The right to disconnect lets employees refuse to monitor, read or respond to work contact outside their working hours unless that refusal is unreasonable. It is Fair Work law, not an IT rule. But the email, Teams and mobile settings your MSP controls are what turn a policy on paper into something that actually holds.
What the right to disconnect actually says
The right to disconnect was added to the Fair Work Act and took effect on 26 August 2024 for medium and larger employers. For small business employers (fewer than 15 employees), it commenced a year later, on 26 August 2025. So as of now, it applies across the board.
The substance is narrow but important. An employee may refuse to monitor, read or respond to contact (or attempted contact) from their employer outside their working hours, unless the refusal is unreasonable. The same applies to contact from a third party — a client, a supplier — if it relates to their work. Whether a refusal is unreasonable depends on factors the legislation spells out: the reason for the contact, how it is made and how disruptive it is, whether the employee is compensated for being available, the employee’s role and level of responsibility, and their personal circumstances including family or caring responsibilities.
Note what it does not say. It is not a ban on after-hours contact. An employer can still send a message at 9pm. What changes is that the employee is generally entitled not to engage with it until they are back on the clock, and they cannot be punished for that. Disputes are meant to be worked out at the workplace first, and if that fails, the Fair Work Commission can deal with them.
This is workplace-relations law, and the genuinely hard questions — what counts as “working hours” for a salaried manager, how an on-call allowance is structured, what your enterprise agreement or award says — are HR and legal questions. Get advice on those. What we deal with as a Melbourne MSP is the layer underneath: the systems that decide whether a notification lands on someone’s phone at all, and whether your roster and monitoring arrangements line up with what you have told staff.
The IT controls that make a policy real
A right to disconnect policy that says “please don’t email after hours” and changes nothing in Microsoft 365 is theatre. Staff still hear the buzz, still feel the pull, and the more conscientious ones still answer. The controls below are the ones that actually shift behaviour, and most of them are already sitting in your tenant waiting to be turned on.
Quiet hours and scheduled send in Outlook and Teams
Microsoft Teams has a built-in quiet hours and quiet days feature in the mobile app, so notifications are silenced outside the hours a user sets. The catch is that it is per-user and opt-in by default — most people never find it. The fix is to make it part of standard onboarding and to actually show people where the setting lives, rather than burying it in a policy PDF.
On the sending side, Outlook’s scheduled send (Delay Delivery) lets a manager who genuinely does their thinking at 10pm queue the email to land at 8am. That one habit removes most of the after-hours pressure without anyone having to ignore anything. We usually pair it with a short signature line on out-of-hours senders — something like “I work flexible hours; I don’t expect a reply outside yours” — which the Fair Work Ombudsman’s own guidance points to as good practice.
If you want notifications properly switched off rather than left to each person, that is configurable through Microsoft 365 administration and device policy. This is part of the day-to-day work in any managed Microsoft 365 environment, and it is the kind of thing worth getting right once across the whole organisation rather than user by user.
Mobile device management and conditional access
The real after-hours leak is the phone. Work email and Teams on a personal mobile means contact follows people into the lounge room. Mobile device management (through Microsoft Intune) and conditional access policies give you proper levers here.
You can enforce app protection so work data stays inside managed apps, and you can use conditional access to shape when and how people connect. For specific roles — not everyone — you can even restrict access to corporate apps to particular hours or locations, so that someone who is genuinely off the roster is not technically able to be pulled back in. Used carefully, this turns a written rule into an enforced boundary. Used clumsily, it locks out the on-call engineer at 2am, so it has to be designed around your actual roster rather than applied with a blunt instrument.
A professional services firm in Hawthorn we work with had the opposite problem to most: their junior staff were answering partner emails at all hours because the Teams app pinged their personal phones and nobody had told them they didn’t have to. The remedy was not a stern memo. It was switching most of the team to managed app access with notifications off outside business hours, leaving a small after-hours group properly resourced, and writing the policy to match what the systems now did.
On-call rosters and the compensation question
The right to disconnect bites hardest where there is no clear on-call arrangement. If you expect certain people to be reachable after hours, that should be a defined roster with an allowance or overtime attached — not a vague cultural expectation that everyone is always on. The legislation explicitly weighs whether the employee is compensated for being available when judging if a refusal is unreasonable.
From the IT side, that means your access controls and notification rules should mirror the roster. The on-call person this week gets the alerts and the access; everyone else doesn’t. We run our own 24/7 NOC out of Tecoma on exactly this model, with a defined roster and the tooling configured so the engineers who are off are genuinely off. The technology and the employment arrangement have to agree with each other, or one of them is lying.
