Interactive PCI DSS Checklist: Navigate the 12 Requirements of PCI DSS 4.0

  • July 30, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Marc Rubbinaccio

Manager, Compliance

A quick scan of the PCI DSS’s 300+ controls, 12 requirements, and six control objectives will make one thing abundantly clear: PCI compliance is no walk in the park. 

To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps. 

Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process. 

Let’s dive in.

Quick review: What’s PCI compliance?

PCI DSS, which stands for Payment Card Industry Data Security Standard, is mandated by major credit card companies to standardize the protection of account data. PCI provides clear guidelines for how to capture, process, and store this sensitive data.  

PCI compliance is required for any company that processes, stores, transmits, or impacts the security of cardholder data and/or sensitive authentication data.

There are different compliance levels that correspond with how many card transactions you handle over the course of a year or simply based on risk. The more card transactions you process or the higher your risk level, the more rigorous your PCI compliance audit process will be. 

Non-compliance may result in fines and penalties, increased likelihood of data breaches, and loss of merchant license or ability to work with payment processors.

The PCI Security Standards Council (PCI SSC) creates and updates the PCI DSS standard as part of a continuous effort to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally. PCI v4.0.1 is the latest version of the standard.

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 

4 key steps to adhering to PCI DSS

PCI DSS compliance is a continuous process that can be broken down into a series of ongoing steps:

  1. Gap assessment Using the PCI DSS prioritized approach tool, Secureframe platform, or a consultant — or a combination of all three — identify the scope of your PCI DSS environment and assessment, inventory all account data storage locations, software and infrastructure, and begin reviewing your implementation of PCI DSS requirements and objectives.
  2. Audit — If your organization requires a third-party audit by a QSA, scheduling and preparing for an audit would be your next step. Secureframe has a qualified partner list and can help introduce you to partners if your organization has not engaged with a QSA firm.  
  3. Remediate — Fix any identified vulnerabilities or non-conformities from the audit and gap assessment phase. This may involve patching software, updating firewall rules, securely removing any unnecessary account data storage, or implementing secure business processes.
  4. Report — The auditor will then draft a report on compliance or, if you are self attesting, you will use the template on the PCI SSC website to attest to your own PCI DSS compliance.  You can then use an attestation of compliance to share your PCI DSS compliance to customers or requesting agencies.

Complying with PCI DSS’s technical and operational requirements can help mitigate  vulnerabilities and protect cardholder data and/or sensitive authentication data wherever it is processed, stored or transmitted. Let’s dive into these requirements below.

The 12 PCI DSS requirements

The PCI DSS standard includes 6 objectives and 12 principal requirements with sub requirements specifically stating which controls need to be in place. The requirements are a mix  of technical and operational controls designed to protect account data.

Each PCI compliance requirement maps to one of six specific objectives, which are:

Each requirement maps to one of six specific PCI DSS goals, which are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

. The objectives and requirements are listed in the image below.

When a business can attest that all requirements that are applicable to their environment  are met, they are considered PCI compliant.

Below is a brief overview of each requirement.

1. Install and Maintain Network Security Controls 

Organizations must establish and maintain network security controls (NSCs) to control traffic within their network — the cardholder data environment (CDE) in particular— and to protect their systems and data from exposure to untrusted networks like the Internet. Previously, organizations mostly relied on physical firewalls to prevent unauthorized access. Now, they use virtual devices, cloud access controls, virtualization/container systems, routers configured with access control lists, and other software-defined networking technology in addition to firewalls.

2. Apply Secure Configurations to All System Components

Since malicious individuals often use default passwords and other vendor default settings to compromise systems, organizations must apply secure configurations to all system components to reduce the risk that these individuals pose. This means:

  • changing default passwords
  • removing unnecessary software, functions, and accounts
  • disabling or removing unnecessary services

3. Protect Stored Account Data

Organizations must protect stored account data by implementing strong protection methods such as encryption, truncation, masking, and hashing. Data retention and disposal policies should also be in place to minimize storage duration and securely remove data that is no longer needed.

4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targeted by malicious individuals to gain privileged access to cardholder data environments. To protect against compromise, organizations must use strong encryption protocols during transmission of cardholder data over open, public networks.

5. Protect All Systems and Networks from Malicious Software

It is critical that organizations use anti-malware solutions to protect systems from all types of malware, such as:

  • viruses
  • worms
  • Trojans
  • spyware
  • ransomware
  • keyloggers
  • rootkits
  • malicious code, scripts, and links

Regular updates and scans must be conducted to ensure the systems remain protected against current and evolving threats.

6. Develop and Maintain Secure Systems and Software

Malicious individuals can also use security vulnerabilities to gain privileged access to systems.

To reduce this risk, organizations must develop and maintain secure systems and software by following secure coding guidelines and conducting regular security reviews. This includes applying vendor provided security patches promptly to address vulnerabilities.

7. Restrict Access to System Components and Cardholder Data by Business Need to Know

Hackers may exploit ineffective access control rules and definitions to gain unauthorized access to critical data or systems.

Organizations must put systems and processes in place to limit access to systems, application, and data based on the principles of least privilege and need to know. That means individuals should have the minimum level of privileges and access to the least amount of data needed to perform their job.

