PCI Compliance Checklist: How to Achieve Compliance in 2022

June 02, 2022

A quick scan of the PCI DSS’s 300+ controls, 12 requirements, and six control objectives will make one thing abundantly clear: PCI compliance is no walk in the park.

To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps.

Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process.

Let’s dive in.

Quick review: What’s PCI compliance?

PCI DSS (or just PCI) is mandated by major credit card companies to standardize the protection of cardholder data. PCI provides clear guidelines for how to capture, process, and store sensitive cardholder information.

PCI compliance is required for any company that accepts credit card payments. PCI also applies to any organization that can impact the security of payment card transactions.

There are different levels of compliance that correspond with how many card transactions you handle over the course of a year. The more card transactions you process, the more rigorous your PCI compliance audit process will be.

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified.

Download ebook

The 12 PCI DSS requirements

The PCI DSS standard includes 12 requirements with instructions for meeting compliance. The requirements cover technical and operational must-haves, such as installing firewalls and restricting physical access to cardholder data.

Each requirement maps to one of six specific PCI DSS goals, which are:

Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

When a business can prove that all six goals and all 12 requirements are met, they are considered PCI compliant.

PCI DSS compliance checklist

We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance.

Our checklist is in accordance with PCI v3.2.1, which is the current version of PCI DSS.

For context, the PCI Security Standards Council (PCI SSC) has revealed a new version update — PCI DSS v4.0 — that is set to become effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025.

We’ll cover PCI v4.0 and the updates that come with it in an upcoming blog post.

PCI DSS compliance checklist

Requirement 1

Install and maintain a firewall configuration to protect cardholder data

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Formal documentation for testing and approval of network changes

Firewall, router, and personal firewall configuration standards

Document the review of firewall rule sets every six months

Document ports and services justification for every inbound and outbound rule

Implementation requirements:

Configure and implement secure firewall and router settings and rules

Configure network segmentation and network subnets to restrict connections between trusted networks and any external untrusted network

Prevent public direct access between the internet and any system component in the internal cardholder data environment

Install personal firewall software on all internet-connected portable devices that are also used to access the cardholder data environment

Implement security features for any insecure services utilized within the cardholder data environment

Install perimeter firewalls between all wireless networks and the cardholder data environment

Requirement 2

Eliminate vendor defaults for passwords and other security parameters

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Document security policies and processes to manage vendor default settings and vendor security best practice documentation

Develop configuration standards for all system components

Create and maintain a wireless network security policy

Implementation requirements:

Change all vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on your network

Change all wireless vendor defaults at installation for wireless environments that connect to the cardholder data environment or that transmit cardholder data

Implement all systems utilizing documented configuration standards and vendor best practice.

Encrypt all non-console administrative access utilizing strong cryptography

Requirement 3

Protect stored cardholder data

Goal: Protect cardholder data

Policy and process requirements:

Document a data retention and disposal policy detailing retention time requirements and a secure process for deletion of data

Define a quarterly process for regularly identifying and deleting stored cardholder data that exceeds the retention period

Document a key management policy and process defining the secure generation, storage and distribution of encryption keys

Implementation requirements:

Verify sensitive authentication data is not being stored (such as the card verification code or PIN) after authorization, even if it is encrypted

Implement a strong key management process including secure storage configurations and restricting access to only required key custodians

Verify PAN is unreadable whenever stored and masked when displayed. Only explicitly authorized personnel should be able to view unmasked PAN

Requirement 4

Encrypt payment data transmission

Goal: Protect cardholder data

Policy and process requirements:

Document the controls in place for encrypting cardholder data when transmitted over open public networks with strong cryptography

Document the configuration standards for implementing strong authentication and transmission encryption for wireless networks

Document the process for acceptance of trusted keys and certificates

Implementation requirements:

Identify all locations where cardholder data is being sent over public networks and verify strong encryption is being used

Verify when PAN is sent over end-user messaging technologies, the PAN data is unreadable or secured utilizing strong cryptography

Ensure only trusted keys and certificates are accepted

Requirement 5

Protect against malware and regularly update antivirus software

Goal: Maintain a vulnerability management program

Policy and process requirements:

Maintain policies for antivirus including how the software detects, removes, and protects against all known types of malicious software

Implementation requirements:

Verify antivirus software is kept current, performs periodic scans, and generates audit logs

Ensure antivirus software is actively running and cannot be disabled by users on all systems commonly affected by malware

Requirement 6

Establish secure systems and applications

Goal: Maintain a vulnerability management program

Policy and process requirements:

Document a process to identify new security vulnerabilities and assign vulnerability risk

Document change control policies and procedures

Document a software development policy including secure coding techniques and processes for addressing common coding vulnerabilities

Implementation requirements:

Perform vulnerability assessments against web applications or use an automated technical solution such as a web application firewall

Protect systems from known vulnerabilities by installing applicable vendor security patches

Verify software is developed based on industry standards or best practice and developed in accordance with PCI DSS standards including security throughout the development lifecycle

Ensure code reviews are being performed for all production code changes by an individual other than the author

Requirement 7

Restrict cardholder data access

Goal: Implement strong access control measures

Policy and process requirements:

Document a policy for access control that addresses access need and privilege assignment, least privilege, and job classifications

Implementation requirements:

Inspect system access regularly to determine that privileges assigned are necessary for the job function and are restricted to least privilege

Requirement 8

Assign unique user IDs and passwords

Goal: Implement strong access control measures

Policy and process requirements:

Document a policy and process for the creating, revoking, and modification of access

Document a policy for the management of user IDs including password policy, lockout duration, authentication methods, and user guidance on credential usage

Implementation requirements:

Remove or disable any inactive accounts that are 90 days old

Ensure passwords have a minimum length of 7 characters and require complexity including both alphabetic and numeric characters

Change user passwords at least every 90 days

Ensure all non-console administrative access and remote access into the cardholder data environment requires multi-factor authentication

Do not use generic accounts and do not utilize shared accounts for administrative or critical functions

Requirement 9

Restrict physical access to cardholder data

Goal: Implement strong access control measures

Policy and process requirements:

Develop a policy for managing, securing, and destroying physical media

Document a procedure for identifying new onsite personnel and visitors, changing access requirements and revoking terminated onsite personnel and expired visitor identification

Implementation requirements:

Implement facility entry controls and security controls to limit and monitor physical access to systems

Implement a visitor security program including the use of visitor authorization, visitor badges, and visitor logs

Verify physical media management includes securely storing, distributing, and classifying media

Maintain a list of POS devices and periodically inspect devices for tampering or substitution

Requirement 10

Track and monitor network access

Goal: Regularly monitor and test networks

Policy and process requirements:

Document policies and procedures for monitoring and reviewing log files daily

Review and document logs and security events for all system components to identify abnormalities or suspicious activity

Implementation requirements:

Implement automated audit trails for all system components for the following events:

All individual access to cardholder data

All actions taken by any individual with root or administrative privileges

Access to all audit trails

Invalid logical access attempts

Use of and changes to identification and authentication mechanisms, including:

All elevation of privileges

All changes, additions, or deletions to any account with root or administrative privileges

Initialization of audit logs

Stopping or pausing of audit logs

Creation and deletion of system level objects

Verify audit logs are retained for three months which are immediately available and one year archived

Requirement 11

Test security systems and processes

Goal: Regularly monitor and test networks

Policy and process requirements:

Document a process for identifying and removing unauthorized wireless access points and inventory all authorized wireless access points in use

Document a methodology used for penetration testing based on industry-accepted penetration testing approaches

Implementation requirements:

Perform quarterly internal vulnerability scans and complete quarterly external scans utilizing an approved scanning vendor

Perform internal and external penetration testing annually and after any significant infrastructure or application upgrade or modification. Segmentation testing must be performed bi-annually for service providers.

Implement intrusion detection or preventions systems to monitor all traffic at the perimeter of the cardholder data environment

Implement a change detection mechanism such as file integrity monitoring to generate alerts for unauthorized modification of system and configuration files

Requirement 12

Establish and maintain an information security policy

Goal: Maintain an information security policy

Policy and process requirements:

Document an information security policy which is reviewed annually and changed in relation to the risk environment or business objectives

Document a risk assessment process which includes how to identify assets, threats, and vulnerabilities

Document acceptable use policies for all technologies and products in use

Document an incident response plan and procedures to ensure your organization is prepared to respond immediately to a system breach

Document the responsibility of your service providers and perform due diligence against their compliance efforts

Implementation requirements:

Formally assign information security responsibilities to the appropriate personnel

Train all personnel on cardholder data security awareness and require personnel to acknowledge they understand all applicable policies and procedures

Perform background screening of prospective employees within constraints of the local law

Review and test the incident response plan at least annually

For a tangible copy of the above checklist, you can download our PCI compliance checklist PDF below.

Additional requirements for service providers and issuers

There are additional requirements specifically for service providers and issuers that we may not have covered in our checklist above. To see a full list of everything required of you, visit the official PCI Security Standards website.

What’s next for PCI compliance

PCI DSS will slowly be moving from v3.2.1 to v4.0.

This change will take place over years, giving businesses plenty of time to familiarize themselves with the new requirements and a chance to implement them within their PCI processes.

In the meantime, PCI v3.2.1 will continue to be effective in proving compliance with the standard.

How Secureframe can help simplify the PCI DSS compliance process

If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone.

Secureframe has PCI experts who can help you at every step.

They can also help you build PCI policies that comply with the standard. Considering the number of policies needed for PCI compliance, this is a significant lift off your team's shoulders. Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.

Become a security expert

Get the latest articles on startup security and compliance best practices delivered straight to your inbox.

Get a Secureframe demo

Why Secureframe?

Integrations

SOC 2

HIPAA

ISO 27001

PCI DSS

Blog

Help Center

Books

HIPAA Training

SOC 2 Hub

Blog

Blog

Blog

About

Careers We're Hiring

Security

Newsroom

Auditors

Partners

Table of Contents

PCI Compliance Checklist: How to Achieve Compliance in 2022

Quick review: What’s PCI compliance?

The Ultimate Guide to PCI DSS

The 12 PCI DSS requirements

PCI DSS compliance checklist

PCI DSS compliance checklist

Install and maintain a firewall configuration to protect cardholder data

Policy and process requirements:

Implementation requirements:

Eliminate vendor defaults for passwords and other security parameters

Policy and process requirements:

Implementation requirements:

Protect stored cardholder data

Policy and process requirements:

Implementation requirements:

Encrypt payment data transmission

Policy and process requirements:

Implementation requirements:

Protect against malware and regularly update antivirus software

Policy and process requirements:

Implementation requirements:

Establish secure systems and applications

Policy and process requirements:

Implementation requirements:

Restrict cardholder data access

Policy and process requirements:

Implementation requirements:

Assign unique user IDs and passwords

Policy and process requirements:

Implementation requirements:

Restrict physical access to cardholder data

Policy and process requirements:

Implementation requirements:

Track and monitor network access

Policy and process requirements:

Implementation requirements:

Test security systems and processes

Policy and process requirements:

Implementation requirements:

Establish and maintain an information security policy

Policy and process requirements:

Implementation requirements:

Additional requirements for service providers and issuers

What’s next for PCI compliance

How Secureframe can help simplify the PCI DSS compliance process

Become a security expert