Monitoring, alerts and overtime creep
System monitoring is where this gets subtle. Automated alerts from a server, a backup job or a security tool are not “the employer contacting you” in the Fair Work sense — they are machines. But if a human is expected to act on those alerts after hours, that expectation is exactly what the right to disconnect is about, and it should be rostered and paid like any other on-call duty.
The practical move is to route after-hours monitoring to whoever is actually on call, not to a whole team’s inboxes. Alert fatigue and silent unpaid overtime usually come from the same root cause: everyone gets every alert, so everyone feels vaguely responsible at all hours. Tightening alert routing is both better security operations and a cleaner employment boundary. This is core to how a managed security operations capability should be run regardless of the legislation.
Writing a policy your systems can back up
The order of operations matters. Plenty of businesses write the policy first, then discover their systems don’t support it. Do it the other way around: decide what the systems will enforce, then write a policy that describes that reality.
A workable right to disconnect policy generally covers:
- Working hours by role — what they are, and who, if anyone, is on a defined after-hours roster.
- Contact expectations — that staff are not expected to respond outside their hours, and won’t be penalised for not doing so.
- The genuine exceptions — emergencies, the on-call roster, and how those people are compensated.
- The tools — quiet hours, scheduled send, managed notifications — and that the business has configured them, not just recommended them.
- How to raise a concern — the internal process before anything goes near the Fair Work Commission.
The wording and the workplace-relations judgement calls belong with your HR adviser or employment lawyer. The Fair Work Ombudsman publishes plain-English guidance on the right to disconnect that is a sensible starting point for that conversation. Our job is the other half: making sure the tenant settings, device policies and alerting genuinely do what the document claims. When we take on a new client we treat this as part of the broader managed IT baseline, alongside the security and identity controls that touch the same systems.
Frequently asked questions
Does the right to disconnect ban after-hours emails?
No. Employers can still send messages outside working hours. What the law changes is that employees are generally entitled not to monitor or respond to them until they are back at work, and they can’t be disadvantaged for that — unless their refusal is unreasonable in the circumstances. Scheduled send is the easy way to avoid the issue entirely.
Does it apply to my small business?
Yes. The right to disconnect commenced on 26 August 2024 for employers with 15 or more employees and on 26 August 2025 for small business employers under 15 staff. Both dates have now passed, so it applies regardless of size.
Can IT settings actually enforce this?
To a large degree, yes. Quiet hours in Teams, managed-app notifications through Intune, and conditional access policies can stop most after-hours pings reaching staff who aren’t on call. They can’t make legal judgements about what’s reasonable, but they remove the temptation and the pressure that cause the problem in the first place.
What about our on-call engineers and after-hours support?
Genuine on-call work is fine — it just needs to be a defined roster with proper compensation, and your access and alert routing should match it so only the on-call person is pinged. The law specifically considers whether someone is paid for being available when deciding if declining contact is reasonable.
Is this a security or a compliance issue?
It is primarily a workplace-relations issue, so the policy and any disputes are HR and legal territory. But the controls that make it work — identity, device management, conditional access, alert routing — are the same ones that underpin your security posture, which is why it tends to land on the IT plate.
Where TechAssist fits
We’re a Melbourne MSP, founded in 2014, with 13 Australian-employed engineers — no offshore call centre — and we run this kind of configuration work across professional services, construction, manufacturing and healthcare clients every week. The right to disconnect is one of those rules where the legal text is short but the implementation lives entirely in settings most businesses have never opened.
If you want your Microsoft 365 tenant, mobile device policies and after-hours alerting set up so they actually back the policy you’re putting in writing, get in touch. We’ll handle the IT half; pair it with your HR adviser for the rest.
SOC 2 is an independent attestation report, produced under American Institute of Certified Public Accountants (AICPA) standards, that tells your customers an external auditor has examined your security controls. It is not a certification you pass. For Australian SaaS firms selling into the US or to enterprise buyers, it has become the price of entry.
If you build software in Melbourne and your sales pipeline runs through US accounts or large Australian enterprises, you have probably hit a security questionnaire that asks one blunt question: “Do you have a SOC 2 report?” The honest answer for most early-stage Australian SaaS companies is no, and that “no” stalls deals. This post explains what SOC 2 actually is, how it differs from ISO 27001, what the audit involves, and what it realistically costs in time and money.
