Customer Success Story: Village Roadshow Simplifies PCI DSS 4.0.1 Compliance with Reflectiz

You may recall the Village Roadshow logo from the opening credits of Hollywood films. Founded in 1954 by Roc Kirby with a humble drive-in cinema in Melbourne, Village Roadshow has grown into a powerhouse of Australian entertainment. Today, the business remains a proud family legacy, led by Executive Chairman Robert Kirby and CEO Clark Kirby.

With the southern hemisphere heading into winter, we received a warm reception from Keyur Lavingia, Head of Security at Village Roadshow, as he shared how Reflectiz played a pivotal role in Village Roadshow’s seamless PCI DSS 4.0.1 audit – and how it was truly a collaborative effort across teams.

Australia’s Entertainment Giant

Village Roadshow operates some of the country’s most iconic brands:

  • Village Roadshow Theme Parks, Australia’s largest theme park operator, home to Warner Bros. Movie World, Sea World, Wet’n’Wild, Paradise Country, Topgolf, the Australian Outback Spectacular, Sea World Resort, and Village Roadshow Studios – the largest film and television production lot in the Southern Hemisphere.
  • Village Entertainment, encompassing Village Cinemas and Intencity, with leading cinema formats like Gold Class and VMax, and joint ventures across 58 sites and 600 screens nationwide.
  • Roadshow Films, Australia’s leading independent film distributor, with over 50 years of production and distribution excellence. 

Behind these operations is a central corporate team providing support across HR, finance, legal, and technology services. The group employs around 1200-1300 full-time staff and around 3500 casuals in the theme parks and cinemas. The theme parks division has been performing especially well, with a significant portion of revenue generated through online sales. As Keyur pointed out, “People tend to plan their visits to our theme parks around their vacations and buy ahead.”

Staying Ahead of Evolving Compliance

While Village Roadshow has maintained PCI DSS compliance for several years, the introduction of PCI DSS v4.0.1 brought new challenges, particularly around new requirements 6.4.3 and 11.6.1, which relate to monitoring of client-side web scripts.

“Our existing setup didn’t allow us to demonstrate compliance with these requirements in a streamlined way,” said Keyur Lavingia. “We needed a solution that would give us visibility over all scripts running on our websites, particularly third-party ones, without placing a heavy burden on our already lean security operations team.”

The audit itself was led by Kylie Siljama, Cyber Security & Enterprise GRC Lead, who coordinated preparation activities across the organisation and was instrumental in ensuring audit readiness and evidence capture. 

Why Reflectiz?

Village Roadshow evaluated multiple tools and ultimately selected Reflectiz for its ease of deployment, visibility, and automation.

“What I like is that we haven’t had to change anything on our websites. No code deployments. No new accounts. We simply provided the URLs, and within two days the platform was scanning and monitoring our assets. That was the magical part,” said Keyur.

Reflectiz mapped four key websites and immediately began tracking all client-side scripts, enabling Village Roadshow to identify, approve, and continuously monitor script activity, which is critical to demonstrating compliance with the new requirements.

Smart Approvals, Zero Observations

The SecOps team led the deployment and onboarding of Reflectiz, but the real lift came from a cross-functional effort. Script validation and approval were handled by the Digital Experience team, led by Scott Allan, Head of Digital Experience. Scott and his team were responsible for manually reviewing and validating every script identified by Reflectiz, over 700 in total.

“Our job in SecOps was to get the tooling in place and ensure we had visibility,” Keyur explained. “But the heavy lifting, reviewing and verifying scripts, was done by Scott’s team. Their diligence played a huge role in our success.” Reflectiz’s smart approvals helped ease the burden by automatically detecting behaviour changes, allowing the Digital Experience team to focus on the scripts that mattered most.

When audit day came, the result was clear: not a single observation raised by the assessor. It was a textbook example of how collaboration between governance, security, and application teams leads to audit success.

Continuous Monitoring and Confidence

Even beyond audit season, Reflectiz has become an essential part of Village Roadshow’s ongoing security toolkit. With a variety of third-party integrations used across platforms, for marketing, ticketing, analytics, and more, the need for visibility and behavioural tracking is critical. 

“Reflectiz gives us the visibility we lacked. If a Facebook pixel suddenly starts doing something different, we know. That kind of behaviour protection is what really sets it apart from the other tools we evaluated,” said Keyur. He added, “If you’re struggling with how to meet the new PCI DSS v4.0.1 on-page script monitoring requirements, Reflectiz is the answer. It removes the blind spots without disrupting your platforms or teams.”

A Foundation for Future Security

With Reflectiz in place, Village Roadshow has not only achieved compliance but also strengthened its foundations for digital trust and script-based threat detection.

“Achieving PCI compliance isn’t about ticking a box, it’s about building repeatable, resilient processes. Reflectiz gives us confidence that we’re not just compliant, but continuously protected,” Keyur concluded.
