21.2 Compliance to PCI DSS for credit card details online
New standards released
The New Zealand Web Standards 2.0 were released in March 2009 and replace the previous version, the New Zealand Government Web Standards 1.0 (below). See Meeting the standards for more information.
The Standard
21.2 Any capture of credit card details online must comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standards (DSS).
Guide to this Standard
Online payments in NZ are currently made by credit card. As of Jan 2007, EFTPOS will also be available.
If your site is to take online payments, all pages relevant to the payments process must be secure, as defined in 21.1 - Security requirements for internet exchange of personal information.
Contact the bank your agency uses for its general banking for assistance with incorporating online payment facilities into the agency's web site(s).
Full customer credit card details should not be persisted; the agency must weigh the risk of storing any card data against the need for it. Where there is a need to record card numbers at all (for example, to resolve a post-transaction customer dispute regarding billing), generally only the first 4 and last 4 digits of the credit card number are recorded.
Where payment card details are persisted, the site must state clearly that this is taking place, exactly what is persisted and why, on a page relevant to the payments process and/or on the disclaimer page.
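To make the truncation practice above concrete, here is an added Python example (not from the standard or from any agency's code): it keeps only the first 4 and last 4 digits before a transaction record is stored, and runs a leak check over whatever is about to be written to disk or logs. The Luhn check, the field names, the digit-length limits and the sample transaction are assumptions of the example, not something the standard specifies.

```python
import re

# Truncation policy from the guide above: keep first 4 and last 4 digits only
# (assumed values; follow whatever your acquiring bank and PCI DSS require).
KEEP_LEADING, KEEP_TRAILING = 4, 4

def luhn_ok(digits: str) -> bool:
    """Standard Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Return the storable form, e.g. '4111xxxxxxxx1111'; reject implausible input
    so that garbage is never written under the label of a masked card number."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    return digits[:KEEP_LEADING] + "x" * hidden + digits[-KEEP_TRAILING:]

def record_for_storage(txn: dict) -> dict:
    """Build the only record that may be persisted: full PAN, CVV and expiry are
    dropped; the truncated PAN plus non-card fields are kept for dispute handling."""
    return {
        "reference": txn["reference"],
        "amount": txn["amount"],
        "pan_truncated": truncate_pan(txn["pan"]),
    }

# 13-19 digits, optionally separated by spaces or dashes, not adjoining other digits.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def contains_full_pan(text: str) -> bool:
    """Leak check to run over anything about to be written to disk or logs: True if
    the text still holds a Luhn-valid card-length digit run (plain reference numbers pass)."""
    return any(luhn_ok(re.sub(r"[ -]", "", m)) for m in PAN_RUN.findall(text))

# Constructed sample transaction (well-known test card number, not a real account).
SAMPLE_TXN = {"reference": "INV-2007-00042", "amount": "25.00",
              "pan": "4111 1111 1111 1111", "expiry": "12/09", "cvv": "123"}

if __name__ == "__main__":
    stored = record_for_storage(SAMPLE_TXN)
    print(stored, "leaks PAN:", contains_full_pan(str(stored)))  # leaks PAN: False
```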
Rationale of this Standard
This standard recognises the importance that government places upon the security of personal information. Agencies are required to comply with the standards of non-government organisations when those organisations' services are used within NZ government agency web sites.