What SOC 2 actually is
SOC 2 (System and Organization Controls 2) is a reporting framework owned by the AICPA. A licensed CPA firm examines how you manage customer data and issues a report describing your controls and whether they were designed, and in some cases operating, effectively. The deliverable is a report, not a logo or a certificate. You cannot self-certify, and there is no central registry to check against — your customers read the report under NDA.
The report is built around the Trust Services Criteria. There are five of them, and you choose which apply to your business:
- Security — the only mandatory criterion (often called the “common criteria”). Covers access control, change management, risk assessment, monitoring and incident response.
- Availability — uptime, performance monitoring, disaster recovery. Relevant if you make uptime commitments in SLAs.
- Processing Integrity — data is processed completely, accurately and on time. Matters for payments, payroll or anything that transforms data.
- Confidentiality — protection of information designated as confidential, including encryption and retention controls.
- Privacy — collection, use, retention and disposal of personal information in line with your privacy notice.
Most SaaS companies scope their first report to Security alone, then add Availability and Confidentiality once customers ask. Privacy is the least commonly included because, for Australian companies, the Privacy Act 1988 and the Australian Privacy Principles already govern that ground — and bolting it onto SOC 2 adds work for limited buyer benefit.
Type I versus Type II
This distinction trips people up, so be clear on it before you commission anything.
| Aspect | SOC 2 Type I | SOC 2 Type II |
|---|
| What it tests | Whether controls are designed appropriately | Whether controls operated effectively over time |
| Timing | A single point in time | A monitoring period, typically 3 to 12 months |
| Evidence | Policies and configurations as they stand on the date | Evidence sampled across the whole window |
| Buyer confidence | Modest — proves intent | High — proves you actually do it |
| Typical use | A first step to show momentum | The report enterprise buyers actually want |
A Type I says “on 30 June, these controls were in place and well designed.” A Type II says “across the six months to 30 June, these controls ran and here is the audit evidence.” Serious buyers want Type II. Many Australian SaaS firms do a Type I first to demonstrate progress to a waiting prospect, then run a Type II over the following six to twelve months. That is a sensible path, but do not expect a Type I alone to clear an enterprise security review.
Why Australian SaaS companies pursue it
The driver is almost always commercial, not regulatory. SOC 2 is not law anywhere — it is a market expectation that crystallised in US procurement and has spread to large Australian buyers running mature vendor risk programmes.
If your product touches a customer’s data and you want to sell to a US fintech, a healthcare platform, or any ASX-listed enterprise, their security team will ask for a SOC 2 Type II report early in the process. Without one you get stuck in a back-and-forth of bespoke questionnaires, and procurement treats you as a higher-risk vendor. The report short-circuits all of that: it answers most of the questionnaire in one document and signals that you take security seriously enough to pay an auditor to check.
A logistics-tech startup in Cremorne we work with hit exactly this wall — a US enterprise prospect wouldn’t progress past security review without a Type II, and the deal was large enough that the audit cost was a rounding error against the contract value. That is the usual shape of it: SOC 2 pays for itself the moment it unlocks one enterprise account.
SOC 2 versus ISO 27001
This is the question every founder asks, and the honest answer is that they overlap heavily but serve different audiences.
| SOC 2 | ISO 27001 |
|---|
| Origin | AICPA (United States) | ISO/IEC (international) |
| Output | Attestation report from a CPA firm | Certificate from an accredited certification body |
| Nature | Auditor’s opinion on your controls | Certification of a management system (ISMS) |
| Recognised by | US buyers, North American enterprise | Europe, UK, Australia, global enterprise |
| Renewal | Report covers a period; reissued annually | Three-year cycle with annual surveillance audits |
| Public proof | Private report shared under NDA | Public certificate |
The control sets behind them are largely the same — access management, change control, risk assessment, vendor management, incident response. The difference is the wrapper. SOC 2 is an auditor describing and testing your controls; ISO 27001 certifies that you run a documented Information Security Management System that continuously improves.
Do you need both?
If your buyers are overwhelmingly North American, SOC 2 alone is usually enough. If you sell into Europe, the UK and Australia, ISO 27001 carries more weight and is the more recognised brand. Plenty of Australian SaaS companies end up doing both because their customer base spans regions — and the marginal effort is smaller than it looks, since one set of controls and one evidence library can support both audits. Build the controls once, attest and certify twice. If you are weighing the options, our cybersecurity services team can map your buyer base to the right framework before you spend a cent on auditors.
