the PCI DSS, we complete and deliver a ROC and an Attestation of Compliance (AOC).
  • If DotSec’s QSA finds that the entity does not comply with the requirements of the PCI DSS, those findings are documented in the ROC delivered to the client, and a non-compliant AOC is issued.

It is important to note that the formal QSA-led assessment must be conducted in a timely manner. As a QSA Company, dotSec will keep the client aware of the assessment timetable, impending deadlines and the project completion date.


You tell us what you need: We'll deliver

DotSec sells PCI DSS work in three clearly-defined modes. Most engagements fall cleanly into one; some span two as scope evolves.

  1. Full ROC: QSA-led end-to-end assessment.

    Where the client requires a Report on Compliance (Level 1 merchants, larger service providers, contractually-mandated cases), DotSec delivers the full assessment as the QSA Company of record: scoping, evidence collection, control testing, ROC and AOC drafting, and submission liaison. Conducted by our credentialed QSA, with senior assessor support.

    This work is typically a 6 to 14-week engagement depending on customer-specific reporting requirements and in-scope environment complexity.

  2. Gap analysis, remediation, and partner-led ROC

    Where a client has a pre-existing relationship with another QSA Company but wants independent technical depth on the remediation, DotSec runs the gap analysis against the current PCI DSS v4.0.1 control set, scopes and executes remediation work, and hands a remediation-complete environment back to the client’s chosen QSA for the formal ROC. Useful for clients who want to keep an existing assessor relationship but who also would like independent verification. 

  3. SAQ preparation and assistance

    For SAQ-eligible merchants (most commonly SAQ A and SAQ A-EP), DotSec works through the questionnaire alongside the merchant’s team, validates that eligibility criteria are correctly understood (a frequent failure point, particularly around third-party scope), and produces the supporting evidence pack. Where SAQ work is bundled with TPSP review or remediation, scope expands accordingly.

Across all three modes, our PCI work is built on senior practitioners, not box-tickers.

Pricing approach

dotSec’s PCI DSS work is priced in one of two ways:

  1. Fixed price: Our preferred approach. Where scope is clear (existing PCI environment, prior assessment available, well-defined SAQ work, or remediation against an agreed gap report), we provide a fixed quote upfront. No surprises, no scope creep absorbing cost.
  2. Capped time-and-materials: If needed because scoping is genuinely uncertain (typically initial scoping, complex multi-entity environments, or significant payment-flow change underway), we work to a written upper cap with weekly, written progress checkpoints. You see costs in flight; you know what we’re doing in great detail, and we don’t bill past the cap without your written agreement.

While we won’t quote indicative numbers without first understanding scope, we will happily work through a scope with you. Engage us for a no-obligation scoping conversation.

Why choose dotSec for PCI DSS compliance in Australia?

dotSec stands out among other PCI DSS companies in Australia for several important reasons:

  • Compliance by experience: We are a PCI DSS-compliant service provider with an AOC to prove it. We have first-hand experience implementing and maintaining a compliant PCI DSS environment, not just assessing others against it.
  • Compliance experts: As well as being a PCI DSS QSA Company and a PCI DSS-compliant service provider, we are ISO 27001 certified and have years of hands-on, practical ISO 27001 compliance experience.
  • Qualified team: Our PCI DSS professionals hold a wide range of certifications including QSA, ISO 27001, CISA, CISM and more. We’re not a one-shot, tick-the-box QSA assessor company.
  • Independent and practical: Our recommendations are grounded in real implementation experience. We have remediated situations where clients had been given the wrong SAQ, misapplied controls, or impractical compliance guidance by less experienced providers.
  • Scope reduction focus: If we can reduce your compliance scope or simplify your reporting path, we will. Clients with well-scoped, right-sized compliance programs are better positioned for the long term — and tend to form longer relationships with the firms that help them get there. You can rely on us to provide experience-led and pragmatic advice.

PCI DSS compliance FAQ

Which version of PCI DSS applies now?

