Introduction
In today's retail landscape credit cards are the dominant payment instrument. Businesses worldwide process a combined 1 billion credit card transactions daily, with more consumers choosing to pay by card than ever before.
That volume brings a correspondingly large opportunity for theft and card fraud. Data from the Federal Trade Commission paints a sobering picture: over 65,000 instances of credit card fraud were reported in 2021 alone.
In the realm of online credit card transactions, gaining the confidence of both regulatory bodies and consumers is paramount. This requires an assurance that your processes and infrastructure meet a variety of stringent requirements.
This is where PCI compliance comes in — it’s a critical step for any organization’s product launch, but it can be complex and time-consuming. Going in without a plan can lead to unforeseen setbacks, like failed compliance checks or critical security flaws.
There is no single roadmap to PCI compliance, because every business's environment is different. What you can do is take a structured approach and evaluate each stage of the process deliberately, so that nothing is discovered for the first time during an assessment.
To help, we've put together a checklist. It is meant to guide your organization through examining its core systems, putting essential security controls in place, testing those systems to find and fix weaknesses, and finally demonstrating compliance.

What Is PCI Compliance?
For years, the five major card brands (Visa, Mastercard, American Express, Discover, and JCB International) each ran its own security program to protect its cardholders. As online payments raised the demand for consistent data security and interoperability, the brands jointly published the first PCI Data Security Standard (PCI DSS 1.0) in December 2004 and, in September 2006, formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it.
PCI DSS standardizes the processes used to protect account data, both in transit and at rest: cardholder data such as the primary account number (PAN), cardholder name, expiration date and service code, plus sensitive authentication data such as full track data, card verification codes, and PINs. Compliance is not a U.S. federal legal requirement, but it is a contractual one: the card brands enforce it through the acquiring banks, which will not let a business accept card payments unless it validates compliance.
PCI DSS has been revised several times since 2004. Version 4.0 was released in March 2022, and a limited revision, v4.0.1, followed in June 2024. Version 3.2.1 was retired on March 31, 2024, and the requirements that v4.0 marks as future-dated become mandatory on March 31, 2025.
Levels of PCI Compliance
Different companies have different needs regarding data security. For example, a large enterprise that processes millions of transactions yearly will have more data to protect — and more resources at its disposal — than a mom-and-pop retail business that only processes a few thousand.
Credit card organizations understand this and have defined compliance levels that scale with the number of annual transactions: the more a merchant processes, the stricter the validation it must perform.
Each credit card company sets different thresholds for which level an organization belongs to. The following are Visa’s PCI compliance levels, which can act as a general baseline when seeking compliance from other credit card companies.
- PCI Level 1 Compliance: Any merchant processing more than 6 million Visa transactions per year across all channels, or any merchant Visa designates as Level 1 (for example after a compromise), must meet the most stringent standard by:
- Undergoing an annual on-site assessment and filing a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or a qualified internal auditor (ISA).
- Filing an Attestation of Compliance (AOC) signed by the merchant and the assessor.
- Passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- PCI Level 2 Compliance: Merchants that process 1 million to 6 million Visa transactions per year across all channels must reach this level by:
- Filing an annual self-assessment questionnaire (SAQ), an internal evaluation against the SAQ type that matches how the merchant handles card data.
- Filing an AOC.
- Passing quarterly ASV scans, where applicable.
- PCI Level 3 Compliance: This level is required for merchants that handle 20,000 to 1 million Visa e-commerce transactions per year, and much like Level 2, is reached by:
- Filing an annual SAQ.
- Filing an AOC.
- Passing quarterly ASV scans, where applicable.
- PCI Level 4 Compliance: This least-strict level covers merchants with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year. Validation requirements are set by the acquiring bank, which may:
- Require an annual SAQ (with quarterly ASV scans where applicable); or
- Require an "alternate verification exercise" of its own design.
The Benefits of PCI Compliance
PCI compliance may be a complex process, but it's worth it. Here are just a few benefits available to your organization once it has validated compliance to its acquirer (the PCI SSC itself does not certify or approve individual businesses):
- Continue to take credit card payments: Online payments are a fast and convenient way to accept payments from your customers, no matter where they’re located. Becoming compliant ensures your organization is built to handle these transactions.
- Secure identifiable customer and payment data: The core purpose of achieving PCI compliance is to keep addresses, credit card information, and other critical data out of the hands of malicious actors.
- Raises security policies and standards across your product: Achieving compliance doesn't just improve security on payment processes; the same controls (segmentation, logging, access control, patching) raise your security posture across the business.
- Reduce the likelihood and impact of data breaches: The monitoring, testing, and least-privilege requirements mean intrusions are more likely to be detected early and contained to a small, well-defined environment rather than spreading across the whole network.
Penalties for Failing to Achieve Compliance
Each credit card company has its own rules organizations must agree to in order to process credit card transactions, which include associated penalties for falling out of compliance. Failure to comply with PCI DSS standards can lead to several negative consequences, such as:
- Fines: The card brands set their own monetary penalties for noncompliance, passed down through the acquiring bank; organizations that fail to maintain security standards can face fines of up to $500,000 per incident.
- Loss of ability to process payments: Repeated infractions can result in the revocation of credit card transaction privileges, resulting in an even greater loss of revenue than large one-time fines.
- Common Point of Purchase (CPP) investigation: When card issuers trace a pattern of fraudulent transactions back to cards that were all used at your business, the card brands can designate you a common point of purchase. That typically triggers a forensic investigation by a PCI Forensic Investigator (PFI) at your expense, and Visa can then require you to validate at Level 1 regardless of your transaction volume.
- Lawsuits: Some penalties go beyond those levied by credit card companies. If your organization was found to be negligent in handling sensitive customer information, it may be subject to legal action by affected parties.
- Loss of trust: If your business cannot secure sensitive data, you may miss out on future customers and business opportunities. Data breaches and noncompliance will negatively impact your organization’s reputation and, ultimately, its bottom line.

How to Achieve PCI Compliance
PCI DSS 4.0 lays out the following high-level categories — each one represents core standards for protecting consumer data, as well as building the systems and policies that will keep it safe over the long haul. Each category within PCI DSS 4.0 asks the following questions:
- Build and maintain a secure network and systems: Are network security controls and configurations installed, maintained, and secured?
- Protect account data: Does your organization have policies and protocols that protect consumer data in transit and at rest?
- Maintain a vulnerability management program: Are systems protected from malicious software, and are security vulnerabilities in the software you run and the software you develop identified and fixed promptly?
- Implement strong access control measures: Are employees, contractors, and systems granted only the least privilege they need, is every access to system components authenticated, and is physical access to cardholder data restricted?
- Regularly monitor and test networks: Is your organization regularly logging and monitoring systems access and testing security strength?
- Maintain an information security policy: Have you set security policies that all members of your organization are aware of and have agreed to follow?
These main categories are further subdivided into 12 total requirements, which form the backbone of the PCI DSS compliance process. The following checklist will provide an overview of key elements for each requirement. Be sure to download the PCI DSS 4.0 document from pcisecuritystandards.org for the complete list of requirements.
Once policies and controls are in place, you can apply for approval based on your PCI compliance level. Depending on the size of your business, you may need to perform a self-evaluation or undergo an assessment by a third-party auditor.

PCI Compliance Requirements Checklist
#1: Install and Maintain Network Security Controls
These enforce pre-defined policies and rules that monitor and secure traffic between trusted and untrusted networks, especially when traffic interacts with sensitive areas, such as the cardholder data environment (CDE). These controls can be implemented through physical firewalls, virtual devices, or cloud access controls.
- ☐ Configure network security controls.
Implementation should be properly defined to ensure rules are applied consistently and misconfigurations are avoided. Diagrams of your network environment can help define the boundaries between the CDE and trusted or untrusted networks. Regularly review configurations at least once every six months.
- ☐ Restrict access to cardholder data.
Inbound and outbound traffic to the CDE should be restricted to authorized IP addresses, services, and protocols. Wireless traffic should be denied access by default, only allowing authorized wireless traffic to access the CDE.
- ☐ Control network connections between trusted and untrusted networks.
Implement network security controls between trusted and untrusted networks so that inbound traffic from untrusted networks reaches only the system components authorized to provide publicly accessible services, outbound traffic from the CDE is restricted to what is necessary, and system components that store cardholder data are never directly reachable from untrusted networks. Implement anti-spoofing measures so that packets arriving from an untrusted network with a forged internal source address are dropped.
- ☐ Define and document processes for current and future employees, and keep them up to date.
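As an added illustration (example code written for this checklist, not part of the article or of any DuploCloud product), the following Python models how a network security control enforces the rules above: first-match evaluation with default deny, an explicit deny for the wireless segment, anti-spoofing ahead of the rule table, and an audit that flags allow rules into the CDE that are not pinned to specific sources and services. The address ranges, interface names, and rule set are assumptions invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan for the example (not from the article).
CDE = ipaddress.ip_network("10.20.0.0/24")        # cardholder data environment
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]    # all internal address space
WIRELESS = ipaddress.ip_network("10.50.0.0/16")   # wireless segment: internal, but never trusted for the CDE


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None means any destination port
    comment: str = ""


def rule(action: str, src: str, dst: str, proto: str, dport: Optional[int], comment: str = "") -> Rule:
    """Build a Rule from CIDR strings so the policy reads like a firewall config."""
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport, comment)


# Constructed policy: explicit deny for wireless (1.3.3), narrow allows, implicit deny for the rest.
RULES = [
    rule("deny", str(WIRELESS), str(CDE), "any", None, "1.3.3: wireless denied into CDE"),
    rule("allow", "10.0.5.0/24", str(CDE), "tcp", 443, "payment app tier to CDE API"),
    rule("allow", "10.0.9.10/32", str(CDE), "tcp", 22, "bastion admin access"),
    rule("allow", str(CDE), "10.0.7.20/32", "tcp", 514, "CDE syslog to central log host"),
]

# A rule set that would fail review: anything, from anywhere, into the CDE.
OVERLY_BROAD_RULES = [rule("allow", "0.0.0.0/0", str(CDE), "any", None, "temporary troubleshooting")]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int, ingress: str) -> str:
    """First-match evaluation with default deny.

    ingress is the interface the packet arrived on: "internet" or "internal".
    Anti-spoofing (1.4.3) runs before the rule table: a packet that arrives from the
    internet but claims an internal source address is dropped whatever the rules say.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if ingress == "internet" and any(src_ip in net for net in TRUSTED):
        return "deny:spoofed-source"
    for r in rules:
        if (src_ip in r.src and dst_ip in r.dst
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return f"{r.action}:{r.comment}"
    return "deny:default"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag allow rules into the CDE that are not limited to specific sources and services (1.3.1)."""
    findings = []
    for r in rules:
        if r.action != "allow" or not r.dst.overlaps(CDE):
            continue
        if r.src.prefixlen == 0:
            findings.append(f"allow from any source into CDE: {r.comment!r}")
        if r.proto == "any" or r.dport is None:
            findings.append(f"allow into CDE without protocol/port restriction: {r.comment!r}")
    return findings
```

Running `audit_rules` against exported rule sets on a schedule is a cheap way to meet the six-monthly configuration review, because it turns "someone looked at the rules" into a repeatable check with a recorded result.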
#2: Apply Secure Configurations to All System Components
Changing default passwords and settings to more secure configurations ensures a base level of security for every system component, denying attackers an easy initial foothold on a low-value system from which they can move laterally.
- ☐ Configuration standards must address all system components and known security vulnerabilities and must be updated regularly.
Ensure only necessary systems and protocols are enabled, and if unsecured services or protocols are in place, provide documentation justifying their use. Update as new vulnerabilities are discovered, and apply updates consistently as new elements are added to the network.
- ☐ Ensure vendor accounts do not use default passwords and deactivate unused vendor accounts.
Any vendor default account that must remain in use gets a unique, strong password; default accounts that are not needed are removed or disabled. This applies to operating systems, databases, network devices, applications, and cloud service consoles alike.
- ☐ Secure wireless environments.
Wireless encryption keys belonging to vendors and employees should be secured, and defaults should be changed at installation, especially when accessing sensitive environments like the CDE. Keys should be revoked when employees leave the company or are known to be compromised.
- ☐ Define and document processes for current and future employees, and keep them up to date.
#3: Protect Stored Account Data
Account data, meaning cardholder data (the PAN, cardholder name, expiration date, and service code) and sensitive authentication data, must be secured at rest through encryption, truncation, tokenization, or other data protection methods. Cryptographic keys used to protect stored data must themselves be secured and managed.
- ☐ Keep storage of account data to a minimum.
Implement data retention and disposal processes that limit both the amount of account data stored and the time it is kept, to what the business and legal requirements actually demand. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must not be retained after authorization, even in encrypted form. Verify at least once every three months that stored account data exceeding the retention period has been securely deleted and cannot be recovered.
- ☐ Secure and limit access to primary account numbers.
When a PAN is displayed, show no more than the BIN and the last four digits, and only the last four unless the role genuinely needs the BIN; only authorized personnel with a documented business need may see more. Stored PANs must be rendered unreadable using truncation, index tokens, strong cryptography with proper key management, or keyed cryptographic hashes. A plain, unkeyed hash is not sufficient: because the BIN and last four digits are routinely visible on masked receipts, only six digits of a 16-digit PAN are unknown, and an attacker can hash every candidate in seconds. Keep hashed and truncated versions of the same PAN from being correlated to reconstruct it.
- ☐ Define and document processes for current and future employees, and keep them up to date.
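As an added example written for this checklist (not code from the article or from DuploCloud), the Python below shows the PAN handling forms discussed above side by side: a Luhn check, display masking, storage truncation, a keyed hash (HMAC-SHA256), and the brute-force that breaks an unkeyed hash once the BIN and last four digits are known. The sample PAN is the widely published Visa test number, and the key is generated on the fly for the demo; in production the key would live in an HSM or KMS.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: the widely published Visa test number, not a live account.
SAMPLE_PAN = "4111111111111111"
# Demo-only key. In production the key lives in an HSM or KMS under the key-management
# controls of Requirement 3.6/3.7, never alongside the data it protects.
DEMO_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check used by all major card brands; it catches typos, not fraud."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Display form (3.4.1): last four digits only, or BIN plus last four for roles that need it."""
    keep = 6 if show_bin else 0
    return pan[:keep] + "*" * (len(pan) - keep - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that discards all but the last four digits: nothing to decrypt, nothing to leak."""
    return pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """What NOT to store: a plain SHA-256 of the PAN. See recover_pan() for why."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256), the form 3.5.1.1 calls for: without the key no guess can be checked."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, first6: str, last4: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: with the BIN and last four known (a masked receipt is enough),
    only six digits are unknown, so an unkeyed hash falls to at most a million guesses."""
    for middle in range(1_000_000):
        candidate = f"{first6}{middle:06d}{last4}"
        if hash_fn(candidate) == digest:
            return candidate
    return None
```

The same enumeration run against the HMAC digest finds nothing, because the attacker cannot compute candidate digests without the key. That asymmetry, not the hash algorithm, is what makes the keyed form acceptable; rotating or losing the key is therefore a key-management event, which is why Requirement 3.6 and 3.7 apply to it.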
#4: Protect Cardholder Data With Strong Cryptography During Transmission Over Open, Public Networks
Customers will likely make purchases or submit payment data over public, untrusted networks, and your own systems exchange cardholder data with processors over the internet. Data must be encrypted before transmission, during the session in which it is transmitted, or both. Without that protection anyone positioned on the path, whether on a compromised router, a rogue wireless access point, or a weak protocol that can be downgraded, can read it.
- ☐ Only accept trusted keys and certificates.
Only trusted keys and certificates should be accepted, and certificates used to protect PAN in transit must be confirmed valid, unexpired and unrevoked before a connection is trusted; keep an inventory of those keys and certificates. Protocols must support only secure versions and configurations, with no fallback to insecure versions (SSL and early TLS are not acceptable), and encryption strength must be appropriate to the method in use. Wireless networks that transmit PAN or connect to the CDE must use industry best practices to implement strong cryptography for authentication and transmission. PAN must also be rendered unreadable with strong cryptography whenever it is sent over end-user messaging technologies such as email, instant messaging, SMS, or chat.
- ☐ Define and document processes for current and future employees, and keep them up to date.
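As an added example for this requirement (written for the checklist, not taken from the article or from DuploCloud), the Python below puts a hardened TLS client configuration next to the weak one that still turns up in payment integrations, with an audit function that reports the gaps, plus a helper for the certificate-expiry check. It uses only the standard `ssl` module; the cipher string and the threshold choices are this example's own.

```python
import ssl
import time
from typing import List, Optional

# Substrings that mark cipher suites no payment system should negotiate.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting 4.2.1: verified certificates, TLS 1.2+, AEAD cipher suites only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 are not "secure versions"
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext (CRIME)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # TLS 1.3 suites are separate and strong
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: certificate verification switched off to 'make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, including an attacker's
    return ctx                        # minimum_version left at whatever OpenSSL allows


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the 4.2.1 gaps in a context; an empty list means it passes this check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 can still be negotiated")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> float:
    """Days left on a certificate, given notAfter as SSLSocket.getpeercert() formats it,
    e.g. 'Jun 14 12:00:00 2030 GMT'. A negative result means it has already expired."""
    now = time.time() if now_epoch is None else now_epoch
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0
```

Wrap your HTTP client's context with `audit_context` in a unit test so a future "quick fix" that disables verification fails the build; the same function can be pointed at server-side contexts, where the minimum-version check matters most because the server decides what clients may negotiate.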
#5: Protect All Systems and Networks From Malicious Software
Malware such as viruses, Trojans, and ransomware is a common tool malicious actors use to reach critical systems. Businesses must deploy anti-malware controls and the processes around them to prevent infections and to respond when one occurs.
- ☐ Detect, prevent, and address malware.
Anti-malware systems must be deployed on all potentially at-risk system components and must be able to detect and remove or contain all forms of malware. Systems that aren’t at risk must be documented and regularly evaluated.
- ☐ Keep anti-malware mechanisms current and protect personnel against phishing.
Anti-malware solutions must update automatically so they carry the latest signatures and detection logic, and must perform periodic scans or continuous behavioral analysis; removable media must be scanned when inserted. Anti-phishing controls (email filtering with link and attachment analysis, together with SPF, DKIM and DMARC on your own domains) protect staff from the credential-theft attempts that most often precede a breach.
- ☐ Define and document processes for current and future employees, and keep them up to date.
#6: Develop and Maintain Secure Systems and Software
Malicious actors find and exploit system vulnerabilities to gain access, so organizations must apply the latest security patches to close these vulnerabilities. They must also aim to create security-forward programs from the ground up to prevent these vulnerabilities from appearing in the first place.
- ☐ Use industry best practices to develop secure programs.
Software must be developed in line with PCI DSS, including secure authentication and logging, and must be protected against the vulnerability classes Requirement 6.2.4 names: injection, memory-safety flaws such as buffer overflows, misuse of cryptography, business-logic abuse, broken access control, and other high-risk flaws. Developers should be trained at least once every 12 months in secure coding techniques relevant to their work. Code review before release lets teams find and fix vulnerabilities before malicious actors do. Patch management matters just as much: identify new vulnerabilities from industry-recognized sources, and install critical and high-security patches within one month of release. Public-facing web applications must be protected either by an automated technical solution that continually detects and prevents web-based attacks (a web application firewall) or by regular application vulnerability assessment.
- ☐ Define and document processes for current and future employees, and keep them up to date.
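As an added example for the secure-coding point above (written for this checklist, not code from the article or from DuploCloud), the Python below shows the most common 6.2.4 flaw, SQL injection, as a vulnerable query beside its parameterized fix, run against a constructed in-memory SQLite table that holds only last-four digits. The table, rows and identifier allow-list are assumptions made for the demo.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data: last-four digits only, never a full PAN, in an application table.
SAMPLE_ORDERS = [("alice", "1111", 1999), ("bob", "4444", 5000), ("carol", "0005", 12000)]
INJECTION = "nobody' OR '1'='1"   # classic tautology payload


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, "
        "pan_last4 TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO orders (customer, pan_last4, amount_cents) VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, str, int]]:
    """Deliberately insecure: user input is spliced into the SQL text, so it can change the query."""
    query = f"SELECT customer, pan_last4, amount_cents FROM orders WHERE customer = '{customer}'"
    return conn.execute(query).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, str, int]]:
    """Fixed: a bound parameter is data to the engine and can never become part of the SQL grammar."""
    return conn.execute(
        "SELECT customer, pan_last4, amount_cents FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def valid_customer_id(value: str) -> bool:
    """Defense in depth: allow-list the identifier's shape before it reaches any query."""
    return re.fullmatch(r"[a-z0-9_-]{1,32}", value) is not None
```

The vulnerable function returns every row for the payload because the resulting `WHERE` clause is always true; the parameterized version returns nothing because no customer is literally named `nobody' OR '1'='1`. A code review that greps for string formatting adjacent to `execute(` catches the first form mechanically, which is the kind of check worth automating in CI.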

#7: Restrict Access to System Components and Cardholder Data by Business Need to Know
Authorized users should have access to the systems and information they need to complete their job — nothing more. Processes and policies should reflect identity and access management best practices, such as ensuring users have least privilege access to sensitive information.
- ☐ Clearly define user roles and profiles.
Every user that accesses critical systems must have their roles and responsibilities clearly defined and approved by authorized personnel.
- ☐ Use access management systems to ensure least privilege access.
These systems help teams actively monitor and update account use and privileges.
- ☐ Regularly review accounts, including third-party vendors, at least once every six months.
Unused accounts should be deactivated as soon as possible to prevent unauthorized access by former employees, vendors, or malicious actors that may have attained the login credentials of these accounts. IT departments should also revoke privileges when employees no longer need access to network systems.
- ☐ Define and document processes for current and future employees, and keep them up to date.
Create repeatable and consistent policies to adhere to this category’s specified requirements, and ensure all team members are aware of and adhere to these policies.
#8: Identify Users and Authenticate Access to Systems Components
Users must be identified and authenticated before accessing critical systems. Often, this is performed through user IDs and passwords, but they can also include multi-factor authentication (through a token generator or physical device) or biometrics. PCI DSS requires authentication for all accounts on all system components, including point-of-sale accounts, administrative accounts, and all accounts that can directly view or access cardholder data or access systems containing cardholder data.
- ☐ Implement login restrictions to prevent unauthorized access.
Sessions on critical systems should require re-authentication after 15 minutes of inactivity. After no more than ten consecutive invalid login attempts, the user ID must be locked out for at least 30 minutes or until an administrator confirms the user's identity. Passwords used as an authentication factor must be at least 12 characters long (8 if the system cannot support 12) and contain both letters and numbers, must be stored only as strong one-way hashes, and must be changed at least every 90 days when a password is the only factor in use.
- ☐ Implement strong authentication for users and administrators through multi-factor authentication systems.
In addition to robust password requirements, organizations must implement multi-factor authentication for all non-console administrative access, for all remote network access originating from outside the entity's network, and, under the v4.0 future-dated requirement 8.4.2, for all access into the CDE. MFA must be resistant to replay, must require success of all factors before access is granted, and must not be bypassable by any user, including administrators, except on a documented exception basis for a limited period with management approval.
- ☐ Define and document processes for current and future employees, and keep them up to date.
Create repeatable and consistent policies to adhere to this category’s specified requirements, and ensure all team members are aware of and adhere to these policies.
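As an added example for the thresholds in this requirement (written for the checklist, not code from the article or from DuploCloud), the Python below implements the lockout, idle-timeout and password-policy rules in a small authentication policy object. Time is passed in explicitly so the logic can be exercised without waiting 30 minutes; the demo user, its password, and the PBKDF2 round count are assumptions for the example, and MFA is out of scope here.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 10        # 8.3.4: lock after no more than 10 invalid attempts
LOCKOUT_SECONDS = 30 * 60       # 8.3.4: at least 30 minutes, or until an admin confirms identity
IDLE_TIMEOUT_SECONDS = 15 * 60  # 8.2.8: re-authenticate after 15 minutes without activity
MIN_PASSWORD_LENGTH = 12        # 8.3.6: 12+ characters with both letters and numbers
PBKDF2_ROUNDS = 200_000         # demo value; raise it to what your hardware budget allows


def password_meets_policy(password: str) -> bool:
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """8.3.2: store only a salted, slow one-way hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    last_activity: float = 0.0  # epoch seconds; 0 means no session


class AuthPolicy:
    """Enforces lockout and idle timeout. The clock is an argument so the rules are testable."""

    def __init__(self, credentials: Dict[str, Tuple[bytes, bytes]]):
        self._credentials = credentials
        self._states: Dict[str, AccountState] = {}

    def _verify(self, user: str, password: str) -> bool:
        record = self._credentials.get(user)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users: no timing oracle
            return False
        salt, expected = record
        return hmac.compare_digest(expected, hash_password(password, salt)[1])

    def login(self, user: str, password: str, now: float) -> Tuple[bool, str]:
        state = self._states.setdefault(user, AccountState())
        if state.locked_until:
            if now < state.locked_until:
                return False, "locked"          # a correct password is refused while locked
            state.locked_until = 0.0            # lockout expired: start counting afresh
            state.failed_attempts = 0
        if self._verify(user, password):
            state.failed_attempts = 0
            state.last_activity = now
            return True, "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "invalid"

    def session_active(self, user: str, now: float) -> bool:
        state = self._states.get(user)
        return bool(state and state.last_activity and now - state.last_activity <= IDLE_TIMEOUT_SECONDS)

    def record_activity(self, user: str, now: float) -> None:
        """Call on each authenticated request; an expired session is not revived by activity."""
        if self.session_active(user, now):
            self._states[user].last_activity = now


# Constructed demo credential store; the password satisfies password_meets_policy().
DEMO_USERS = {"pos-operator": hash_password("Correct-Horse-42")}
```

Note that the lockout response is the same string whether the password was right or wrong, and the unknown-user path burns the same hashing cost as a real one; both close side channels that would otherwise let an attacker learn which user IDs exist.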
#9: Restrict Physical Access to Cardholder Data
Organizations aren’t just responsible for securing data. They must also ensure that the physical buildings and servers that house that data and any devices that may come into contact with customer data are secure and free from tampering.
- ☐ Implement access controls to manage entry into storage facilities and cardholder data systems.
Facilities that house sensitive cardholder data should be secured with badge readers or other access controls; access should be granted on a need basis, reviewed regularly, and revoked as soon as an employee no longer needs it or leaves the company. Visitors must be authorized, escorted, visibly identified, and logged. Monitor entry points with video cameras or other mechanisms, and retain that data for at least three months unless otherwise restricted by law.
- ☐ Properly dispose of physical data when no longer needed.
If physical copies of digital records are required, access must be approved, logged, stored securely, then destroyed when no longer in use. Organizations should conduct an inventory of physical media containing cardholder data, such as offline backups contained on hard disk drives or USB thumb drives, at least once a year.
- ☐ Protect point of interaction devices from tampering.
Card readers and other point-of-interaction (POI) devices should be inspected periodically for tampering or substitution (attached skimmers, swapped devices, altered seals) so they are not quietly capturing card data for unauthorized parties. Maintain an up-to-date list of all POI devices with make and model, location, and serial number, and train staff to verify the identity of anyone claiming to service or replace a device.
- ☐ Define and document processes for current and future employees, and keep them up to date.
Create repeatable and consistent policies to adhere to this category’s specified requirements, and ensure all team members are aware of and adhere to these policies.

#10: Log and Monitor All Access to System Components and Cardholder Data
Without effective logging protocols, organizations will have a difficult time tracking unauthorized access and mitigating damage if it occurs.
- ☐ Implement audit logs to detect and analyze suspicious activity.
Audit logs must be enabled on all system components and for all access to cardholder data. Logs must capture all user actions within these systems, including changes to credentials, systems access, and other changes. Each entry should record who (user identification), what (type of event), when (date and time), whether it succeeded or failed, where it came from (origination), and what it touched (the name of the affected data, component, or resource).
- ☐ Log history is maintained, and logs are protected from unauthorized modification or destruction.
Only authorized users should have access to audit logs, which should be protected through access control and physical or network segregation, and should be backed up promptly to a central, secure log server. File-integrity monitoring or change-detection must alert when existing log data is modified or deleted. Retain log history for at least 12 months, with the most recent three months immediately available for analysis.
- ☐ Review logs daily and respond promptly to failures of security controls.
Logs of all security events, of all system components that store, process, or transmit cardholder data, of critical system components, and of servers performing security functions must be reviewed at least once daily; other components on a documented, risk-based schedule. Use automated tooling for these reviews so that anomalies are surfaced rather than buried. Failures of critical security control systems (network security controls, IDS/IPS, anti-malware, access controls, logging, and so on) must be detected, reported, and responded to promptly, including restoring the control and identifying anything that was missed while it was down.
- ☐ Define and document processes for current and future employees, and keep them up to date.
Create repeatable and consistent policies to adhere to this category’s specified requirements, and ensure all team members are aware of and adhere to these policies.
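As an added example for this requirement (written for the checklist, not code from the article or from DuploCloud), the Python below builds audit records that carry the fields listed above, chains each record to its predecessor with a hash so that editing or deleting an earlier entry is detectable, and runs an automated review over a constructed sample log. The event names, addresses (from documentation ranges), and review thresholds are assumptions for the demo.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# 10.2.2: every audit record carries who, what, when, outcome, where from, and what was touched.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "success", "origin", "target")
GENESIS = "0" * 64


def canonical(record: Dict[str, Any]) -> bytes:
    """Stable serialisation of everything except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: List[Dict[str, Any]], **fields: Any) -> Dict[str, Any]:
    """Validate the required fields and chain the record to its predecessor (tamper evidence, 10.3)."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit event missing required fields: {missing}")
    record = dict(fields, prev_hash=log[-1]["hash"] if log else GENESIS)
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    log.append(record)
    return record


def verify_chain(log: List[Dict[str, Any]]) -> Optional[int]:
    """Index of the first record whose content or linkage no longer matches, or None if intact."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record.get("prev_hash") != prev_hash:
            return i
        if hashlib.sha256(canonical(record)).hexdigest() != record.get("hash"):
            return i
        prev_hash = record["hash"]
    return None


def review_findings(log: List[Dict[str, Any]], failed_auth_threshold: int = 5) -> List[str]:
    """The daily review of 10.4.1, automated: surface what a reviewer must look at, not the whole log."""
    findings: List[str] = []
    failures_by_origin: Dict[str, int] = {}
    for r in log:
        if r["event_type"] == "login" and not r["success"]:
            failures_by_origin[r["origin"]] = failures_by_origin.get(r["origin"], 0) + 1
        if r["event_type"] in ("privilege_change", "audit_log_change"):
            findings.append(f"{r['timestamp']} {r['user']} {r['event_type']} on {r['target']} from {r['origin']}")
    for origin, n in failures_by_origin.items():
        if n >= failed_auth_threshold:
            findings.append(f"{n} failed logins from {origin}")
    return findings


def build_sample_log() -> List[Dict[str, Any]]:
    """Constructed sample events; addresses come from documentation ranges, not real systems."""
    log: List[Dict[str, Any]] = []
    append_event(log, user="alice", event_type="login", timestamp="2024-05-01T08:00:12Z",
                 success=True, origin="10.0.5.21", target="pos-admin")
    for i in range(6):   # a burst of failed admin logins from one outside address
        append_event(log, user="admin", event_type="login", timestamp=f"2024-05-01T02:1{i}:00Z",
                     success=False, origin="203.0.113.7", target="jump-host")
    append_event(log, user="bob", event_type="privilege_change", timestamp="2024-05-01T09:30:00Z",
                 success=True, origin="10.0.5.40", target="cde-db", detail="granted role dba")
    append_event(log, user="svc-backup", event_type="read", timestamp="2024-05-01T23:00:00Z",
                 success=True, origin="10.0.5.9", target="cardholder_db")
    return log
```

A hash chain detects modification or removal of any record except the most recent ones at the tail, so the latest hash must be anchored somewhere the log writer cannot reach, which is exactly what shipping logs promptly to a separate, centrally controlled log host achieves.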
#11: Test Security of Systems and Networks Regularly
Organizations should review systems capabilities and vulnerabilities regularly to ensure any issues are discovered and addressed quickly.
- ☐ Monitor wireless access points.
Teams should identify and log any authorized and unauthorized wireless access points within the facility. Testing should occur at least once every three months, and unauthorized access points should be addressed as they are discovered.
- ☐ Identify and address external and internal vulnerabilities.
Internal and external vulnerability scans should be conducted at least once every three months and after any significant change, using up-to-date scanning tools. External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and repeated until a passing scan is achieved. Detected vulnerabilities should be ranked according to risk; high-risk and critical vulnerabilities must be resolved and the scan re-run to confirm the fix.
- ☐ Perform regular penetration tests.
Penetration testing, internal and external, should be conducted at least once every 12 months and after any significant change, covering the entire CDE perimeter and critical systems. Where segmentation is used to reduce scope, test at least annually (every six months for service providers) that the segmentation controls actually isolate the CDE. Exploitable vulnerabilities found during testing must be corrected and retested. Intrusion-detection or prevention mechanisms and change-detection mechanisms complete this requirement, including, under v4.0, a mechanism that alerts on unauthorized changes to payment page scripts and HTTP headers as received by the consumer's browser.
- ☐ Define and document processes for current and future employees, and keep them up to date.
Create repeatable and consistent policies to adhere to this category’s specified requirements, and ensure all team members are aware of and adhere to these policies.
#12: Support Information Security with Organizational Policies and Programs
Maintaining a truly secure and compliant environment goes beyond completing a long checklist of tasks. Processes, policies, and programs must be developed and maintained so that the whole organization keeps adhering to its security standards and sensitive data stays secure and private.
- ☐ Develop a comprehensive Information Security (IS) policy.
This policy should clearly define the roles and responsibilities of everyone in the IS department, be universally disseminated and applied to all employees, and should be reviewed at least once every 12 months.
- ☐ Set end-user policies.
Employees should understand the acceptable use of all provided technology and only use explicitly approved technology and products.
- ☐ Manage PCI DSS compliance.
Many requirements within PCI DSS leave flexibility in how and when processes are completed. Document each of these decisions and review them so that the procedures are actually carried out regularly and correctly. At least once every 12 months: perform the targeted risk analyses PCI DSS calls for, review the inventory of cryptographic cipher suites and protocols in use and plan the retirement of any that are weakening, review the hardware and software technologies in use for continued vendor support, and confirm and document PCI DSS scope. Keep a current inventory of all system components that are in scope.
- ☐ Perform ongoing security awareness education.
Employees should undergo regular security training, informing team members of security policies and their role in protecting sensitive data. Security programs should be reviewed at least once yearly and updated as new threats or vulnerabilities are discovered.
- ☐ Perform regular personnel screening.
Employees with access to sensitive data or systems, such as the CDE, should be screened for potential security risks.
- ☐ Respond to security incidents immediately.
An incident response plan must exist and be activated when a security incident occurs. Incident response plans must be reviewed and updated at least once every 12 months.

About DuploCloud
Navigating the complexities of PCI DSS compliance manually can be a monumental task, particularly for organizations operating at the scale needed to compete in today’s landscape.
Enter DuploCloud's innovative DevOps automation platform. Designed to automate the construction of Infrastructure-as-Code frameworks, integrate security protocols, and enforce compliance, DuploCloud empowers you to rapidly build cloud-native applications at scale. Its automated scanning tools provide proactive detection of security and compliance issues, directly mapping to SOC 2, PCI DSS, HIPAA, HITRUST, and GDPR standards.
With DuploCloud, you gain not only ongoing PCI DSS compliance but also the assurance that your customers' payment data is protected. Discover how DuploCloud can bolster your PCI DSS compliance efforts and safeguard your customers' financial information. Contact us today for a personalized one-on-one walkthrough, and see DuploCloud in action for yourself.