The audit process and the role of a security partner
A SOC 2 engagement has two distinct phases, and conflating them is where budgets blow out.
Readiness
Readiness is everything you do before the auditor arrives. You define scope, write or tidy policies, implement the controls, and stand up the tooling that proves they work — multi-factor authentication everywhere, centralised logging, formal access reviews, change management tied to your code pipeline, vendor risk records and an incident response plan you have actually tested. For most Australian SaaS companies this is the real work, and it is where an MSP or security partner earns its fee. The auditor will not help you fix gaps; their job is to observe, not advise.
This is what a security partner does in readiness: run the gap assessment against the Trust Services Criteria, prioritise the controls that matter, deploy the technical guardrails, and set up evidence collection so you are not scrambling at audit time. Much of the Security criterion overlaps with hardening work we already do for clients — the Essential Eight mitigation strategies map cleanly onto SOC 2’s access control, patching and application hardening expectations, so if you are already Essential Eight aligned you are further down the road than you think.
Evidence collection and continuous controls
Type II is won or lost on evidence. The auditor samples across the monitoring period and asks for proof that each control operated every time it should have — access reviews completed each quarter, every code change approved, every alert triaged, every offboarding done within policy. If those records do not exist, the control fails for the period regardless of how good your intentions were.
This is why continuous controls monitoring matters. Compliance automation platforms such as Vanta, Drata or Secureframe connect to your cloud, identity provider and code repositories and collect evidence automatically, flagging drift the moment a control slips. They do not make you compliant — they make the evidence trail survivable. A partner who already runs your SIEM and managed detection stack is well placed to wire these tools into your environment and keep the controls green between audit windows. TechAssist runs a 24/7 NOC out of Tecoma and our engineers are Australian-employed, so the monitoring that underpins your evidence is staffed locally, not handed to an offshore queue.
Realistic timeline and cost
Be wary of anyone promising SOC 2 in a few weeks. Here is the honest shape of it for an Australian SaaS company starting from a reasonable baseline.
- Readiness: two to four months for an early-stage company with decent foundations; longer if your access controls and logging are immature.
- Type I report: issued shortly after readiness, reflecting a point in time.
- Type II monitoring window: three months at minimum, but six to twelve months is what enterprise buyers expect to see.
- Annual reissue: SOC 2 is not one-and-done. A Type II report covers a stated period, so you run a fresh audit each year to keep a current report on hand.
On cost, the auditor’s fee for a Type II from a reputable CPA firm typically runs into the tens of thousands of dollars (AUD), and that is before tooling and the internal or partner effort to get ready. Compliance automation platforms add an annual subscription. The readiness work — the controls, the policies, the engineering — is usually the larger line item, especially the first time through. Budget for the whole programme, not just the audit invoice, and treat year one as the expensive one.
Frequently asked questions
Is SOC 2 a certification?
No. It is an attestation report issued by a CPA firm under AICPA standards. There is no certificate and no public registry — you receive a report describing your controls and the auditor’s opinion, which you share with customers under NDA. Calling it a “certification” is common shorthand, but technically wrong.
Should an Australian company do SOC 2 or ISO 27001?
It depends on who buys from you. North American buyers expect SOC 2; European, UK and Australian buyers lean on ISO 27001. If your customer base spans both, doing both is common and the underlying controls are largely shared, so the second framework costs far less effort than the first.
Does SOC 2 satisfy Australian privacy law?
Not on its own. The Privacy Act 1988 and the Australian Privacy Principles still apply to your handling of personal information regardless of any SOC 2 report. SOC 2 can include a Privacy criterion, but it is a US framework — it is not a substitute for meeting your obligations under Australian law.
Can an MSP get us SOC 2 ready?
A security partner can run the gap assessment, implement and harden the controls, stand up evidence collection and keep controls monitored continuously between audits. The CPA auditor must remain independent, so the same firm cannot both prepare you and issue the report — but the readiness work is exactly where an MSP adds value.
Where TechAssist fits
We are a Melbourne MSP, founded in 2014, with thirteen Australian-employed engineers. We do not issue SOC 2 reports — that is the auditor’s job, and it has to stay independent — but we do the readiness and the continuous controls work that gets you there and keeps you there. That means hardening your Microsoft 365 and cloud environment, standing up logging and detection, wiring in compliance automation, and making sure the evidence trail your auditor samples actually exists every time. If a SOC 2 report is gating your next enterprise deal, get in touch and we will map the gap before you commit to an audit timeline.
