Account data compromises and non-compliance

Over the past few years there has been a dramatic increase in the number of account data compromises – both globally and here in New Zealand. You've probably heard news stories about card fraud or even been unlucky enough to have your own personal cards compromised and reissued. Data compromises are always undesirable. They can result in bad publicity, customers taking their business elsewhere and additional costs to your business.

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to reduce this risk by protecting cardholder data wherever it is stored, processed or transmitted. Compliance with the standard is essential.

Any data compromise or non-compliance fines received by BNZ from card schemes may be passed onto you, as stated in your BNZ Merchant Agreement – General Terms and Conditions section 3.7.

Data compromises

If you suspect your business may have suffered an account data compromise, you must contact us immediately on 0800 737 774 or by emailing pcidss@bnz.co.nz.

Do not delete, rebuild or otherwise modify any of the systems or logs involved. Much like a burglar who leaves fingerprints after a break-in, an attacker leaves evidence of their activity on those systems, and investigators need that evidence intact to understand what went wrong and which cardholder data is at risk.

Fines for data compromise

Reason                                   Visa assessments (up to, US$)       MasterCard assessments (up to, US$)
Account data compromise (ADC)            L1 merchant: 25,000                 100,000 per non-compliant requirement
                                         L2 merchant: 10,000                 (12 PCI DSS requirements)
                                         L3 merchant: 5,000
                                         L4 merchant: 5,000
Additional non-compliance assessments    L1 merchant: 25,000 per month       Up to 25,000 per day of non-compliance
after an ADC                             L2 merchant: 10,000 per month
                                         L3 merchant: 5,000 per month
                                         L4 merchant: 5,000 per month
ADC operational reimbursement            Both schemes: dependent on the number of accounts at risk, the type of data
                                         at risk and the number of accounts reported with confirmed fraud

NB: These are subject to change at any time.

Non-compliance

Compliance with the PCI DSS is mandatory for all organisations that store, process and/or transmit payment card information, so it's essential to ensure your business complies. If you have been asked to validate compliance under your card scheme requirements, it's vital that you complete that validation.

The card schemes impose various financial assessments for non-compliance with the PCI DSS. If BNZ has contacted you to validate compliance with the PCI DSS by a certain date, the card schemes may issue fines if compliance isn't achieved by that date.

Compliance with the PCI DSS is a part of your BNZ Merchant Agreement – section 3.7. We may have no choice but to terminate your merchant facility if PCI DSS compliance isn't achieved by any date communicated to you. If your merchant facility is terminated, a record will be created with the card schemes, which will limit your ability to gain a merchant facility from another bank.

Fines for not validating compliance

Violations per calendar year         MasterCard (up to, US$)   MasterCard (up to, US$)   Visa (up to, US$)
                                     L1 & L2 merchants         L3 merchants              L1, L2 & L3 merchants
First violation                      25,000                    10,000                    50,000
Second violation                     50,000                    20,000                    100,000
Third violation                      100,000                   40,000                    200,000
Fourth violation                     200,000                   80,000                    N/A
Total (4 violations per merchant)    375,000                   150,000                   350,000

NB: These are subject to change at any time.