PCI Compliance Checklist: How to Achieve Compliance in 2024
A quick scan of the PCI DSS’s 300+ controls, 12 requirements, and six control objectives will make one thing abundantly clear: PCI compliance is no walk in the park.
To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps.
Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process.
Let’s dive in.
Quick review: What’s PCI compliance?
PCI DSS, the Payment Card Industry Data Security Standard, is mandated by the major card brands to standardize the protection of account data. The standard sets specific requirements for how this sensitive data may be captured, processed, transmitted, and stored.
PCI compliance is required for any company that processes, stores, transmits, or impacts the security of cardholder data and/or sensitive authentication data.
There are different compliance levels, assigned primarily by how many card transactions you handle in a year and, in some cases, by the risk your acquirer or the card brands associate with you. The more transactions you process, or the higher your assigned level, the more rigorous the validation: lower levels can usually self-assess, while the highest level requires an annual Report on Compliance, typically performed by a Qualified Security Assessor (QSA).
Non-compliance may result in fines and penalties, increased likelihood of data breaches, and loss of merchant license or ability to work with payment processors.
The PCI Security Standards Council (PCI SSC) creates and updates PCI DSS as part of a continuous effort to improve payment account data security and to drive consistent adoption of data security measures globally. PCI DSS v4.0.1 is the current version of the standard.
4 key steps to adhering to PCI DSS
PCI DSS compliance is a continuous process that can be broken down into a series of ongoing steps:
- Gap assessment — Using the PCI DSS prioritized approach tool, Secureframe platform, or a consultant — or a combination of all three — identify the scope of your PCI DSS environment and assessment, inventory all account data storage locations, software and infrastructure, and begin reviewing your implementation of PCI DSS requirements and objectives.
- Audit — If your organization requires a third-party audit by a QSA, scheduling and preparing for an audit would be your next step. Secureframe has a qualified partner list and can help introduce you to partners if your organization has not engaged with a QSA firm.
- Remediate — Fix the vulnerabilities and non-conformities identified during the gap assessment and the audit. This may involve patching software, updating firewall rules, securely removing unnecessary account data storage, or implementing secure business processes.
- Report — The auditor then drafts a Report on Compliance (ROC) or, if you are self-attesting, you complete the applicable Self-Assessment Questionnaire (SAQ) from the PCI SSC website. In both cases the result is an Attestation of Compliance (AOC), which you can share with customers and requesting agencies.
Complying with PCI DSS’s technical and operational requirements can help mitigate vulnerabilities and protect cardholder data and/or sensitive authentication data wherever it is processed, stored or transmitted. Let’s dive into these requirements below.
The 12 PCI DSS requirements
The PCI DSS standard includes 6 objectives and 12 principal requirements, each broken into sub-requirements that state exactly which controls need to be in place. The requirements are a mix of technical and operational controls designed to protect account data.
Each PCI DSS requirement maps to one of six objectives (the standard also calls them goals), which are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The objectives and requirements are listed in the image below.
When a business can attest that all requirements that are applicable to their environment are met, they are considered PCI compliant.
Below is a brief overview of each requirement.
1. Install and Maintain Network Security Controls
Organizations must establish and maintain network security controls (NSCs) to control traffic within their network, the cardholder data environment (CDE) in particular, and to protect their systems and data from exposure to untrusted networks like the Internet. Previously, organizations relied mostly on physical firewalls to prevent unauthorized access. Now they also use virtual appliances, cloud access controls, virtualization and container systems, routers configured with access control lists, and other software-defined networking technology; PCI DSS v4.0 adopted the term NSC precisely so that the requirement covers all of these, not just firewalls.
2. Apply Secure Configurations to All System Components
Since malicious individuals often use default passwords and other vendor default settings to compromise systems, organizations must apply secure configurations to all system components to reduce the risk that these individuals pose. This means:
- changing default passwords and other vendor defaults, including wireless encryption keys and SNMP community strings
- removing unnecessary software, functions, and accounts
- disabling or removing unnecessary services
3. Protect Stored Account Data
Organizations must render stored PAN unreadable wherever it is kept, using one of the methods the standard accepts: one-way keyed cryptographic hashes, truncation, index tokens, or strong cryptography with proper key management. Masking is a separate display control: PAN shown on screens or receipts is limited to the BIN and last four digits unless the viewer has a documented business need to see more. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must not be retained after authorization, even in encrypted form. Data retention and disposal policies must also be in place to minimize how long account data is kept and to securely delete it when it is no longer needed.
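The three PAN protection techniques named above, display masking, truncation, and a keyed one-way hash, as an added example (this is not code from the original page or from any PCI SSC document). It assumes a constructed, Luhn-valid test PAN, a hard-coded HMAC key that exists only so the block runs stand-alone, and a first-6/last-4 layout; in a real CDE the key lives under Requirement 3 key management and the permitted digit counts should be confirmed against current PCI SSC truncation guidance.

```python
"""PAN protection helpers: display masking, truncation and a keyed hash.

Added example, not code from the original page. Assumptions: the sample PAN is
a constructed test number; DEMO_KEY is for demonstration only; first 6 / last 4
is one common layout and must be checked against current PCI SSC guidance.
"""
import hashlib
import hmac
import re

PAN_DIGITS = re.compile(r"^\d{12,19}$")

# Constructed test PAN (Luhn-valid), not a real account number.
SAMPLE_PAN = "4111 1111 1111 1111"
# Demonstration-only key; never hard-code a production hashing key.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject strings that cannot be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip separators and validate length and checksum."""
    digits = re.sub(r"[\s-]", "", raw)
    if not PAN_DIGITS.match(digits) or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(raw: str, first: int = 6, last: int = 4) -> str:
    """Display masking (Req. 3.4.1): the full PAN still exists in storage,
    only what is rendered for personnel without a need to see it is reduced."""
    pan = normalise_pan(raw)
    if first + last >= len(pan):
        raise ValueError("mask would reveal the full PAN")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_pan(raw: str, first: int = 6, last: int = 4) -> str:
    """Truncation (Req. 3.5.1): the middle digits are discarded before storage
    and cannot be recovered; the result is no longer a PAN."""
    pan = normalise_pan(raw)
    return pan[:first] + pan[-last:]


def keyed_hash_pan(raw: str, key: bytes) -> str:
    """Keyed one-way hash (Req. 3.5.1.1). An unkeyed SHA-256 of a PAN is not
    protection: with the BIN known, about 10^9 candidates remain for a 16-digit
    PAN, so the secret key is what makes the hash infeasible to reverse.
    Do not store a truncated and a hashed form of the same PAN together
    without extra controls; combined they narrow the search space further."""
    pan = normalise_pan(raw)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def hash_matches(raw: str, key: bytes, stored_hash: str) -> bool:
    """Constant-time comparison for lookups such as 'has this card been seen'."""
    return hmac.compare_digest(keyed_hash_pan(raw, key), stored_hash)


if __name__ == "__main__":
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    digest = keyed_hash_pan(SAMPLE_PAN, DEMO_KEY)
    print("hmac:     ", digest)
    print("match:    ", hash_matches(SAMPLE_PAN, DEMO_KEY, digest))
```

Masking and truncation look similar on screen but are different controls: a masked value is still backed by a stored PAN that must be encrypted or hashed, whereas a truncated value is all that remains and is out of scope for the unreadable-storage requirement.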
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targeted by malicious individuals to gain privileged access to cardholder data environments. To protect against compromise, organizations must use strong cryptography, in practice TLS 1.2 or later with only strong cipher suites, whenever PAN is transmitted over open, public networks; must confirm that the certificates used are valid and not expired or revoked; and must never send PAN over end-user messaging technologies such as email, SMS, or chat unless it is protected with strong cryptography.
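A check for the "strong cryptography in transit" bar, as an added example that is not code from the original page. It audits a Python ssl.SSLContext for a minimum protocol of TLS 1.2 and for legacy or non-forward-secret cipher suites; the list of weak-suite name fragments, the cipher string, and the constructed legacy configuration are this example's own choices, not text from PCI DSS. The same two checks apply to whatever actually terminates TLS in front of the CDE.

```python
"""Audit a TLS configuration against Requirement 4.

Added example, not code from the original page. WEAK_FRAGMENTS and the cipher
string are assumptions chosen for this example; extend them for your estate.
"""
import ssl

# Fragments of OpenSSL cipher-suite names that mark a legacy or unsafe suite.
WEAK_FRAGMENTS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP", "IDEA", "SEED")

# Constructed 'before' configuration, as a legacy server might still offer it.
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]


def hardened_client_context() -> ssl.SSLContext:
    """The 'after' configuration: early TLS and legacy suites refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies certs and hostnames by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ephemeral key exchange + AEAD only. TLS 1.3 suites are
    # configured separately by OpenSSL and are all acceptable.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit(min_version: ssl.TLSVersion, cipher_names: list) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {min_version.name} is below TLS 1.2")
    for name in cipher_names:
        upper = name.upper()
        if any(frag in upper for frag in WEAK_FRAGMENTS):
            findings.append(f"weak cipher suite offered: {name}")
        elif not upper.startswith(("ECDHE", "DHE", "TLS_")):
            # Static RSA key exchange: a leaked server key decrypts recorded traffic.
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Run the audit against a live SSLContext."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    for finding in audit(LEGACY_MIN_VERSION, LEGACY_CIPHERS):
        print("legacy:", finding)
    print("hardened findings:", audit_context(hardened_client_context()))
```

The legacy sample produces four findings (protocol below TLS 1.2, RC4, 3DES, and a static-RSA suite); the hardened context produces none. For a server you do not control, the same questions are answered by connecting with `openssl s_client` while forcing each old protocol version and confirming the handshake is rejected.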
5. Protect All Systems and Networks from Malicious Software
It is critical that organizations use anti-malware solutions to protect systems from all types of malware, such as:
- viruses
- worms
- Trojans
- spyware
- ransomware
- keyloggers
- rootkits
- malicious code, scripts, and links
Regular updates and scans must be conducted to ensure the systems remain protected against current and evolving threats.
6. Develop and Maintain Secure Systems and Software
Malicious individuals can also use security vulnerabilities to gain privileged access to systems.
To reduce this risk, organizations must develop and maintain secure systems and software by following secure coding guidelines, training developers, and reviewing custom code before release. This also means identifying vulnerabilities in all system components and applying vendor-provided security patches promptly; PCI DSS sets a one-month deadline for critical and high-severity patches.
7. Restrict Access to System Components and Cardholder Data by Business Need to Know
Hackers may exploit ineffective access control rules and definitions to gain unauthorized access to critical data or systems.
Organizations must put systems and processes in place to limit access to systems, applications, and data based on the principles of least privilege and need to know. That means each individual gets the minimum privileges and the least data required to perform their job, with access explicitly assigned, approved, and periodically reviewed.
8. Identify Users and Authenticate Access to System Components
Organizations must implement strong authentication to ensure that only authorized individuals can access system components. This includes assigning a unique ID to every user (shared accounts only by documented exception), enforcing multi-factor authentication for all access into the CDE and for all non-console administrative access, removing or disabling inactive accounts, and setting password requirements such as minimum length and complexity, lockout after repeated failed attempts, and protection of stored credentials.
9. Restrict Physical Access to Cardholder Data
Physical access to cardholder data or systems that store, process, or transmit cardholder data must be restricted to prevent unauthorized access. This involves securing physical locations where data is stored and ensuring that access is granted only to authorized personnel.
10. Log and Monitor All Access to System Components and Cardholder Data
Comprehensive logging of all access to system components and cardholder data must be in place so that a compromise can be prevented, detected, or its impact minimized. Logs must capture at minimum the user, event type, date and time, success or failure, origin, and the affected resource; must be protected from tampering; and must be retained for at least 12 months, with at least the most recent three months immediately available. Security event logs for the CDE must be reviewed at least daily, and anomalies and exceptions investigated.
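What a daily log review can look like in code, as an added example that is not from the original page. It reads constructed syslog-style key=value lines (the format, hosts, users and addresses are all invented here) and raises two alerts: a burst of failed logins for one account, and a successful login after such a burst. The threshold of 10 failures is chosen to match the lockout limit in Requirement 8.3.4; the 30-minute window is an assumption.

```python
"""Daily review of CDE authentication logs (Requirement 10).

Added example, not code from the original page. The log format and every value
in SAMPLE_LOG are constructed; the 10-failure threshold follows Req. 8.3.4 and
the 30-minute window is an assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one normal login, ten failures then a success for 'bob'
# from an external address, one typo-then-success for 'carol', one corrupt line.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z host=cde-app01 user=alice src=10.0.5.20 event=login result=success
2024-05-01T09:12:30Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:12:41Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:12:52Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:03Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:14Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:25Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:36Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:47Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:13:58Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:14:09Z host=cde-app01 user=bob src=203.0.113.7 event=login result=fail
2024-05-01T09:15:05Z host=cde-app01 user=bob src=203.0.113.7 event=login result=success
2024-05-01T11:02:00Z host=cde-db01 user=carol src=10.0.5.31 event=login result=fail
2024-05-01T11:02:09Z host=cde-db01 user=carol src=10.0.5.31 event=login result=success
this line was truncated by the collector
"""


@dataclass
class Alert:
    kind: str
    user: str
    src: str
    at: datetime


def parse_line(line: str):
    """Parse one line; return None if the timestamp or mandatory fields are missing."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(KV.findall(m.group("kv")))
    if not {"user", "src", "event", "result"} <= set(fields):
        return None
    fields["ts"] = ts
    return fields


def review(log_text: str, threshold: int = 10, window: timedelta = timedelta(minutes=30)):
    """Sliding-window review. Returns (alerts, number_of_unparseable_lines).
    Unparseable lines are counted so a broken log pipeline does not go unnoticed."""
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    in_burst = set()             # users whose failure count has crossed the threshold
    alerts, unparsed = [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        if ev["event"] != "login":
            continue
        user, ts = ev["user"], ev["ts"]
        q = fails[user]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append(Alert("failure_burst", user, ev["src"], ts))
        elif ev["result"] == "success":
            if user in in_burst:
                # Credentials may have been guessed; lockout should have stopped this.
                alerts.append(Alert("success_after_burst", user, ev["src"], ts))
            in_burst.discard(user)
            q.clear()
    return alerts, unparsed


def review_sample():
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG)


if __name__ == "__main__":
    found, bad = review_sample()
    for a in found:
        print(f"{a.at.isoformat()} {a.kind:20} user={a.user} src={a.src}")
    print(f"unparseable lines: {bad}")
```

The second alert is the one that matters for Requirement 8 as well as 10: if lockout after 10 failures were enforced, a success at the eleventh attempt should be impossible, so its presence points to a control failure, not just a noisy attacker.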
11. Test Security of Systems and Networks Regularly
Vulnerabilities are continuously being discovered by malicious individuals and introduced by new software. Organizations must regularly test security systems, processes, and software: internal and external vulnerability scans at least quarterly and after significant changes (external scans by a PCI SSC Approved Scanning Vendor), internal and external penetration testing at least annually, and ongoing detection of unauthorized wireless access points, changes to critical files, and intrusions. The aim is to confirm that controls remain effective in a changing environment and to identify and fix new weaknesses.
12. Support Information Security with Organizational Policies and Programs
A strong information security program supported by organizational policies is crucial for ensuring that all personnel are aware of the sensitivity of cardholder data and their responsibilities for protecting it. This requires organizations to:
- maintain information security and acceptable use policies
- identify, assess, and manage risks to the cardholder data environment
- conduct regular training and awareness programs for employees
- manage third-party risks
PCI DSS compliance checklist
We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance.
PCI DSS compliance checklist
Build and maintain a secure network and systems:
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect account data:
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program:
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement strong access control measures:
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly monitor and test networks:
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an information security policy:
- Support information security with organizational policies and programs
For each requirement, the checklist separates policy and process requirements from implementation requirements.
For a tangible copy of the above checklist, you can download our PCI compliance checklist PDF below.
Additional requirements for service providers and issuers
There are additional requirements specifically for service providers and issuers that we may not have covered in our checklist above. To see a full list of everything required of you, visit the official PCI Security Standards website.
How Secureframe can help simplify the PCI DSS compliance process
If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone.
Secureframe has PCI experts who can help you at every step.
As a Secureframe customer, you can reach out to your compliance manager to have an in-depth discussion about your current environment and scope to help determine exactly which controls are applicable to you and how you can implement them within your environment in order to meet the latest version of PCI DSS.
You can then use the Secureframe platform to assign owners to tasks, controls, and reviews, manage the completion of security awareness training and policy acceptance, complete your risk assessment, and remediate automated tests with the support of our compliance managers. Secureframe compliance managers can also help perform a readiness assessment with you prior to your audit so you can be confident in your PCI DSS v 4.0.1 compliance before your auditor performs the actual assessment.
Finally, you can select one of our partner QSAs to perform fieldwork directly within the platform.
Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.
FAQs
What is a PCI DSS compliance checklist?
A PCI DSS compliance checklist is a tool designed to help an organization evaluate its compliance with the PCI DSS framework and ensure it has completed the essential steps to prepare for a successful audit. Using the checklist, organizations can check off the boxes to visualize their level of audit readiness and quickly identify any gaps they need to remediate before undergoing an audit.
What are the steps for PCI DSS compliance?
The steps for PCI DSS compliance include implementing controls to meet the 12 requirements of PCI DSS, which specify the framework for a secure payments environment, and completing either a full Report on Compliance or a Self-Assessment Questionnaire to validate that your controls meet those requirements. During a readiness assessment or the assessment itself, a QSA may document gaps in your controls and provide a list of remediation items. The PCI DSS compliance process can therefore be broken down into three essential steps: assess, remediate, and report.
What is the first step of PCI DSS compliance?
The first step of PCI DSS compliance is determining which compliance level and validation type apply to you. This depends on whether you are a merchant or a service provider, the number of card transactions you handle annually, and the requirements of your card brands, acquiring bank, or customers. Once you know your level and have scoped your cardholder data environment, you can put the policies, procedures, and controls in place to meet the 12 requirements.
Who administers PCI DSS?
PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.