If your business gets hit by a data breach that’s likely to seriously harm the people whose data you hold, the law gives you a tight window: assess it fast, then notify the regulator and the affected individuals as soon as practicable. Get the timing wrong and the penalties now run into the millions.
That’s the short version of the notifiable data breaches scheme, and it catches far more Melbourne SMEs than most directors realise. Here’s what it actually requires, who it covers, and the incident-handling steps you should have ready before anything goes wrong.
What the NDB scheme actually is
The notifiable data breaches scheme sits under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since February 2018. It’s administered by the Office of the Australian Information Commissioner (OAIC). The core obligation is simple to state and harder to live by: if you experience an eligible data breach, you must notify both the OAIC and every affected individual.
It isn’t a “tell us if you feel like it” arrangement. Notification is mandatory once the threshold is met, and the clock starts the moment you have reason to suspect something has gone wrong. The scheme exists so people can take protective steps — change passwords, watch their bank accounts, put a credit ban in place — before stolen data is used against them.
Who the Privacy Act covers
The Act applies to “APP entities” — organisations bound by the Australian Privacy Principles. The headline test is annual turnover. If your business turns over more than $3 million a year, you’re almost certainly covered. Plenty of directors stop reading there and assume they’re exempt. That’s a mistake, because the exceptions sweep in a lot of smaller operators.
You’re covered regardless of turnover if you:
- Are a health service provider that holds health information — this includes GPs, allied health, dentists, physios, psychologists and pharmacies, no matter how small the practice.
- Trade in personal information (buying or selling it).
- Are a credit reporting body or provide credit.
- Are a contractor delivering services under a Commonwealth contract.
- Are a tax file number recipient (most employers handle TFNs).
A three-chair dental practice in Camberwell with $1.2 million turnover is covered because it holds health information. A logistics broker handling TFNs and credit checks gets pulled in through those activities. The $3 million line is a floor for ordinary businesses, not a free pass for everyone under it. If you handle health data specifically, our write-up on healthcare IT support and OAIC obligations goes deeper on the sector rules.
What counts as an “eligible data breach”
Not every lost laptop or misdirected email triggers notification. An eligible data breach has three ingredients:
- There’s unauthorised access to, or unauthorised disclosure of, personal information you hold — or that information is lost in circumstances where unauthorised access or disclosure is likely.
- A reasonable person would conclude the breach is likely to result in serious harm to one or more affected individuals.
- You haven’t been able to prevent that likely serious harm through remedial action.
That third point matters. If you act quickly enough that serious harm is no longer likely — say, you remotely wipe a stolen, encrypted laptop before anyone could read it — the breach may not be notifiable at all. Remediation is a genuine off-ramp, but only if it’s fast and effective.
The “serious harm” test
“Likely to result in serious harm” is the pivot the whole scheme turns on, and there’s no fixed checklist. The OAIC asks you to weigh factors including the kind of information involved (health records and financial details rank high; a publicly listed business name does not), its sensitivity, whether it was encrypted or otherwise protected, who is now likely to have it, and what they could do with it.
Serious harm can be physical, psychological, emotional, financial or reputational. A breach exposing identity documents and bank details is far more likely to clear the bar than one exposing a marketing mailing list. The judgement is yours to make, but you have to be able to defend it — the OAIC can and does ask to see your reasoning.
The timeframes you have to hit
This is where SMEs get caught out, so be precise about the two clocks.
The assessment clock. If you only suspect an eligible data breach has occurred — you’re not yet sure it clears the serious-harm threshold — you must carry out a reasonable and expeditious assessment. The word “expeditious” means you start straight away, not when it’s convenient. The Act sets an outer limit of 30 calendar days from when you became aware of the grounds for suspicion. Thirty days is a ceiling, not a target. If you can resolve it in three, do it in three.
The notification clock. Once you’ve decided you have an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable. There’s no fixed day count here — “as soon as practicable” is judged on your circumstances — but it is not weeks of internal deliberation. You prepare a statement, lodge it with the Commissioner through the OAIC’s online form, and notify individuals by whatever method you normally use to contact them.
People often talk about a “72-hour rule” for data breaches. That figure comes from the EU’s GDPR, not the Australian Privacy Act. Australia’s standard is the “as soon as practicable” test, with the 30-day assessment ceiling sitting behind it. Treating 72 hours as your internal working deadline is sensible discipline — just don’t mistake it for the letter of Australian law.
