In This Article

What is PCI Compliance? The 12 Requirements and Checklist

Philip Robinson
| Read Time 11 min read| Updated On - June 25, 2024

PCI Compliance Checklist

As the acronym would suggest, the Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards for the payment card industry, which is maintained by the PCI Security Standards Council (PCI SSC). There are 12 core requirements for any complete PCI DSS checklist, and these are explained below.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set of security standards aimed at ensuring companies are adequately protecting payment card information whilst it’s being stored, transmitted, or processed. The PCI DSS was developed by the Payment Card Industry Security Standards Council (PCI SSC), which was founded and made up of several major players in the payment industry; including Visa, MasterCard, American Express, Discover and JCB.

PCI compliance aims to ensure that companies protect the cardholder data of their customers from theft, breaches, misuse, and fraud. It aims to do this by providing a framework that companies can use that cover various aspects of security, including firewalls, data encryption, antivirus, and implementation of data governance practices. PCI DSS also provides guidance for security testing and monitoring, and the implementation of proper security policies.

PCI DSS is not a one time event, it’s an ongoing process that involves regular assessments and audits. Depending on the volume of card payments that your company handles, you may be required to submit to a specific level of compliance validation, of which there are several. Lager organizations might need on-site assessments conducted on an annual basis by Qualified Security Assessors (QSAs), whereas smaller companies might be able to get away with a self-assessment questionnaire.

Non-compliance with PCI DSS can be devastating to companies. Large fines, or increased transaction fees can be crippling to everyday business. In some cases, non-compliance could even lead to the loss of the ability to process credit card payments altogether.

Why is PCI DSS Compliance Necessary?

PCI compliance is important for entities that handle electronic payments to reduce costs, increase efficiency and improve the accuracy of transactions. Being PCI compliant protects cardholder data, helps prevent attacks, and increases confidence in using card payments. Non-compliance can lead to penalties, service suspension and financial losses for the non-compliant

What level of PCI applies to you?

PCI Compliance comes in four different levels based on the number of credit card transactions you have per year.

Merchant Level Applicable to
PCI Compliance Level 1 Sellers that process over 6 million Visa or MasterCard transactions per year
PCI Compliance Level 2 Sellers that process 1 million to 6 million Visa or MasterCard transactions per year
PCI Compliance Level 3 Sellers that process 20,000 to 1 million Visa or MasterCard transactions per year
PCI Compliance Level 4 Sellers that process lesser than 20,000 Visa or MasterCard transactions per year

Consequences of Failing a PCI Audit

  • Lost confidence which forces customers to go to other merchants
  • Diminished sales
  • Fraud losses
  • Fines and penalties
  • Lost jobs
  • Going out of business
  • Legal costs, settlements, and judgments

12 Requirements and Checklist for PCI Compliance

Below is a detailed PCI compliance checklist that should help you improve the accuracy and speed of your PCI compliance audits and reports:

1. Install and maintain a firewall

Properly configure your firewall and routers to protect your payment card data. Establish rules and standards for your firewall and routers to determine the type of network traffic that is permissible.

2. Implement a strong password policy

To gain access to an internal network, hackers often resort to trying default password combinations which are widely known for most hardware devices and network services. If these passwords are not changed, it becomes easy for them to enter the system without the need for any sophisticated hacking techniques. Therefore, it is crucial to change the default credentials of any system before deploying it on the network and have custom configuration standards for all system components.

As part of this requirement, it is essential to implement a strong password policy. No PCI compliance checklist is complete without adhering to detailed password requirements. To meet PCI DSS compliance standards, passwords must be the following:

  • Passwords must have a minimum length of seven characters.
  • Passwords must contain both numbers and alphabetic characters.
  • Users must change their passwords at least every 90 days.
  • Passwords must be unique to each user and changed after the first use.
  • New passwords must differ from the previous four passwords.
  • Accounts must be locked when a user enters the wrong password after six attempts.
  • Once a user is locked out of their account, they must remain locked out for a minimum of 30 minutes or until a system administrator resets the account.
  • Vendor-supplied default passwords/settings for all servers, devices, and applications must be changed.
  • Passwords must be encrypted, both at rest and in transit.

NOTE: Once PCI DSS v4.0 comes into effect, covered entities may be required to use multi-factor authentication for all accounts that have access to cardholder data.

3. Protect stored cardholder data

Use a data discovery and classification tool to ensure that you know exactly what cardholder data you store, and where it is located. Determine where the data came from and where it will go, e.g. a merchant, payment gateway, or payment processor. Determine who should have access to it and keep track of how cardholder data is accessed and used. Determine how long the cardholder data should be retained. Encrypt all cardholder data, both at rest and in transit. Redact card numbers so that only the first six or last four digits are shown.

4. Maintain secure systems and applications

Keep your antivirus software up-to-date. Ensure that your anti-virus software generates logs that can be scrutinized for anomalies. Ensure that all software applications are patched in a timely manner, which should include any point-of-sale devices, operating systems, and database engines. Consider using an automated patch management solution.

5. Protect against malware

Malicious software can breach your network through various channels, such as email attachments, USB drives, software vulnerabilities, and other means. As a result, PCI DSS mandates that companies have the necessary measures in place to protect against malware. This includes keeping all software (including antivirus software) up-to-date and keeping up to speed with emerging threats.

6. Restrict access to cardholder data

Ensure that access to cardholder data is restricted based on a need-to-know basis. Ensure that your access controls have been clearly documented and that you have protocols in place to grant and revoke access on a time-limited basis.

Ensure that you have the necessary physical security measures in place to protect cardholder data, which includes locks, alarms, ID badges, CCTV cameras, and so on. Recordings and access logs must be kept for a minimum of 90 days. Ensure that you have adequate measures in place to distinguish between employees and visitors.

