PCI Compliance Checklist
A practical, step-by-step guide to achieving and maintaining PCI DSS compliance. Everything you need to know about the 12 requirements, SAQ selection, and annual validation for your merchant account.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the PCI Security Standards Council. Compliance is mandatory for any business that stores, processes, or transmits credit card data. The standard is enforced by the major card networks (Visa, Mastercard, American Express, Discover, JCB), and non-compliance can result in fines, increased transaction fees, and ultimately the loss of your ability to accept card payments.
PCI DSS v4.0.1, published in June 2024 as a limited clarification release of v4.0, is the current version. Version 4 introduced a "customized approach" as an alternative to the defined controls, plus stronger authentication, logging and e-commerce requirements. Merchants should validate against v4.0.1: v3.2.1 was retired on March 31, 2024, v4.0 itself was retired at the end of 2024, and the v4 requirements that were initially designated future-dated best practices became mandatory on March 31, 2025.
The 12 PCI DSS Requirements
PCI DSS is organized into 6 goals and 12 requirements. For each requirement, we've listed the key actions merchants must take:
Goal 1: Build and Maintain a Secure Network
Requirement 1 Install and maintain network security controls — Configure firewalls (and equivalent cloud controls such as security groups) to permit only the inbound and outbound traffic that is necessary and deny everything else by default. Segment the cardholder data environment (CDE) from other network zones so that out-of-scope systems cannot reach it. Document every rule with its business justification and review the rule sets at least once every six months, removing rules that are no longer needed.
Requirement 2 Do not use vendor-supplied defaults — Change all default passwords, encryption keys, and security parameters before deploying any system. Remove unnecessary services and protocols. Document security configurations.
Goal 2: Protect Cardholder Data
Requirement 3 Protect stored account data — Never store sensitive authentication data after authorization, even encrypted: full track data, the card verification code (CVV2/CVC2/CID), and PINs or PIN blocks. Store the PAN only where a documented business need exists, and render it unreadable wherever it is stored: truncation, index tokens, strong encryption with documented key management, or a keyed cryptographic hash of the entire PAN (v4.0 no longer accepts an unkeyed hash, which can be brute-forced from the digits that are routinely displayed). Mask the PAN when displayed so that at most the BIN and the last four digits are visible, and define and enforce retention and secure disposal policies so data is deleted when no longer needed.
Requirement 4 Protect cardholder data with strong cryptography during transmission — Use strong cryptography (TLS 1.2 or higher with current cipher suites; SSL and early TLS are not acceptable) for all transmission of cardholder data over open or public networks, including wireless, and validate certificates so that traffic cannot be intercepted. Never send unprotected PAN via end-user messaging such as email, chat, SMS, or FTP.
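As an added example (not code from the page or from WebPayMe), the Python below puts three Requirement 3 controls side by side: truncating a PAN for storage and display, why an unkeyed SHA-256 of a PAN does not count as rendering it unreadable (the middle digits are brute-forced from the BIN and last four in well under a second), and the keyed hash that v4.0 requires instead. It also scans constructed log lines for full PANs, a check worth running before every SAQ because application logs are where stored PAN most often turns up. The test numbers (4111..., 3782...), the placeholder HMAC key, and the log lines are all assumptions constructed for this example.

```python
"""Requirement 3 in practice: truncation, keyed hashing, and a scan for PAN leaks.

Added example, not code from the page or from WebPayMe. Assumptions (mine):
the PANs are the well-known Luhn-valid test numbers (4111..., 3782...), not
real accounts; the HMAC key is a placeholder that in production would be
generated and held under Requirement 3 key-management controls; the log
lines are constructed for the example.
"""
import hashlib
import hmac
import re

# Placeholder key: in production this lives in an HSM/KMS, never in source.
PLACEHOLDER_KEY = b"replace-with-a-key-from-your-kms"

# Constructed sample log lines: lines 1 and 3 leak a full PAN, line 2 is already
# truncated, line 4 is a 13-digit tracking number that is NOT a card number.
LOG_LINES = [
    "2024-03-31T12:00:01Z checkout order=10021 card=4111 1111 1111 1111 amount=49.99",
    "2024-03-31T12:00:02Z checkout order=10022 card=411111******1111 amount=12.00",
    "2024-03-31T12:00:03Z auth ref=378282246310005 status=approved",
    "2024-03-31T12:00:04Z tracking id=1234567890123 status=shipped",
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def truncate_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four; the middle digits are discarded,
    not hidden. v4.0 display masking allows at most the BIN and last four."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def unkeyed_sha256(pan: str) -> str:
    """What NOT to store: an unkeyed hash of the PAN (see recover_from_unkeyed_hash)."""
    return hashlib.sha256(_digits(pan).encode()).hexdigest()


def recover_from_unkeyed_hash(digest_hex: str, first6: str, last4: str):
    """Brute-force the middle six digits of a 16-digit PAN from its unkeyed SHA-256,
    given the BIN and last four (both routinely visible on receipts and in
    truncated records). At most a million candidates: seconds, not years."""
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the ENTIRE PAN (v4.0 Requirement 3.5.1.1): without the key the
    brute force above is no longer possible, so the key needs the same protection
    as an encryption key."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit runs in text: run this over logs, crash
    dumps and database exports to find full PAN stored where it must not be."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if luhn_ok(_digits(m.group()))]


def redact_pans(text: str) -> str:
    """Replace every detected PAN with its truncated form; other numbers are untouched."""
    def repl(m):
        return truncate_pan(m.group()) if luhn_ok(_digits(m.group())) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number
    print("truncated:", truncate_pan(pan))
    print("unkeyed hash recovers:", recover_from_unkeyed_hash(unkeyed_sha256(pan), pan[:6], pan[-4:]))
    print("keyed hash:", keyed_hash_pan(pan, PLACEHOLDER_KEY))
    for line in LOG_LINES:
        leaks = find_pans(line)
        if leaks:
            print("LEAK:", leaks, "->", redact_pans(line))
```

Run it as a script to see the leak report. In practice, point find_pans at log directories, database dumps, and support-ticket exports before each annual validation, and treat any hit as stored PAN that must be deleted or truncated under your retention policy; the Luhn filter keeps order numbers and tracking IDs from being flagged.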
Goal 3: Maintain a Vulnerability Management Program
Requirement 5 Protect systems against malware — Deploy anti-malware software on all systems commonly affected by malware. Keep anti-malware software updated, logged, and actively running.
Requirement 6 Develop and maintain secure systems and software — Install critical and high-severity security patches within one month of release, and other patches on a schedule set by your risk assessment. Use secure coding practices and code review for custom applications. Protect public-facing web applications with an automated solution, typically a web application firewall, that continually detects and blocks web-based attacks; v4.0 made this mandatory in place of the older option of reviewing the application for vulnerabilities annually and after significant changes. For e-commerce, keep an inventory of every script that runs on the payment page, with a written justification for each, and ensure each script is authorized and its integrity is verified.
Goal 4: Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data by business need-to-know — Implement role-based access controls. Use the principle of least privilege — employees should only have access to data they specifically need for their job function.
Requirement 8 Identify users and authenticate access to system components — Assign a unique ID to every person with access; shared and generic accounts are not permitted for interactive use. Require multi-factor authentication for all access into the CDE, for all non-console administrative access, and for all remote network access originating from outside your network (v4.0 extends MFA from remote access to every login into the CDE). Where passwords are used, require at least 12 characters (8 where a system cannot support 12) containing both letters and numbers, lock the account after no more than 10 failed attempts, and change passwords at least every 90 days when they are the only authentication factor.
Requirement 9 Restrict physical access to cardholder data — Secure physical locations where cardholder data is processed or stored. Use access controls (badges, locks) and visitor logs. Destroy media containing cardholder data when no longer needed.
Goal 5: Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to network resources and cardholder data — Implement audit logging for all system components. Log all access to cardholder data, privileged actions, and failed login attempts. Retain logs for at least 12 months (3 months immediately available for analysis).
Requirement 11 Test security of systems and networks regularly — Run internal vulnerability scans at least once every three months (authenticated scans under v4.0) and external scans by an Approved Scanning Vendor (ASV) at least once every three months, rescanning until all high-risk and critical findings are resolved and again after any significant change. Perform internal and external penetration tests at least annually and after significant changes, including tests that confirm the network segmentation actually isolates the CDE. Deploy change-detection (file integrity monitoring) on critical system files, and for e-commerce, a mechanism that detects unauthorized changes to the scripts and HTTP headers of payment pages.
Goal 6: Maintain an Information Security Policy
Requirement 12 Support information security with organizational policies and programs — Maintain a written information security policy reviewed at least annually. Define information security responsibilities, including an executive owner. Implement a formal risk assessment process. Provide security awareness training to all personnel at hire and at least annually. Maintain a list of third-party service providers that handle card data and confirm their compliance status each year. Maintain an incident response plan and test it at least annually.
Choosing the Right SAQ
Most merchants validate PCI compliance through a Self-Assessment Questionnaire (SAQ). The correct SAQ depends on how your business processes card data:
- SAQ A: Card-not-present (e-commerce or mail/telephone order) merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers and do not electronically store, process, or transmit card data on their own systems. For e-commerce this means the payment page is either a full redirect to the provider or an iframe served entirely by the provider. This is the simplest and most common SAQ for merchants using a hosted payment page.
- SAQ A-EP: E-commerce merchants whose site does not itself receive cardholder data but does control how it is collected, for example when a script from the payment gateway builds the card form inside the merchant's own page, or when the merchant's page posts the card fields directly to the gateway ("direct post"). The merchant's web server is in scope because a compromise of it can alter the payment flow.
- SAQ B: Merchants using only imprint machines or standalone dial-up terminals. No electronic cardholder data storage.
- SAQ B-IP: Merchants using standalone PTS-approved payment terminals with an IP connection (no electronic cardholder data storage on merchant systems).
- SAQ C-VT: Merchants that key transactions in one at a time into a web-based virtual terminal from an isolated computer that is used only for this purpose and is not connected to other systems in the merchant environment. No electronic cardholder data storage.
- SAQ C: Merchants with payment application systems connected to the internet (but no electronic cardholder data storage).
- SAQ P2PE: Merchants using only a PCI-listed point-to-point encryption (P2PE) solution, with no electronic cardholder data storage; card data is encrypted inside the terminal and the merchant never holds the decryption keys.
- SAQ D for Merchants: All other merchants not eligible for the simplified SAQs above, including any merchant whose own systems receive or store the PAN. This is the most comprehensive SAQ, covering all 12 requirements.
Most e-commerce merchants, including high-risk merchants, that use a fully hosted payment page qualify for SAQ A. SAQ A is the shortest questionnaire, but it is not limited to requirements 11 and 12: it carries a subset of controls from several requirements, including changing vendor defaults, data retention, patching, account and password management, media disposal, and managing third-party service providers, and its e-commerce scope has been revised between v4 releases, so read the current SAQ A rather than relying on summaries. If card fields are built on your own page by gateway JavaScript or posted directly from your page to the gateway, expect SAQ A-EP; if your own servers receive the card number, even only to forward it through an API, you are in SAQ D.
Compliance Validation Process
Achieving and maintaining PCI compliance is an annual cycle:
- Step 1 — Determine Your SAQ: Work with your payment processor or a Qualified Security Assessor (QSA) to determine the correct SAQ for your processing environment.
- Step 2 — Complete the SAQ: Answer all questions honestly. Retain documentation supporting each affirmative answer (policies, logs, scan reports, configuration files).
- Step 3 — Quarterly ASV Scan: If your SAQ requires it (SAQ A-EP, B-IP, C, and D do; check the current SAQ A for its e-commerce scan requirement), schedule and pass an external vulnerability scan by an Approved Scanning Vendor at least once every three months, so that four passing scans cover the year. A failed scan must be remediated and rescanned until it passes, and scan again after any significant change to the internet-facing environment.
- Step 4 — Submit Attestation of Compliance (AOC): Submit your completed SAQ, scan reports, and signed AOC to your acquiring bank or payment processor. This is typically done through their compliance portal.
- Step 5 — Ongoing Maintenance: PCI compliance is not a one-time event. Continuously monitor, maintain logs, apply patches, and ensure your environment does not deviate from the compliant state.
Consequences of Non-Compliance
Failing to maintain PCI compliance carries serious consequences that escalate over time:
- Monthly Fines — Non-compliant merchants face fines of $5,000 to $100,000 per month from the card networks
- Higher Fees — Processors can levy non-compliance fees ($10–$50/month) and apply higher discount rates
- Increased Liability — Non-compliant merchants can be held liable for the fraud losses, card-reissuance costs, and chargebacks arising from a breach of their environment, whereas a merchant that was validated compliant at the time of the breach is far better placed to contest those costs
- Data Breach Costs — In the event of a data breach, non-compliant merchants face fines of $50–$90 per compromised card number, forensic investigation costs ($50,000–$500,000+), and potential class-action lawsuits
- Account Termination — Persistent non-compliance can result in termination by your processor and placement on the MATCH terminated merchant list
For high-risk merchants, maintaining PCI compliance is especially critical because processing options are already limited — losing a processor due to compliance issues can be extremely difficult to recover from.
Simplifying Compliance
Reducing PCI compliance scope is the most effective way to simplify compliance and reduce risk. Strategies include:
- Use a hosted payment page: Redirect customers to your gateway's secure payment page — card data never touches your servers, qualifying you for SAQ A
- Tokenization: Store gateway-issued tokens instead of PANs for recurring billing and customer profiles. A token is only meaningful to the provider that issued it, so a stolen token database yields no card numbers; keep the benefit by ensuring the PAN itself never transits your servers on the way to the provider
- Payments iframe: Use an iframe-based checkout served entirely by your gateway so card data is entered into the provider's page and never touches your infrastructure; an iframe from a PCI DSS compliant provider keeps you eligible for SAQ A, whereas gateway JavaScript that builds the form inside your own page moves you to SAQ A-EP
- PCI-validated P2PE: Use point-to-point encryption solutions that encrypt card data at the point of interaction and decrypt only at the processor
- Third-party compliance management: Many processors offer PCI compliance management services that handle SAQ guidance, scan scheduling, and submission for a monthly fee
Need help with PCI compliance?
WebPayMe's processor partners can guide you through the PCI compliance process and help you choose the right SAQ for your business model.
Get Compliance Help