The 2024 reforms and the new penalty regime
The penalties for getting this wrong are no longer trivial. Reforms that began with the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and continued through the Privacy and Other Legislation Amendment Act 2024 sharpened the OAIC’s teeth considerably.
For serious or repeated interferences with privacy, the maximum penalty for a body corporate is now the greater of $50 million, three times the value of any benefit obtained from the misuse of information, or 30 per cent of the entity’s adjusted turnover for the relevant period. That’s a dramatic jump from the old cap and it’s aimed squarely at organisations that treat privacy as optional.
The 2024 reforms also introduced a statutory tort for serious invasions of privacy, gave the Commissioner new mid-tier and low-tier civil penalty powers for less severe contraventions, and added powers to issue infringement notices. The practical effect for an SME: there is now a graduated enforcement ladder, so even a moderate compliance failure can attract a penalty rather than just a stern letter. Australia’s privacy framework is being progressively tightened, and the direction of travel is more obligations, not fewer.
What an SME should have ready before a breach
The businesses that handle a breach well aren’t the ones that read the Privacy Act after the fact — they’re the ones who decided in advance who does what. A data breach response plan doesn’t need to be a 40-page document. It needs to answer a handful of questions before the pressure is on.
| Element | What good looks like |
|---|
| Response lead | One named person who owns the assessment and can convene the team within the hour. |
| Detection | Logging and alerting that actually tells you when data is accessed or exfiltrated — not a customer phoning to ask why their details are on a forum. |
| Assessment template | A repeatable way to record what was breached, who’s affected, and your serious-harm reasoning, dated and saved. |
| Containment runbook | Steps to isolate systems, revoke credentials and preserve evidence without destroying it. |
| Notification drafts | Pre-drafted OAIC statement and individual notice you only have to fill in, not write from scratch at 11pm. |
| Contact list | OAIC, your insurer, your lawyer, your MSP and the ACSC’s ReportCyber — current numbers, not guesswork. |
A construction firm in Box Hill we work with discovered a compromised mailbox after a finance staffer’s credentials were phished. Because the logging was already in place, we could see exactly which messages and attachments the attacker had opened, scope the affected individuals within a day, and confirm that the exposed data did clear the serious-harm threshold. The notification went out fast and clean — not because they panicked well, but because the plan already existed. That kind of visibility is exactly what our cybersecurity services and managed detection and response are built to deliver.
Where most breaches actually start
In practice, the overwhelming majority of breaches we see trace back to compromised credentials and email — phishing, business email compromise, reused passwords. The single highest-value control for an SME is strong identity protection: multi-factor authentication everywhere, conditional access on Microsoft 365, and monitoring that flags anomalous sign-ins. Tightening identity is cheaper than any post-breach notification exercise, and it’s the foundation the Essential Eight is built on.
How TechAssist helps
TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. Our 24/7 NOC operates out of Tecoma in the eastern suburbs, with a second office in the Melbourne CBD at 575 Bourke Street. When a breach is unfolding, response time is everything: we target sub-15-minute response on critical incidents, which is the difference between containing a compromise and explaining it to the OAIC.
The realistic goal isn’t never having an incident — it’s detecting fast, containing faster, and being able to make a defensible serious-harm decision inside your timeframes. If you’re not confident you could do that today, that’s the gap worth closing. Have a look at our broader managed IT services, or get in touch and we’ll pressure-test your breach readiness before something forces the issue.
Frequently asked questions
Does the NDB scheme apply to my business if I turn over under $3 million?
Possibly. The $3 million turnover threshold is the general rule, but exceptions bring in any size of business that provides health services, handles credit information, trades in personal information, or operates under a Commonwealth contract. Most healthcare providers are covered regardless of turnover.
Is there really a 72-hour deadline to report a data breach in Australia?
No — the 72-hour figure is a GDPR (European) rule. Under the Australian Privacy Act you must notify the OAIC and affected individuals “as soon as practicable” after deciding you have an eligible data breach, and you have up to 30 days to assess a suspected breach. Acting within 72 hours is good practice, not the legal test.
What if I fix the breach quickly — do I still have to notify?
Not necessarily. If you take remedial action fast enough that serious harm is no longer likely, the breach may not be “eligible” and notification isn’t required. The catch is that the remediation has to genuinely remove the risk, and you need to document why it did.
Who do I actually notify, and how?
You notify the OAIC by lodging a statement through its online Notifiable Data Breach form, and you notify affected individuals directly using your usual contact method. If you can’t reasonably contact individuals one by one, you publish the statement and take steps to publicise it.