8. Identify Users and Authenticate Access to System Components

Organizations must implement strong access control measures to ensure that only authorized individuals can access system components. This includes using multi-factor authentication and unique IDs for all users, removing or disabling inactive user accounts, and setting password requirements.

9. Restrict Physical Access to Cardholder Data

Physical access to cardholder data or systems that store, process, or transmit cardholder data must be restricted to prevent unauthorized access. This involves securing physical locations where data is stored and ensuring that access is granted only to authorized personnel.

10. Log and Monitor All Access to System Components and Cardholder Data

Comprehensive logging and monitoring of all access to system components and cardholder data must be in place to prevent, detect, or minimize the impact of a data compromise. Logs should be reviewed regularly to detect and respond to unauthorized access or anomalies.

11. Test Security of Systems and Networks Regularly

Vulnerabilities are continuously being discovered by malicious individuals and introduced by new software. Organizations must regularly test security systems, processes, and software through vulnerability assessments, penetration testing, and other security testing methods to ensure security controls are effective in a changing environment and to identify and address any new vulnerabilities.

12. Support Information Security with Organizational Policies and Programs

A strong information security program supported by organizational policies is crucial for ensuring that all personnel are aware of the sensitivity of cardholder data and their responsibilities for protecting it. This requires organizations to:

  • maintain information security and acceptable use policies
  • identify, assess, and manage risks to the cardholder data environment
  • conduct regular training and awareness programs for employees
  • manage third-party risks

PCI DSS compliance checklist

We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance. 

PCI DSS compliance checklist

Requirement 1

Install and maintain network security controls

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Implementation requirements:

Requirement 2

Apply secure configurations to all system components

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Implementation requirements:

Requirement 3

Protect stored account data

Goal: Protect account data

Policy and process requirements:

Implementation requirements:

Requirement 4

Protect cardholder data with strong cryptography during transmission over open, public networks

Goal: Protect account data

Policy and process requirements:

Implementation requirements:

Requirement 5

Protect all systems and networks from malicious software

Goal: Maintain a vulnerability management program

Policy and process requirements:

Implementation requirements:

Requirement 6

Develop and maintain secure systems and software

Goal: Maintain a vulnerability management program

Policy and process requirements:

Implementation requirements:

Requirement 7

Restrict access to system components and cardholder data by business need to know

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 8

Identify users and authenticate access to system components

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 9

Restrict physical access to cardholder data

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 10

Log and monitor all access to system components and cardholder data

Goal: Regularly monitor and test networks

Policy and process requirements:

Implementation requirements:

Requirement 11

Test security systems and networks regularly

Goal: Regularly monitor and test networks

Policy and process requirements:

Implementation requirements:

Requirement 12

Support information security with organizational policies and programs

Goal: Maintain an information security policy

Policy and process requirements:

Implementation requirements:

For a tangible copy of the above checklist, you can download our PCI compliance checklist PDF below. 

PCI compliance checklist

This step-by-step checklist will walk you through the process of preparing for PCI DSS compliance.

Additional requirements for service providers and issuers

There are additional requirements specifically for service providers and issuers that we may not have covered in our checklist above. To see a full list of everything required of you, visit the official PCI Security Standards website.

How Secureframe can help simplify the PCI DSS compliance process

If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone. 

Secureframe has PCI experts who can help you at every step. 

As a Secureframe customer, you can reach out to your compliance manager to have an in-depth discussion about your current environment and scope to help determine exactly which controls are applicable to you and how you can implement them within your environment in order to meet the latest version of PCI DSS.

You can then use the Secureframe platform to assign owners to tasks, controls, and reviews, manage the completion of security awareness training and policy acceptance, complete your risk assessment, and remediate automated tests with the support of our compliance managers. Secureframe compliance managers can also help perform a readiness assessment with you prior to your audit so you can be confident in your PCI DSS v 4.0.1 compliance before your auditor performs the actual assessment.

Finally, you can select one of our partner QSAs to perform fieldwork directly within the platform.

Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.

FAQs

What is PCI DSS compliance checklist?

A PCI DSS compliance checklist is a tool designed to help an organization evaluate its compliance with the PCI DSS framework and ensure it has completed the essential steps to prepare for a successful audit. Using the checklist, organizations can check off the boxes to visualize their level of audit readiness and quickly identify any gaps they need to remediate before undergoing an audit.

What are the steps for PCI DSS compliance?

The steps for PCI DSS compliance include implementing controls to meet the 12 requirements of PCI DSS, which specify the framework for a secure payments environment, and completing either a full report on compliance or self-assessment questionnaire to assess whether your controls meet the 12 requirements. During a readiness assessment or the assessment itself, a QSA may document any gaps in your controls and provide a list of remediation items. The PCI DSS compliance process can therefore be broken down in three essential steps: Assess, Repair and Report.

What is the first step of PCI DSS compliance?

The first step of PCI DSS compliance is determining which level of compliance you need. This depends on whether you're a merchant or service provider and a few other factors, including the size of your organization, number of annual credit card transactions, and requirements from your customers or acquiring bank. Once you've determined the PCI DSS level you fall under, you can put policies, procedures, and controls in place in order to meet the 12 requirements.

Who administers PCI DSS?

PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.