PCI Compliance Checklist: How to Achieve Compliance in 2022
June 02, 2022
A quick scan of the PCI DSS’s 300+ controls, 12 requirements, and six control objectives will make one thing abundantly clear: PCI compliance is no walk in the park.
To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps.
Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process.
Let’s dive in.
Quick review: What’s PCI compliance?
PCI DSS (or just PCI) is mandated by major credit card companies to standardize the protection of cardholder data. PCI provides clear guidelines for how to capture, process, and store sensitive cardholder information.
PCI compliance is required for any company that accepts credit card payments. PCI also applies to any organization that can impact the security of payment card transactions.
There are different levels of compliance that correspond with how many card transactions you handle over the course of a year. The more card transactions you process, the more rigorous your PCI compliance audit process will be.
The PCI DSS standard includes 12 requirements with instructions for meeting compliance. The requirements cover technical and operational must-haves, such as installing firewalls and restricting physical access to cardholder data.
Each requirement maps to one of six specific PCI DSS goals, which are:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
When a business can prove that all six goals and all 12 requirements are met, it is considered PCI compliant.
PCI DSS compliance checklist
We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance.
Our checklist is in accordance with PCI v3.2.1, which is the current version of PCI DSS.
For context, the PCI Security Standards Council (PCI SSC) has released a new version of the standard, PCI DSS v4.0, which is set to become effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025.
We’ll cover PCI v4.0 and the updates that come with it in an upcoming blog post.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Goal: Build and maintain a secure network and systems
Policy and process requirements:
Implementation requirements:
Requirement 2: Eliminate vendor defaults for passwords and other security parameters
Goal: Build and maintain a secure network and systems
Policy and process requirements:
Implementation requirements:
Requirement 3: Protect stored cardholder data
Goal: Protect cardholder data
Policy and process requirements:
Implementation requirements:
Requirement 4: Encrypt payment data transmission
Goal: Protect cardholder data
Policy and process requirements:
Implementation requirements:
Requirement 5: Protect against malware and regularly update antivirus software
Goal: Maintain a vulnerability management program
Policy and process requirements:
Implementation requirements:
Requirement 6: Establish secure systems and applications
Goal: Maintain a vulnerability management program
Policy and process requirements:
Implementation requirements:
Requirement 7: Restrict cardholder data access
Goal: Implement strong access control measures
Policy and process requirements:
Implementation requirements:
Requirement 8: Assign unique user IDs and passwords
Goal: Implement strong access control measures
Policy and process requirements:
Implementation requirements:
Requirement 9: Restrict physical access to cardholder data
Goal: Implement strong access control measures
Policy and process requirements:
Implementation requirements:
Requirement 10: Track and monitor network access
Goal: Regularly monitor and test networks
Policy and process requirements:
Implementation requirements:
Requirement 11: Test security systems and processes
Goal: Regularly monitor and test networks
Policy and process requirements:
Implementation requirements:
Requirement 12: Establish and maintain an information security policy
Goal: Maintain an information security policy
Policy and process requirements:
Implementation requirements:
For a tangible copy of the above checklist, you can download our PCI compliance checklist PDF below.
Additional requirements for service providers and issuers
There are additional requirements specifically for service providers and issuers that we may not have covered in our checklist above. To see a full list of everything required of you, visit the official PCI Security Standards website.
The transition to PCI DSS v4.0 will take place over several years, giving businesses plenty of time to familiarize themselves with the new requirements and to implement them within their PCI processes.
In the meantime, PCI v3.2.1 will continue to be accepted for proving compliance with the standard.
How Secureframe can help simplify the PCI DSS compliance process
If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone.
Secureframe has PCI experts who can help you at every step.
They can also help you build PCI policies that comply with the standard. Considering the number of policies needed for PCI compliance, this is a significant lift off your team's shoulders. Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.