What happens if I don’t comply?
Failing to comply is an interference with privacy and can attract enforcement by the OAIC. Following the 2024 reforms, penalties for serious or repeated breaches reach the greater of $50 million, three times any benefit gained, or 30 per cent of adjusted turnover — alongside new mid- and low-tier penalty powers for lesser failures.
If your business stores, processes or transmits card payment data, PCI DSS compliance applies to you. It’s the security standard the card brands enforce on every merchant that touches cardholder data. The good news for most Australian SMEs: with the right payment setup, your obligations are smaller than you’d think.
What PCI DSS actually is
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s not Australian law or a government regulation. It’s a contractual standard maintained by the PCI Security Standards Council, owned by the major card brands: Visa, Mastercard, American Express, Discover and JCB. When you signed your merchant agreement, you agreed to comply with it.
The current version is PCI DSS 4.0.1, a minor revision of version 4.0. The old v3.2.1 standard was retired in March 2024, and the future-dated v4 requirements that were optional during the transition became mandatory from 31 March 2025. So if you ticked “best practice, not yet required” against those controls at your last assessment, that grace period is over. The v4 requirements push harder on multi-factor authentication for all access into the cardholder environment, tighter password rules, anti-phishing controls and scripts on payment pages.
Who has to comply
The rule is blunt: any business that stores, processes or transmits cardholder data must comply, whether you take ten transactions a year or ten thousand. A florist in Camberwell on an EFTPOS terminal is in scope, just as a national retailer is. The standard scales, but never switches off.
Cardholder data means the primary account number (the long number on the front of the card) plus cardholder name and expiry date. A stricter category, sensitive authentication data, covers the full magnetic stripe, the CVV/CVC code and the PIN. That must never be stored after a transaction is authorised, full stop. A surprising number of Australian SMEs breach this by keeping card details in an email, spreadsheet or CRM note.
The four merchant levels
Merchants are sorted into four levels by annual card transaction volume. The level decides how you validate, from a heavyweight external audit at the top to a self-assessment at the bottom. The Visa and Mastercard tiers below are the ones almost everyone uses.
| Level | Annual transaction volume (per card brand) | How you typically validate |
|---|
| Level 1 | Over 6 million transactions | Annual on-site audit by a Qualified Security Assessor (QSA), plus quarterly network scans |
| Level 2 | 1 million to 6 million | Annual Self-Assessment Questionnaire (SAQ), often QSA-reviewed, plus quarterly scans |
| Level 3 | 20,000 to 1 million (e-commerce) | Annual SAQ plus quarterly scans |
| Level 4 | Under 20,000 e-commerce, or up to 1 million total | Annual SAQ; scans where applicable |
The overwhelming majority of Melbourne SMEs are Level 4: no auditor turns up at your door. You validate by completing the correct Self-Assessment Questionnaire and, depending on your setup, running quarterly external vulnerability scans through an Approved Scanning Vendor.
Self-Assessment Questionnaires in plain English
The SAQ is a checklist you fill in to attest that you meet the relevant controls. There are several types, and using the wrong one means answering hundreds of irrelevant questions or, worse, under-scoping your risk.
- SAQ A — for merchants who have fully outsourced all cardholder data handling to a compliant third party and never see the card number: the e-commerce shop that redirects customers to Stripe, Square or a hosted payment page. The shortest questionnaire, and where you want to be.
- SAQ A-EP — for e-commerce merchants whose site doesn’t receive card data directly but controls how the payment page is delivered, for example loading the payment fields via JavaScript from a provider. Your site can affect transaction security, so you carry more responsibility.
- SAQ B — for merchants using standalone dial-out or IP EFTPOS terminals, or imprint machines, with no electronic card data storage. Common for cafes, trades and small retail.
- SAQ C — for merchants with an internet-connected payment application, where card data is processed through your own network but not stored. More controls apply because your environment is exposed.
- SAQ D — the full questionnaire, for everyone who doesn’t fit the simpler categories, including any merchant that stores cardholder data. It covers all applicable requirements and is the most demanding.
The practical goal is to engineer your way down to SAQ A or SAQ B. The further down you sit, the fewer controls you have to build, evidence and maintain.
How compliant providers and tokenisation shrink your scope
“Scope” is the most important word in PCI DSS. It covers every system, person and process that touches cardholder data, or connects to systems that do. So the smartest strategy isn’t building more controls, it’s keeping card data out of your environment entirely.
