PCI DSS checklist: 12 requirements

PCI DSS Compliance Checklist: 12 Requirements Explained

Robyn Ferreira

Compliance Success Manager

Let’s cut to the chase; at first glance (even after a dozen glances), PCI DSS compliance is no easy feat. With an overwhelming recipe of 300+ security controls, 12 requirements from six control objectives, businesses are understandably cautious and confused. 

So, to alleviate some of the complexities associated with the mammoth task, we’ve created an all-you-can-read compliance checklist, complete with everything you need to know about the twelve PCI DSS requirements, the critical policies, processes and implementation steps. 

But first things first, let’s have a quick overview of what PCI DSS compliance is in the first place. 

What is PCI DSS compliance?

Understanding PCI DSS compliance is a whole lot easier when you start by focusing on what it’s protecting. Every inch of the security standard is geared toward protecting consumers’ cardholder data. This includes the primary account number (PAN), cardholder name, expiration date, service code, and sensitive authentication data. PCI DSS defines required standards for securing and protecting this data. Hence, the name “The Payment Card Industry Data Security Standard.” Naturally, such critical data and its safety can’t be left open to interpretation regarding how to best safeguard it. Hence, the need to ensure a baseline level of protection for businesses and consumers in the digital age. 

It’s important to note that PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. This standard ensures comprehensive data security across the entire payment processing lifecycle.

The PCI DSS is administered and managed by The PCI Security Standards Council (PCI SSC), an independent body that was created by the five major credit card companies (Visa, Mastercard, American Express, Discover and JCB). 

Speaking of compliance, the most logical next concern is whether or not your small business falls within the scope of compliance. In short, yes – but fortunately, different requirements apply to different companies.  

Who needs PCI DSS compliance? 

PCI DSS compliance recognizes that different types of companies will naturally face different risks. Therefore, four designated merchant levels determine your PCI DSS compliance requirements. For example, small businesses that have a low-risk profile or run credit cards through payment apps may classify as Level 4 merchants. In these cases, vendors and merchants must submit a self-assessment questionnaire (signed by senior management) to their payment processor and undergo quarterly network scans by approved scanning vendors. Unfortunately, this is as simple as it gets. 

Larger retailers and organizations are held to far more complex requirements and must prove that they have adequately met all twelve security standards of PCI DSS compliance. But your word isn’t good enough, and you must obtain proof of compliance from a third-party auditor called a Qualified Security Assessor.

Your merchant level and compliance requirements are classified as follows: 

| Merchant level | Who | Requirements |
|---|---|---|
| Level 1 | Merchants who have had previous security/data breaches. Merchants with a 6 million transaction threshold per year (across all channels). | Undergo annual 3rd-party audits. Receive annual network scans via an approved scanning vendor. Receive an Attestation of Compliance (AoC) and a Report on Compliance (RoC). |
| Level 2 | Businesses with between 1 million and 6 million annual transactions across all channels. | Complete a SAQ signed off by senior management and conduct quarterly network scans. |
| Level 3 | Merchants with between 20,000 and 1 million annual online transactions. | Complete a SAQ signed off by senior management and conduct quarterly network scans. |
| Level 4 | Merchants with fewer than 20,000 annual online transactions. Merchants that process up to 1 million annual in-person transactions. | Complete a SAQ signed off by senior management and conduct quarterly network scans. |

PCI DSS checklist: Introduction to the 12 requirements

To achieve PCI DSS compliance you must meet the twelve requirements. These 12 requirements aren’t randomly selected to test your business’s ability to decipher tech jargon – although it may feel as if that’s the case. The 12 requirements all work together to meet the six overarching core security goals. These six control objectives are: 

  • Establish and maintain a secure network
  • Protect your clients’ cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Continuously monitor and test networks
  • Maintain an information security policy

A level one merchant must prove that they meet all 12 requirements, and subsequently meet the six core control objectives in order to be considered compliant by a Qualified Security Assessor.

The 12 requirements to PCI DSS compliance

Being aware that your business needs to implement the 12 PCI DSS requirements only gets you so far, which is to say not very far in terms of security or compliance. So the next step is to know what these requirements are and how to implement them in a way that helps you stay compliant and follow security and industry best practices. Fortunately, the 12 PCI DSS requirements closely align with security best practices and can be implemented in a step-by-step approach.

When implementing the 12 requirements, it’s beneficial to detail specific control measures. For instance, under Requirement 4, which focuses on the encryption of cardholder data transmissions, organizations should employ strong encryption protocols such as TLS (Transport Layer Security). This ensures that any data transmitted across public networks is adequately protected against interception or eavesdropping.

Here’s a look at the 12 PCI DSS requirements:

Step 1: Configure and maintain a secure firewall

A firewall is a network’s first line of defense, so naturally, it’s the first step towards PCI DSS compliance. It protects cardholder data and prevents unauthorized access across connections like e-commerce platforms, emails or the internet. But simply installing a firewall is not enough. To maintain a secure firewall, your business needs to: 

  • Configure and standardize firewall and router rules and criteria
  • Standardize the process for restricting network access
  • Review firewall rules and procedures every six months.

Additionally, it’s crucial to have a formal process for approving and testing all network connections and changes to firewall and router configurations, ensuring they are secure against known vulnerabilities.

Step 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI DSS requirement two takes one look at default passwords and security parameters and clearly states that it’s not only risky but unacceptable. Organizations must avoid default passwords, usernames and additional security parameters. This includes all operating systems, security software, application and system accounts and point-of-sale (POS) terminals. Merchants who use default passwords are highly targeted as most of these default security passwords are readily available, even through a basic Google search. 

Step 3: Protect stored cardholder data

If your organization stores cardholder data, you open the floodgates to various security risks. PCI DSS standards request that businesses only store data when absolutely necessary, preferably not at all. However, requirement three determines guidelines to best protect data if data is stored. This includes: 

  • Implementing robust security mechanisms (encryption, truncation, masking, and hashing).
  • Ensuring that no sensitive authentication data is being held without your knowledge.
  • Verifying that PAN is unreadable if stored and masked when displayed.
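
One way to check the last two points in practice, as an added example that is not part of the original article: the Python sketch below scans text for 13 to 19 digit sequences, confirms candidates with the Luhn checksum, and masks each hit. The log lines are constructed, the card numbers are well-known test values, and showing only the first six and last four digits is this example's choice of mask.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line):
    """Return (line with Luhn-valid PANs masked, number of PANs found)."""
    hits = 0
    def _sub(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # e.g. an order or tracking number
        hits += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_sub, line), hits

def scan(lines):
    """Return [(line_number, redacted_line)] for lines that held a clear-text PAN."""
    findings = []
    for number, line in enumerate(lines, 1):
        redacted, hits = redact_line(line)
        if hits:
            findings.append((number, redacted))
    return findings

# Constructed sample log; the card numbers are public test values.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=1001 card=4111111111111111 status=ok",
    "2024-05-01 12:00:02 order=1002 card=4111 1111 1111 1112 status=declined",
    "2024-05-01 12:00:03 order=1003 tracking=1234567890123456 status=shipped",
    "2024-05-01 12:00:04 order=1004 card=5500-0000-0000-0004 status=ok",
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

The Luhn check keeps the false-positive rate down on order and tracking numbers, but a hit still needs human review before a system is ruled in or out of scope.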

Step 4: Use encryption tools while transferring data

Without proper encryption, your cardholder data has a big red target on its back when transmitted over open and unencrypted public networks. This technical security requirement homes in on the way you transfer data and requires organizations to:

  • Identify all areas where cardholder data is sent over public networks. In these cases, implement and verify strong encryption tools.
  • Never send PANs or other cardholder data using unencrypted messaging platforms.
  • Render all PAN data unreadable or secured via strong cryptography.

Emphasis should also be placed on using strong encryption methods to protect stored cardholder data, aligning with specific encryption standards recommended by PCI DSS for enhanced security.

Step 5: Regularly update anti-virus software or programs

Securing your network without an anti-virus is similar to closing up shop but leaving the door unlocked. Organizations must implement and regularly update anti-virus software to detect, remove, and protect against all known malware. Responsibilities also include: 

  • Keeping your anti-virus updated and running periodic scans
  • Ensuring that no user on any system can disable your anti-virus
  • Maintaining audit logs
  • Staying updated on current malware trends and threats

Step 6: Create and maintain secure systems and applications

Complacency is one of the core reasons organizations become non-compliant, sometimes without knowing it. That’s why requirement six expects you to do due diligence in terms of not only creating a secure system but also maintaining it. Responsibilities to meet requirement six include: 

  • Verify that all your software is developed in alignment with PCI industry standards throughout the entire development lifecycle. 
  • Install regular security patches against new vulnerabilities.
  • Roll out regular updates to protect your systems.
  • Install vendor security patches.

An essential aspect of maintaining secure systems and applications is the continuous application of updates and security patches. This is particularly crucial for software and operating systems that are part of the cardholder data environment, including point-of-sale (POS) systems. Regular updates ensure that systems are protected against newly discovered vulnerabilities and threats, which is a critical component of maintaining PCI DSS compliance.

Step 7: Follow a need-to-know business approach when managing data access

Naturally, to mitigate risk, access to cardholder data should not be granted unless absolutely required. Therefore, requirement seven expects you to review all access to data and create a written policy to define data privileges relevant to specific job titles and responsibilities. Reviewing access privileges regularly and following a need-to-know approach to reduce the risk of data misuse or violations is critical.

Step 8: Assign a unique ID to each person with computer access

Although this may seem like infosec 101, it’s still important to lay the groundwork for PCI DSS compliance regarding IDs, usernames and passwords. To be PCI DSS compliant, each individual with access to cardholder data must have a unique identification and password. Moreover, any changes in authentication credentials must be managed and controlled. This includes tracking and documenting all new users and terminating and removing all access from previous users. Additional ID requirements for PCI DSS compliance include: 

  • Disable accounts that have been inactive for 90 days or more
  • Review and update all passwords every 90 days
  • Vendor-supplied defaults will not be allowed (see step 2)
  • Encrypt all passwords during transmission and storage
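
The unique-ID and 90-day rules above can be checked mechanically against an identity export. The Python sketch below is an added example, not part of the original article; the CSV layout, column names and account rows are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

LIMIT = timedelta(days=90)  # the 90-day thresholds from the list above

# Constructed identity export: one row per login. "owners" lists the people
# who use that login, separated by ";".
EXPORT = """login,owners,enabled,last_login,password_changed
asmith,Alice Smith,yes,2024-06-20,2024-05-15
bjones,Bob Jones,yes,2024-02-01,2024-01-10
posadmin,Carol Diaz;Dan Wu,yes,2024-06-25,2024-06-01
elee,Erin Lee,no,2023-11-30,2023-11-01
"""

def audit(export_text, today):
    """Return {login: [issues]} for accounts that break the Step 8 rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        # Each person needs their own ID, so a login with several owners is shared.
        if len(row["owners"].split(";")) > 1:
            issues.append("shared ID")
        # Disabled accounts cannot log in, so the age checks only apply to enabled ones.
        if row["enabled"] == "yes":
            if today - date.fromisoformat(row["last_login"]) >= LIMIT:
                issues.append("inactive 90+ days but still enabled")
            if today - date.fromisoformat(row["password_changed"]) > LIMIT:
                issues.append("password older than 90 days")
        if issues:
            findings[row["login"]] = issues
    return findings

if __name__ == "__main__":
    for login, issues in audit(EXPORT, date(2024, 7, 1)).items():
        print(login, "->", "; ".join(issues))
```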

Step 9: Restrict physical access to cardholder data

Business in the digital age is fast moving away from having to restrict physical access to data. But it’s important to know that data doesn’t only live in the cloud. Cardholder data is also stored in physical locations such as your server, computer room or data center. Requirement 9 expects organizations to restrict access to physical areas where cardholder data may live. This includes:

  • Access and security controls to facilities to limit and monitor physical access to systems (badge readers and key-controlled locks)
  • Implementing automatic server locking and timeout systems
  • Visitor security programs such as the use of visitor authorization, visitor badges, or visitor logs

Step 10: Track and monitor access to network resources and cardholder data

In the event of a security breach or data violation, your organization must be able to track activity to determine and troubleshoot the root cause. However, this is a challenging task without proper logging mechanisms in place. Requirement 10 expects organizations to track and log all access over their network and devices where cardholder data is stored, processed and transmitted. Activities to audit include: 

  • All individual access to cardholder data.
  • All invalid access attempts.
  • Access to audit logs.
  • Audit all account changes, including new additions, user removals and access privileges.

In addition, all audit logs must be verified and retained: three months must be immediately available, and one year must be archived.

Step 11: Test your security systems and processes

Once you’ve set up a secure network and system, you must keep it that way. Requirement 11 expects organizations to regularly test their systems to keep up with the ever-changing security landscape. Within this requirement, your to-do list will include the following:

  • Conducting quarterly vulnerability scans by an approved scanning vendor
  • Conducting annual penetration tests
  • Performing bi-annual segmentation tests (service providers)
  • Routinely checking for any unauthorized wireless access points

Step 12: Create and maintain an information security policy

Organizations are required to create and maintain a firm information security policy. In practice, implementing a compliant security policy involves creating and documenting a manifesto that contains everything needed to execute due diligence and maintain a robust security posture. This includes:

  • Assigning official roles and information security responsibilities to employees.
  • Frequent security awareness training and programs
  • Regular incident response plans
  • Established risk assessment processes

This policy should also include a well-documented incident response plan that is regularly tested. Additionally, regular employee training and awareness programs are essential in maintaining PCI DSS compliance.

The future of PCI DSS compliance

Simplify your PCI DSS compliance with automated smooth sailing. At Scytale, we know if you put in the work (albeit months later), you might be able to achieve PCI DSS compliance, but the anxiety of technical controls, complex processes and detailed tasks can make you lose your mind. 

Remember, PCI DSS requirements are not static; they evolve to address new and emerging threats. Businesses need to stay informed about these changes and regularly assess their compliance. Regular self-assessments or engagement with a Qualified Security Assessor (QSA) are advisable to ensure ongoing compliance.

Rather than stress about how to accept, process, store or transmit cardholder information, get everything you need to get PCI DSS compliant in one place and 90% faster.   

Shatterproof your security compliance with Scytale superheroes in your corner. 
