PCI DSS Assessment of National Healthcare Agency

Enabling the compliant and secure storage of credit card information.

Our client was instructed by NSW Treasury to conduct a Payment Card Industry Data Security Standard (PCI DSS) assessment across their organisation in just 10 weeks. 

The PCI DSS assessment process was a race against time, as the National Healthcare Agency needed to thoroughly evaluate each entity, merchant facility, and merchant terminal to identify any potential security vulnerabilities or areas of non-compliance. 


The organisation process, manage, and store credit card payment information in different ways across their 22 entities, 300 merchant facilities, and 647 merchant terminals. 

The task at hand involved extensive coordination, collaboration, and meticulous attention to detail. It required assessing the existing processes, policies, and infrastructure within each entity, merchant facility, and merchant terminal to determine the level of adherence to PCI DSS guidelines. Any variations or deviations from the standard needed to be identified, documented, and reported. 


The PCI SAQ-D is a comprehensive survey spanning over 30 pages, designed to evaluate and certify the security measures implemented by an organisation in handling electronic card data processes, storage, and transmission. To carry out this independent assessment of PCI DSS compliance, the Terra Firma team engaged in a combination of on-site visits and virtual meetings with relevant stakeholders. 

Our Approach

During these meetings, the team began by providing attendees with a comprehensive overview of PCI DSS, emphasising the significance of compliance for the National Healthcare Agency, and establishing trusted relationships with key stakeholders. This served as a foundation for the subsequent discussions aimed at understanding and documenting the organisation’s existing business processes. 

In a non-critical manner, the Terra Firma team worked with stakeholders to investigate and identify areas of both compliance and non-compliance with PCI DSS requirements. Through an inclusive approach, they conducted the necessary 22 PCI SAQ-D surveys, addressing each specific requirement thoroughly. 


The Terra Firma team completed the PCI DSS assessment and associated 22 PCI SAQ-D reports on time. Through our neutral and collaborative approach combined with on-site and virtual interactions, the Terra Firma team executed this assessment process diligently. Our consultants promoted a comprehensive understanding of PCI DSS compliance, paving the way for enhanced security measures and trusted relationships within the organisation. 

In addition, Terra Firma provided senior management with a never-before-seen level of detailed credit card business process maps for each health entity and a prioritised (short, medium, and long-term) list of remediation activities. We enabled senior management to gain a holistic understanding of their PCI obligations and the next steps required to remediate while managing the storage and processing of credit card information in a compliant and secure manner. 

More case studies