Two levers do most of the work. The first is a compliant payment provider. If you take payments through a PCI-certified gateway like Stripe, Square, Tyro or Eway, and your systems never see the raw card number, you’ve handed the hardest parts of the standard to a provider built to meet them. That’s the gap between a 20-question SAQ A and a 300-question SAQ D.
The second lever is tokenisation. Instead of storing a customer’s card number for repeat billing, the provider stores it and hands you back a meaningless token. You charge the card by sending the token, never the real number. Because the token is worthless to an attacker, the systems holding it generally fall out of scope. For any business doing subscriptions, retainers or saved-card checkouts, it’s the cleanest way to keep recurring payments running.
Where Australian SMEs trip up
We see the same handful of mistakes again and again across Melbourne, and nearly all are avoidable.
- Storing card details in email, spreadsheets or CRM notes. A customer phones through a card number and a staff member jots it into an Outlook draft “to process later”. That single act pulls your mail platform and CRM into scope and often breaches the rule against storing the CVV.
- Assuming the payment provider’s compliance covers you. Stripe being compliant doesn’t make you compliant; you still complete your own SAQ. Outsourcing reduces your obligations; it doesn’t delete them.
- Treating it as a once-a-year form. PCI DSS 4.0.1 expects controls to operate continuously, not just on assessment day.
- Conflating it with the Privacy Act. Your obligations to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme are separate. A card data breach can trigger both; meeting one doesn’t satisfy the other.
A professional services firm in Hawthorn we work with had been emailing client card numbers internally for years to process annual retainer invoices. We moved them to tokenised, saved-card billing through their gateway and wiped the historical card data out of their mail and accounting systems, dropping them from SAQ D to a short SAQ A.
How an MSP handles the technical side
For businesses that can’t fully outsource card handling, real engineering work is involved, and that’s where an MSP earns its keep.
Network segmentation
The fastest way to cut scope where card data does flow is segmentation: isolating the cardholder data environment from the rest of your network with firewalls and VLANs, so a compromise of the office Wi-Fi can’t reach the payment systems. Done correctly, it takes dozens of machines out of scope. Done badly, your entire flat network is in scope. This is core to our cybersecurity services and overlaps with the controls we deploy under our Essential Eight compliance work.
Logging and monitoring
Version 4 is strict about logging. You need to capture access to cardholder systems, retain those logs, and actually review them, not just generate them. For most SMEs that means feeding logs into a SIEM with alerting, which is what our security operations team runs. When a bank or assessor asks for six months of access logs, having them already searchable is the difference between a quick answer and a panic.
The everyday technical controls
The rest is the disciplined IT hygiene that underpins the whole standard: MFA on every account that can reach the cardholder environment, prompt patching, hardened firewall rules, anti-malware, encrypted transmission of card data and tightly controlled access. None of it is glamorous; all of it is the work, and the controls slip the moment no one owns them. As a Melbourne managed IT services provider founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, TechAssist keeps them running year-round, not just at audit time.
Frequently asked questions
Is PCI DSS a legal requirement in Australia?
Not directly. There’s no Australian statute that says “thou shalt be PCI compliant”. It’s a contractual obligation you accepted in your merchant agreement. Non-compliance can mean fines passed on by your acquirer, higher transaction fees, or in serious cases losing the ability to take card payments. A breach can also trigger separate obligations under the OAIC’s Notifiable Data Breaches scheme.
We only take payments through Square. Are we still in scope?
Yes, but your scope is small. If card data never lands in your own systems, you’ll typically complete the short SAQ A and confirm you don’t store card details anywhere. The risk is staff quietly creating shadow records, a card number in an email or spreadsheet, which drags other systems back into scope.
How often do we have to validate, and what’s the easiest way to stay compliant?
Validation is annual for most merchants: you complete the relevant SAQ each year, plus quarterly external vulnerability scans through an Approved Scanning Vendor if your setup requires them. The underlying controls are expected to operate year-round under PCI DSS 4.0.1. The single biggest thing you can do to make it easier is get card data out of your environment, using a compliant gateway and tokenisation so you never handle the raw card number.
Getting it sorted
For most Melbourne SMEs, PCI DSS compliance is far more achievable than the standard’s bulk suggests, provided you keep card data out of your hands and lock down whatever’s left. If you’re not sure which SAQ applies, or you suspect card numbers are lurking in your email and CRM, that’s worth fixing before an incident forces the issue. Get in touch with our team and we’ll map your scope and the controls you need.