Security is our number one priority

We are the security experts, so it’s our responsibility — not our customers’ — to keep payments safe and data encrypted. Tyro was the first and only Australian EFTPOS provider to be successfully validated against the Payment Card Industry Data Security Standard (PCI-DSS). This standard defines security practices that enhance payment card security. The PCI Council also manages two other major security standards:

PIN Transaction Security Standards

These standards ensure the security of a cardholder’s PIN when it is entered on an EFTPOS terminal.

Payment Application Data Security Standards

These standards define how software vendors write secure applications that handle card data.

How we keep payments secure

At Tyro, we believe it’s our responsibility to ensure payment security. Therefore:

  • All Tyro terminals are PCI-PTS compliant.
  • The Tyro payment application on our terminals has been validated against PCI PA-DSS.
  • We never share any cardholder data with the Point of Sale (POS), so the POS is out of scope for PCI PA-DSS.
  • We never share any cardholder data with the merchant.
  • All cardholder data is encrypted on the Tyro terminal and the merchant has no way of decrypting this data.
  • Tyro terminal PIN pads are protected with a unique key entry shield to increase privacy.

PCI-DSS compliance for Tyro customers

If you process face-to-face credit and debit card transactions exclusively using Tyro’s payment solution and you follow the Mail Order/Telephone Order (MOTO) transaction guidelines for Tyro customers, you’ll be PCI-DSS compliant. The Tyro payment application on our terminals has been validated against PCI PA-DSS.

You should also use the current self-assessment form to see how you compare against the PCI-DSS recommendations.

A MOTO transaction is one where the card is not physically presented at the time of payment. This may occur when you take a mail order or a phone order, or when you process an online transaction.

  • If you use any sort of electronic mail-order forms as part of your MOTO transaction process, these forms should not contain fields for card numbers, expiry dates, or Card Verification Codes (CVV or CVC). These details should only be obtained over the phone.
  • If you are using a fax machine, actively monitor the fax on which orders are received. Make sure that:
    • Only staff with the right to process MOTO transactions have access to it.
    • The fax is never installed in a publicly accessible location.
  • Never request the CVV on a mail-order form. Only request the CVV directly from the cardholder when completing the transaction via telephone.
  • Never store any card numbers electronically; for example, do not store card numbers in an electronic address book.
  • Render all card numbers and expiry dates unreadable on the order form after you have processed the transaction. Instead, you can store the merchant copy of the transaction receipt with the order form.
  • Train staff who process transactions in card security and reiterate these guidelines at least yearly.

For more information on MOTO transactions, go to our Fraud prevention section.

For PCI-DSS compliance when using only Tyro terminals

VISA and MasterCard require Tyro to ensure that all of its merchants who accept Visa or MasterCard are PCI-DSS compliant.

  • For merchants processing fewer than one million VISA transactions and fewer than one million MasterCard transactions, Tyro requests that you adhere to the MOTO transaction guidelines for Tyro merchants. No other compliance reporting is required.
  • For merchants processing more than one million VISA transactions or more than one million MasterCard transactions, Tyro will contact you to discuss compliance verification and reporting requirements. VISA and MasterCard also reserve the right to request that Tyro perform a full PCI-DSS assessment of an individual merchant; if such a request is made, Tyro will contact you to discuss compliance verification and reporting requirements.

For multi-acquiring solutions (online payments or terminals from another bank)

A multi-acquiring solution means that you have an online payment solution or that you are using payment terminals from another bank. The other bank may ask you to perform a PCI-DSS compliance assessment. If so, you will be required to report your Tyro terminal(s) to that bank. If you have any questions that relate to your Tyro EFTPOS during this assessment, contact merchant-pci@tyro.com.

When accepting American Express and Diners

American Express and Diners have direct contact with merchants who process Amex and Diners cards. They may contact you for PCI-DSS compliance verification and reporting. If you have any questions that relate to your Tyro EFTPOS during this verification and reporting process, contact merchant-pci@tyro.com.

How to protect yourself

Beyond compliance, the following precautions help protect your business from security threats.

Data theft prevention

Protecting cardholder data is vital. If fraudsters get their hands on the PIN and other authentication data, they can impersonate the cardholder, use the card, and steal the cardholder’s identity.

Use firewalls

Put a wall between you and online attackers with an effective firewall. Make sure your operations are in line with security best practices by visiting Stay Smart Online.

Use anti-virus software

Your POS system and any mobile devices that connect to the same network as your EFTPOS terminals should have anti-virus and anti-malware software installed.