PCI Compliance Checklist: How to Achieve Compliance in 2022


  • June 02, 2022

A quick scan of the PCI DSS’s 300+ controls, 12 requirements, and six control objectives will make one thing abundantly clear: PCI compliance is no walk in the park. 

To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps. 

Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process. 

Let’s dive in.

Quick review: What’s PCI compliance?

PCI DSS (often shortened to just PCI) is the Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, which was founded by the major card brands. It standardizes how organizations protect cardholder data and gives concrete guidelines for capturing, processing, transmitting, and storing sensitive cardholder information.

PCI compliance is required of any organization that stores, processes, or transmits cardholder data, which in practice means any company that accepts card payments. It also applies to any organization whose systems or services can affect the security of cardholder data, such as payment service providers.

Merchants are assigned to one of several compliance levels based on the number of card transactions they handle over the course of a year. The more transactions you process, the more rigorous the validation, ranging from a self-assessment questionnaire at the lower levels to an annual on-site assessment by a Qualified Security Assessor at the highest.


The 12 PCI DSS requirements

The PCI DSS standard includes 12 requirements with instructions for meeting compliance. The requirements cover technical and operational must-haves, such as installing firewalls and restricting physical access to cardholder data. 

Each requirement maps to one of six specific PCI DSS goals, which are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

When a business can prove that all six goals and all 12 requirements are met, they are considered PCI compliant.

PCI DSS compliance checklist

We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance. 

Our checklist follows PCI DSS v3.2.1, the version in force at the time of writing.

For context, the PCI Security Standards Council (PCI SSC) published PCI DSS v4.0 on March 31, 2022. v3.2.1 remains valid until it is retired on March 31, 2024, and a subset of the v4.0 requirements are designated future-dated and do not become mandatory until March 31, 2025.

We’ll cover PCI v4.0 and the updates that come with it in an upcoming blog post.


Requirement 1

Install and maintain a firewall configuration to protect cardholder data

Goal: Build and maintain a secure network and systems


Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Build and maintain a secure network and systems


Requirement 3

Protect stored cardholder data

Goal: Protect cardholder data


Requirement 4

Encrypt transmission of cardholder data across open, public networks

Goal: Protect cardholder data


Requirement 5

Protect against malware and regularly update antivirus software

Goal: Maintain a vulnerability management program


Requirement 6

Establish secure systems and applications

Goal: Maintain a vulnerability management program


Requirement 7

Restrict access to cardholder data by business need to know

Goal: Implement strong access control measures


Requirement 8

Identify and authenticate access to system components

Goal: Implement strong access control measures


Requirement 9

Restrict physical access to cardholder data

Goal: Implement strong access control measures


Requirement 10

Track and monitor all access to network resources and cardholder data

Goal: Regularly monitor and test networks


Requirement 11

Regularly test security systems and processes

Goal: Regularly monitor and test networks


Requirement 12

Maintain a policy that addresses information security for all personnel

Goal: Maintain an information security policy


For a tangible copy of the above checklist, you can download our PCI compliance checklist PDF below. 

Additional requirements for service providers and issuers

There are additional requirements specifically for service providers and issuers that we may not have covered in our checklist above. To see a full list of everything required of you, visit the official PCI Security Standards website.

What’s next for PCI compliance

PCI DSS is moving gradually from v3.2.1 to v4.0.

The transition spans several years, giving businesses time to familiarize themselves with the new requirements and to implement them within their PCI processes.

In the meantime, assessments against PCI v3.2.1 continue to be accepted as proof of compliance with the standard.

How Secureframe can help simplify the PCI DSS compliance process

If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone. 

Secureframe has PCI experts who can help you at every step. 

They can also help you build PCI policies that comply with the standard. Considering the number of policies needed for PCI compliance, this is a significant lift off your team's shoulders. Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.