PCI Compliance Checklist: How to Achieve Compliance in 2023

  • June 02, 2022

A quick scan of the PCI DSS's hundreds of sub-requirements, grouped into 12 requirements and six control objectives, makes one thing abundantly clear: PCI compliance is no walk in the park. 

To make the process a little easier, we’ve created a checklist that goes through each of the 12 requirements and highlights key policy, process, and implementation steps. 

Our checklist will help you tick off as many of these to-dos as possible before you begin the formal PCI DSS compliance process. 

Let’s dive in.

Quick review: What’s PCI compliance?

PCI DSS (often shortened to PCI) is a standard maintained by the PCI Security Standards Council, which the major card brands founded and whose rules they mandate, to standardize the protection of cardholder data. It sets out requirements for how cardholder data may be captured, processed, transmitted, and stored.  

PCI compliance is required of any organization that stores, processes, or transmits cardholder data, which includes every business that accepts card payments. It also applies to service providers whose systems can affect the security of payment card transactions. 

There are several compliance levels, determined mainly by how many card transactions you handle per year. The higher your volume, the more rigorous the validation: the largest merchants and service providers generally need an annual onsite assessment by a Qualified Security Assessor (QSA), while lower-volume organizations can usually self-assess. 

The 12 PCI DSS requirements

The PCI DSS standard includes 12 requirements, each broken into testable sub-requirements. They cover technical and operational must-haves, such as firewalling the cardholder data environment and restricting physical access to cardholder data. The requirement titles below follow PCI DSS v3.2.1; v4.0, published in March 2022, reorganizes and rewords them (requirement 1, for example, becomes "Install and maintain network security controls") and becomes the only valid version after March 31, 2024, so check which version your assessment will be conducted against. 

Each requirement maps to one of six specific PCI DSS goals, which are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

When a business can demonstrate to its assessor or acquirer that all 12 requirements, and therefore all six goals, are met, it is considered PCI compliant.

PCI DSS compliance checklist

We’ve created an interactive checklist to help you get started on your compliance journey. While our checklist is not exhaustive, it provides a foundational starting point when preparing for PCI DSS compliance. 

Requirement 1

Install and maintain a firewall configuration to protect cardholder data

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Implementation requirements:

Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Build and maintain a secure network and systems

Policy and process requirements:

Implementation requirements:

Requirement 3

Protect stored cardholder data

Goal: Protect cardholder data

Policy and process requirements:

Implementation requirements:

Requirement 4

Encrypt transmission of cardholder data across open, public networks

Goal: Protect cardholder data

Policy and process requirements:

Implementation requirements:

Requirement 5

Protect all systems against malware and regularly update anti-virus software or programs

Goal: Maintain a vulnerability management program

Policy and process requirements:

Implementation requirements:

Requirement 6

Develop and maintain secure systems and applications

Goal: Maintain a vulnerability management program

Policy and process requirements:

Implementation requirements:

Requirement 7

Restrict access to cardholder data by business need to know

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 8

Identify and authenticate access to system components

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 9

Restrict physical access to cardholder data

Goal: Implement strong access control measures

Policy and process requirements:

Implementation requirements:

Requirement 10

Track and monitor all access to network resources and cardholder data

Goal: Regularly monitor and test networks

Policy and process requirements:

Implementation requirements:
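As an added example, not part of the original page or of Secureframe's product, the following Python shows what this requirement asks for at the level of a single log entry. PCI DSS v3.2.1 requirement 10.3 lists six things every audit trail record must capture, and the code both emits records in that shape and audits existing JSON log lines for the fields they lack. The field names and the sample log lines are constructed for illustration.

```python
from __future__ import annotations

import json
from datetime import datetime, timezone

# Fields PCI DSS v3.2.1 requirement 10.3 says every audit trail entry
# must record, keyed by the JSON names this example chooses to use.
REQUIRED_FIELDS = (
    "user",       # 10.3.1 user identification
    "event",      # 10.3.2 type of event
    "timestamp",  # 10.3.3 date and time
    "result",     # 10.3.4 success or failure indication
    "origin",     # 10.3.5 origination of event, e.g. source address
    "target",     # 10.3.6 identity of affected data, component or resource
)


def audit_event(user: str, event: str, result: str, origin: str, target: str,
                when: datetime | None = None) -> str:
    """Serialize one audit record as a JSON line carrying every 10.3 field."""
    when = when or datetime.now(timezone.utc)
    record = {
        "user": user,
        "event": event,
        "timestamp": when.isoformat(timespec="seconds"),  # UTC, ISO 8601
        "result": result,
        "origin": origin,
        "target": target,
    }
    return json.dumps(record, sort_keys=True)


def missing_fields(line: str) -> list[str]:
    """Return the 10.3 fields that are absent or empty in one JSON log line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)   # unparseable: nothing can be relied on
    if not isinstance(rec, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def audit_gaps(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to their missing fields; compliant lines are omitted."""
    return {n: gaps for n, line in enumerate(lines, 1) if (gaps := missing_fields(line))}


# Constructed sample log (not real data): one complete record, one from an
# application that omits who acted, whether it succeeded, from where and on
# what, and one unstructured syslog-style line.
SAMPLE_LOG = [
    audit_event("alice", "cde.db.read", "success", "10.0.4.12", "cards.pan_vault",
                when=datetime(2023, 3, 1, 9, 15, 0, tzinfo=timezone.utc)),
    '{"event": "admin.login", "timestamp": "2023-03-01T09:16:02+00:00"}',
    "Mar  1 09:16:05 app01 payment-api: request handled",
]


if __name__ == "__main__":
    for n, gaps in audit_gaps(SAMPLE_LOG).items():
        print(f"line {n}: missing {', '.join(gaps)}")
```

Point the gap check at a sample from each log source in the cardholder data environment; the sources that fail are the ones an assessor will flag, and the fix is usually in the application's logging call rather than in the collector. Keep clocks synchronized and ship the lines to a central store that the originating host cannot modify, otherwise well-formed records still do not satisfy the requirement.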

Requirement 11

Regularly test security systems and processes

Goal: Regularly monitor and test networks

Policy and process requirements:

Implementation requirements:

Requirement 12

Maintain a policy that addresses information security for all personnel

Goal: Maintain an information security policy

Policy and process requirements:

Implementation requirements:

Additional requirements for service providers and issuers

There are additional requirements that apply specifically to service providers and issuers (for example, the Appendix A1 requirements for shared hosting providers) that our checklist above does not cover. To see the full list of everything required of you, consult the standard itself on the official PCI Security Standards Council website.

How Secureframe can help simplify the PCI DSS compliance process

If the checklist above looks daunting, know that you don’t have to go through the PCI compliance process alone. 

Secureframe has PCI experts who can help you at every step. 

They can also help you build PCI policies that comply with the standard. Considering the number of policies needed for PCI compliance, this is a significant lift off your team's shoulders. Request a demo to learn more about how our compliance automation platform can streamline the PCI compliance process.

FAQs

What is a PCI DSS compliance checklist?

A PCI DSS compliance checklist is a tool designed to help an organization evaluate its compliance with the PCI DSS framework and ensure it has completed the essential steps to prepare for a successful audit. Using the checklist, organizations can check off the boxes to visualize their level of audit readiness and quickly identify any gaps they need to remediate before undergoing an audit.

What are the steps for PCI DSS compliance?

The steps for PCI DSS compliance include implementing controls to meet the 12 requirements of PCI DSS, which specify the framework for a secure payments environment, and then validating those controls through either a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ), depending on your compliance level. During a readiness assessment or the assessment itself, a QSA may document gaps in your controls and provide a list of remediation items. The PCI DSS compliance process can therefore be broken down into three essential steps: assess, remediate, and report.

What is the first step of PCI DSS compliance?

The first step of PCI DSS compliance is determining which compliance level you fall under and therefore which validation method applies. This depends on whether you're a merchant or a service provider and on a few other factors, including your annual card transaction volume and requirements from your customers or acquiring bank. Once you've determined your level, confirm the scope of your cardholder data environment, then put policies, procedures, and controls in place to meet the 12 requirements.