PCI DSS Compliance for school, sports & preschool photography businesses
- Glen Nelson
- May 8
- 3 min read
Updated: May 9
What is PCI DSS, and Who's Responsible for It?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s not a government regulation, but rather a set of standards imposed by the global credit card companies—Visa, Mastercard, American Express, China UnionPay, and others.
Who’s Responsible for Compliance?
Compliance is primarily managed through the banks. As merchants (school, sports and preschool photography businesses), you have a contractual agreement with your bank, allowing your customers’ credit card transactions to be processed and deposited into your bank account.
Some of the providers supporting this conference are what we call “service providers.” They offer the portals through which these payments flow—from the customer purchasing photographs to your bank—via what’s known as payment gateways. Netlife, for example, is one such portal that facilitates this process.
Annual Compliance Requirements
As a merchant, you’re required to report your PCI DSS compliance status to your bank each year. The bank then reports that information to the global card brands.
If your business processes over 6 million credit card transactions per year, you must undergo an independent audit and submit a Report on Compliance (ROC).
However, most of you process far fewer transactions, often well under 100,000 annually. In that case, you're allowed to self-attest by completing a Self-Assessment Questionnaire (SAQ).
The Risk of Self-Attestation
Self-attesting carries risk. You’re signing off on something you may not fully understand. If you incorrectly fill out an SAQ and a data breach occurs, you could be in serious trouble.
There are several SAQ types:
SAQ D (up to 300+ requirements): For businesses that haven’t segmented their card processing systems.
SAQ A (around 30 requirements): What we try to get most of our clients down to—minimal scope and risk.
SAQ EP (around 140–150 requirements): For electronic payment processing.
For service providers like Netlife, the full SAQ D applies—with even more stringent requirements.
Consequences of Non-Compliance
If a data breach happens and you're found non-compliant:
Immediate fines of USD $10,000 may be issued by Visa and Mastercard, via your acquiring bank.
While some banks may absorb the fine if they failed in their own due diligence, the bigger threat is reputational damage.
If schools, sporting clubs, or other clients discover that credit card data was compromised, they’ll likely reconsider doing business with you.
Who Are We?
Stratica is a Qualified Security Assessor (QSA). We help clients with audits and also operate as a Payment Fraud Investigator (PFI)—one of only 20 companies globally approved by the card brands, and the only one based in Australia. Unfortunately, this means we often see what goes wrong.
Introducing ST4S: A New Standard for Schools
Now, let’s shift to another important topic: ST4S.
I hadn’t heard of it until Glenn asked us to look into it. After researching, we found that the Federal Department of Education—through NSIP (part of Education Services Australia)—has introduced a new standard, very similar to PCI DSS.
If you want to provide software or tools to schools (government or private) across Australia and New Zealand, you’ll soon need to comply with ST4S. It’s still rolling out, but it's being gradually mandated across all states and territories.
Getting ST4S Compliant
To become compliant:
Register with the program.
Complete a very detailed and messy spreadsheet outlining your compliance status.
We can assist with this process. It will be particularly challenging for smaller businesses to navigate alone.
Eventually, school principals will likely require proof of ST4S compliance—before awarding photography contracts or allowing your software into their systems.
A Real-World Data Breach Example
Some of you may recall a major breach involving a Queensland-based school photography company about five years ago. While we weren’t involved in that case, we’ve been engaged in several others—including one this year.
In that case:
30,000 credit card records were exfiltrated and later appeared on the dark web.
Ironically, the company self-attested compliance in the middle of the breach—despite being nowhere near compliant.
They refused to pay a ransom and did recover their systems, but the sensitive data had already been stolen.
As a result, attackers retaliated by leaking the data online.
In Summary
I hope I haven’t scared you too much. The truth is, from a business standpoint, we earn more when there's a breach—but we'd much rather help you prevent one.
Our goal is to support clients in achieving and maintaining compliance, so you don’t end up on the wrong end of a fine—or worse, losing the trust of your clients.
You can find us at: 🌐 www.stratica.com.au 🌐 www.stratica.asia
We operate throughout Australia, New Zealand, and parts of Asia.
Thank you for your time, and thanks to Glenn and Harry for inviting me to speak on this important (and admittedly dry) topic!