Answer: PCI DSS v4.0.1 is the current and only active version of the standard. PCI DSS v3.2.1 was retired on 31 March 2024, and the interim v4.0 was retired on 31 December 2024, leaving v4.0.1 as the sole active version from January 2025. A further milestone came on 31 March 2025, when the 51 future-dated requirements within v4.0.1 became fully mandatory, including expanded requirements for web-facing application security (script management), stronger multi-factor authentication, and targeted risk analysis. If your organisation last completed a PCI DSS assessment under v3.2.1, a gap analysis against v4.0.1 is worth undertaking.

Reference: PCI security blog

Which SAQ do I need to complete?

Answer: SAQ selection depends primarily on how your organisation processes card payments: whether you use a hosted payment page, a direct integration, card-present terminals, or a combination. Selecting the wrong SAQ is a common and consequential error; it can create a false sense of compliance or impose unnecessary controls. dotSec can determine the appropriate SAQ for your environment as part of a scoping engagement.

Reference: What’s new blog post

How long does PCI DSS compliance take?

Answer: It depends on which reporting path applies. An SAQ-path engagement, covering SAQ determination, gap analysis, and SAQ completion and reporting, typically requires around one week of work. A QSA-led assessment leading to a Report on Compliance is not something we can estimate without a scoping conversation. The time required depends on how mature your organisation’s current controls are, whether you have completed a previous AOC and ROC, and the nature and extent of any compliance gaps. Contact dotSec to arrange a scoping discussion before committing to a timeline.


What is PCI DSS scope, and why does it matter?

Answer: Scope defines which systems, people, and processes are subject to PCI DSS requirements. The broader the scope, the more controls must be implemented and evidenced. Scope can be reduced using network segmentation, tokenisation, or outsourcing cardholder data functions to compliant third parties; whichever technique you choose, scope reduction is one of the most cost-effective ways to simplify compliance. dotSec’s scoping work routinely identifies opportunities to reduce scope before an assessment begins.

Reference: Segmentation and scoping guidance

What is a QSA?

Answer: A QSA (Qualified Security Assessor) is an individual certified by the PCI Security Standards Council (PCI SSC) to assess PCI DSS compliance and to produce Reports on Compliance (ROCs).

QSAs work for QSA Companies, firms that the PCI SSC has itself qualified to perform assessments. DotSec is a registered PCI QSA Company.

Do I need a QSA-led assessment, or can I self-assess?

Answer: It depends on transaction volume and payment-flow architecture.

Level 1 merchants (broadly, more than 6 million Visa or Mastercard transactions per year, or any merchant the card brands designate as Level 1 following a cardholder-data compromise) generally need a QSA-led ROC. Most other merchants can self-assess via the appropriate SAQ. Service providers have their own thresholds (for Visa, more than 300,000 transactions per year for Level 1).

Acquirer requirements can override these defaults.

DotSec’s scoping conversation determines the right path.

How often must PCI DSS compliance be validated?

Answer: Annually.

The Attestation of Compliance (AOC), whether produced via a QSA-led ROC or a merchant-completed SAQ, has a one-year validity.

Internal vulnerability scans (Requirement 11.3.1) and external ASV scans (Requirement 11.3.2) must each be performed at least once every three months, so they run on their own cadence within that year.

What next?

If you need to report under the PCI DSS, whether through a SAQ or a QSA-led assessment, dotSec can help you find the most direct, cost-effective path to compliance.

We take scope reduction seriously. Where there is a legitimate opportunity to narrow the compliance boundary through segmentation, tokenisation, or the use of compliant third-party services, we will identify it. A well-scoped engagement costs less, takes less time, and produces a more defensible result. That is good for you, and it is the basis of the kind of long-term working relationship we aim to build.

Contact us to discuss your PCI DSS requirements.

Further reading on PCI DSS

We’ve been helping organisations with their PCI DSS compliance and reporting requirements for over 12 years, and we’re also PCI DSS-compliant ourselves. We’ve learned a thing or two over the years, and our PCI DSS articles and case studies cover the practical questions that come up most often in scoping conversations:

Premier Australian cyber security specialists