Recent changes to Australia’s Privacy Act have significantly increased regulators’ powers, granting them the ability to issue some of the largest data breach fines in the world. This guide teaches you everything you need to know about the Act and what actions you may need to take to ensure you are compliant.
Australia Privacy Act Changes in Summary:
The Privacy Act in Australia is designed to protect an individual’s privacy and personal information, regardless of where it is processed.
Its scope covers the following types of organisations:
Organisations processing data of Australian nationals are subject to the Act even where the information is processed in a different country, similar to the extraterritorial scope of the EU's GDPR. Recent amendments to the Australian Privacy Act mean those in breach of the Act may be liable for fines of up to AU $50m, or 30% of adjusted quarterly turnover, depending on the severity of the breach (for comparison, the penalty for a GDPR breach can be the greater of up to 4% of global turnover or €20m).
There are 13 Australian Privacy Principles (APPs):
While compliance requires meeting all 13 APPs, this guide focuses on APP 11 - Security of Personal Information, which says that:
“An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.”
Before we dive into APP 11, it is important to understand that not all information is equally important when it comes to privacy and the potential impact an unwanted disclosure may have on an individual. For this reason, the OAIC defines different classifications of personal information. Sensitive Information is the most critical classification and covers information or an opinion about an individual's:
APP 11 - Security of Personal Information states that organizations must take reasonable steps to prevent unauthorized disclosure of Personal Information. The phrase "reasonable steps" is key here, as organizations vary widely by sector, size, complexity, revenue, technical capability, and the volume and types of information they process.
Every organization is expected to understand its own context under the Privacy Act, and the risk it poses to individuals based on the information it stores, processes, or transmits, particularly when that information is deemed Sensitive.
Controls employed to protect sensitive information are layered and include:
There is often a belief that implementing encryption and key management is complex, time-consuming, difficult to maintain and firmly in the realm of specialist security teams. At Evervault, we have developed a platform to make field-level encryption accessible and simple for developer and engineering teams to implement and manage.
Evervault has developed this guide on preparing for an encryption implementation, highlighting the key steps required. At the end of the guide, an organization will be in a strong position to understand how to implement encryption, address key data security and privacy requirements, and reduce the impact of a data breach should it occur.
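As an added illustration of the field-level encryption and the APP 11 "destroy or de-identify" obligation discussed above (example code written for this guide, not Evervault's platform or API): each record's sensitive field is encrypted under its own AES-256-GCM key with the record ID bound as associated data, and de-identification is performed by destroying that key, so ciphertext left behind in backups can no longer be read. The record IDs, sample field and in-memory key store are constructed for the example; a production deployment would keep the per-record keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore: one AES-256 key per record ID (constructed in-memory stand-in for a KMS/HSM).
type KeyStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one sensitive field under a fresh per-record key, binding the
// record ID as associated data. Output layout: nonce || ciphertext || GCM tag.
func EncryptField(ks KeyStore, id string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ks[id] = key
	return gcm.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// DecryptField fails closed on a destroyed key, a tampered ciphertext, or a wrong record ID.
func DecryptField(ks KeyStore, id string, ct []byte) ([]byte, error) {
	gcm, err := newGCM(ks[id]) // a destroyed key reads back as nil, which aes.NewCipher rejects
	if err != nil {
		return nil, errors.New("record de-identified or key invalid: " + err.Error())
	}
	if ns := gcm.NonceSize(); len(ct) >= ns {
		return gcm.Open(nil, ct[:ns], ct[ns:], []byte(id)) // verifies tag and AAD first
	}
	return nil, errors.New("ciphertext too short")
}

// DeIdentify meets APP 11's "destroy or de-identify" duty by crypto-shredding the record's key.
func DeIdentify(ks KeyStore, id string) { delete(ks, id) }
```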
The Office of the Australian Information Commissioner (OAIC) has published a set of guides to help companies work toward their privacy compliance obligations. You can check them out to see which one is the most relevant to you.
The one constant across the vast majority of regulations is that the application of encryption is key to protecting sensitive information and the rights and freedoms of the individuals whose data you are protecting. But implementing encryption is not a silver bullet for achieving compliance with privacy regulations. There are often several other procedural and technical controls that need to be addressed, and these typically have to be worked out separately for each jurisdiction in which you operate.
We’ve written a guide to the best practices for preparing your data for encryption to help you through the steps. You can also sign up for your free Evervault account to encrypt data today.
Head of Compliance