All portable drives and devices that store, or have access to cardholder data, must be physically guarded and destroyed when they are no longer relevant.

7. Assign a unique ID to each person with computer access

Ensure that each user has their own unique ID, or in other words, a unique username and password. Make sure that users never share login credentials. Use multi-factor authentication where possible.

8. Monitor access to network resources and cardholder data

All relevant network resources and cardholder data must be continuously monitored. Ensure that you have an immutable record of all relevant activity that takes place on your network. This record must be retained, time-synchronized, and maintained for at least one year.

Leverage the best technologies available to monitor network activity, which may include Firewalls, IPS, DLP, and SIEM solutions.

Use a DCAP/UBA solution to monitor access to cardholder data, which will give you insights into who is accessing the data, when, why, how, and from where.

Ensure that all relevant activity is presented in an intuitive format via a centralized dashboard. The displayed information must be sortable and searchable.

9. Test security systems and processes

Schedule activities such as penetration testing and vulnerability scanning, at least annually.

Conduct periodic wireless analyzer scanning on a quarterly basis to identify unauthorized access points.

Use a PCI Approved Scanning Vendor (ASV) to scan external IPs and domains. This should also include quarterly internal vulnerability scans.

You will also need to thoroughly test any applications that consume cardholder data for vulnerabilities.

10. Develop documentation and conduct risk assessments

Develop a comprehensive set of company-wide information security policies and risk assessments. Ensure that your policies/assessments cover employees, managers, business associates, vendors, etc.

Conduct an annual review of your policies. Make sure that all relevant stakeholders are aware of these policies, and have been trained to comply with them.

Have well-documented onboarding procedures. Since you are handling cardholder data, you must be extra vigilant when it comes to carrying out background checks on potential employees

11. Encrypt cardholder data in transit

Ensure that the same level of security standards for storing payment data are also followed when transmitting it. Use encrypted networks to prevent any alterations during the transmission of cardholder data. To encrypt the cardholder’s data in transit, make use of secure cryptography protocols like SSL/TLS. Refrain from storing PANs in non-encrypted text format.

12. Restrict physical access to cardholder data

The final point in our PCI DSS compliance checklist, is that to comply with PCI DSS, organizations must also ensure physical security measures are in place to safeguard their systems. Access to servers containing cardholder data must be restricted using CCTV cameras and electronic monitoring. Measures to enforce strict controls on entry to buildings and server rooms should be implemented. To maintain a physical audit trail, visitor logs should be kept and video surveillance employed. Backups containing sensitive data should be securely stored off-site, and media containing such data should be shredded when no longer required.

How Can Lepide Help You with PCI DSS Compliance?

The Lepide Data Security Platform provides in-depth auditing of your cardholder data, as well as detailed reports that are customized to meet the requirements of PCI DSS. The Lepide Data Security Platform will aggregate event data from multiple platforms, including the most popular cloud platforms, and display a summary of important events via a centralized dashboard.

This will help you determine who is accessing your data, as well as determine who should have access to your data.

The Lepide Data Security Platform can deliver real-time alerts on changes made to any data that falls under PCI DSS, which might include access/changes to payments data, as well as changes to permissions of user accounts that have access to payments data. You can also audit computers that store payment data, to ensure that any changes are authorized and the data is secure.

If you’d like to see how the Lepide Data Security Platform can help you achieve PCI compliance audit, schedule a demo with one of our engineers.

PCI FAQs

What does it mean to be PCI compliant?

Being PCI Compliant indicates that your business is adhering to the data security regulations of the Payment Card Industry (PCI) and has met all the requirements for keeping customer information secure.

Does my e-commerce site need to be PCI compliant?

It is mandatory for e-commerce stores that store credit card information, conduct financial transactions, or accept payments using credit, debit, prepaid cards, or other forms of payment to comply with the PCI DSS regulations. Failure to comply could result in penalties and the loss of customer trust and harm to your business’s reputation.

Am I required by law to become PCI compliant?

While being compliant with the PCI standards is not mandatory under federal law, certain states mandate that e-commerce websites comply with it. It is advisable to gather information about the requirements of your local or regional government to understand how the laws relate to your business. Failing to comply with the PCI DSS standards jeopardizes the ability of merchants to provide payment processor services from their acquirers or acquiring banks.

Is it difficult to become PCI compliant?

PCI DSS holds merchants accountable for maintaining secure networks and systems, safeguarding cardholder data, and enforcing strong access controls. As such, achieving full compliance can be very demanding, and requires a high level of attention to detail.

Which version of PCI DSS should I use?

The current version of PCI DSS is 4.0. Version 3.2.1 will remain operative until 31 March 2024, beyond which it will be phased out. Subsequently, PCI DSS v4.0 will be the only version in use. Any queries regarding compliance, including whether a PCI DSS v3.2.1 report can be submitted after its termination date, must be directed to the entities in charge of the compliance procedures, such as payment brands and acquirers.

Who do I contact about specific PCI reporting requirements?

Each PCI SSC Participating Payment Brand member (American Express, Discover, JCB International, Mastercard, UnionPay, and Visa) has its own programs to ensure the safety of affiliated payment card data. If you require information about compliance programs and reporting requirements, you should contact the payment brands directly. You can find a list of contact details on the official PCI Security Standards website. PCI SSC advises entities to be mindful of any local laws and regulations that could impact the applicability of PCI standards.

Philip Robinson
Philip Robinson

Phil joined Lepide in 2016 after spending most of his career in B2B marketing roles for global organizations. Over the years, Phil has strived to create a brand that is consistent, fun and in keeping with what it’s like to do business with Lepide. Phil leads a large team of marketing professionals that share a common goal; to make Lepide a dominant force in the industry.

Popular Blog Posts