PCI DSS Compliance Checklist

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that were adopted as a general standard by major credit card companies and other financial institutions for the protection of payment systems from data breaches, fraud, and theft of cardholder data. It applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. It was created by the world’s biggest card brand schemes: American Express, Discover, JCB, MasterCard, and Visa, and is continuously developed by the PCI Security Standards Council (PCI SSC).

PCI DSS is not legally binding, but any organization wishing to accept debit or credit card payments in person, over the phone, or online is required to comply. Failure to do so can lead to fines of up to $100,000/month and increased transaction fees. Worst still, they can have their relationship with their bank permanently terminated and wind up on the Merchant Alert to Control High-Risk (MATCH) list which means they will no longer be able to process card payments.

There are four levels of PCI DSS compliance, a merchant’s compliance level depends on the number of card transactions per year their company processes. To meet the highest level of PCI DSS compliance, Level 1, companies must process over 6 million card transactions per year. Organizations must be able to estimate this number accurately and assess which level they belong to, depending not only on PCI DSS requirements but also on the card scheme they require compliance for. Another factor in determining an organization’s compliance level is if there is a history of a data breach or other cyber attack that compromised cardholder data.

PCI DSS Compliance Checklist

As part of their Self-Assessment Questionnaire (SAQ) or in preparation for a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) audit, companies can use a PCI DSS compliance checklist to determine whether they are compliant, reducing the time and resources spent on auditors. Here is our checklist:

1. Familiarize yourself with PCI DSS requirements

Companies need to understand the requirements of PCI DSS and what they protect before putting together a compliance plan. PCI DSS covers two categories of data: sensitive authentication data and cardholder information. Sensitive authentication data includes full track data (magnetic-stripe data or equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID). Cardholder information refers to primary account numbers, cardholder names, card expiration dates, and service codes.

PCI DSS also provides a baseline of technical and operational requirements designed to protect account data. They consist of 12 core compliance requirements and nearly 250 associated security controls; covering everything from basic security measures to more complex wide-reaching requirements. PCI DSS offers a detailed description of each requirement, why it is needed, and how it can be tested, and offers guidance on how compliance with it can be achieved. Besides firewalls and antivirus software, organizations looking to avoid noncompliance can also apply strong access control measures and information security policies to limit access to card information.

PCI DSS v4.0 was released on March 31, 2022, and introduces new requirements for network security and data protection. Based on the concept of zero trust, PCI DSS v4.0 requires the mandatory use of automated mechanisms to protect against phishing and web application firewalls. There is a two-year transition period from PCI DSS version 3.2.1, which will be retired on March 31, 2024.

2. Correctly assess your level

As previously mentioned, a company will be assigned a PCI DSS compliance level based on the number of transactions it executes in a year. The more transactions a merchant processes, the higher the perceived risks, and the more stringent the route to validating compliance.

Level 1 organizations need to provide a yearly Report on Compliance (RoC) which involves an audit performed by a QSA or ISA certified by the PCI SSC. The auditor submits the RoC to the organization’s acquiring institutions to demonstrate its compliance. They must also undergo an annual network scan by an approved scanning vendor (ASV).

For Levels 2 to 4, merchants can complete an SAQ with multiple versions to accommodate different types of businesses and processing methods. Requirements for these levels, however, may differ depending on the card scheme. MasterCard, for example, requires Level 2 organizations to complete their SAQ with the assistance of a trained QSA or ISA.

3. Apply basic security measures

Several PCI DSS requirements fall under the umbrella of basic network and system security measures, including the use of a firewall and antivirus software and changing default passwords. Many organizations will already have these in place. Those who do not must install and maintain a firewall configuration to protect cardholder data, install and update antivirus software, and not use vendor-supplied defaults for system passwords and other security parameters.

Installing and maintaining network security controls is also very important. This includes cloud access controls, software-defined networking tools, and any other system that examines network traffic. Organizations should also apply secure configurations to all system components. In addition to not using vendor-supplied default passwords, it’s essential to remove unnecessary accounts and disable unneeded services.

4. Protect cardholder data

This category of requirements is the most important for PCI DSS compliance. Companies must know where cardholder data is stored and how it moves in and outside of their network. Cardholder data must be protected regardless of the state it finds itself in: at rest, in use, or in motion.

Strong cryptography during transmission over open, public networks is also required to protect cardholder data. When primary account number (PAN) data is transmitted over a public network like the Internet or wireless technologies (Wi-Fi), encrypt it either before transmission, encrypt the session, or, for maximum protection, do both.

Organizations can use Data Loss Prevention (DLP) tools such as Endpoint Protector by CoSoSys to discover, monitor, and control the transfer and storage of cardholder information. When data needs to be transferred, it should be encrypted to ensure it is not stolen once it leaves the company network.

5. Develop and maintain secure systems and applications

Companies should assess the risks of all their systems and applications before deploying them to process cardholder information. They should also be continuously patched and updated to address the latest vulnerabilities. PCI DSS compliance should be a key consideration when systems and applications are developed in-house. If they will be used to process cardholder data, they must meet PCI DSS security standards.

It’s crucial to protect all systems and networks from malicious software. This requires putting in place a range of controls that protect against all types of malware. A comprehensive anti-malware tool that protects against trojans, rootkits, and ransomware provides the best coverage for organizations.

6. Restrict access to cardholder data

Another big way in which companies can protect cardholder data is by restricting access to it. This means employees should be granted access only on a need-to-know basis and access control measures should be implemented through authentication technology and different levels of access based on an employee’s duties. PCI DSS also requires the prevention of unauthorized physical access to cardholder information stored in data centers or server rooms through measures such as locks and cameras.

Organizations should also put in place processes and systems that enable you to able to identify users and what they’re doing. Effective authentication ensures you can verify that users are who they claim to be. Implementing multi-factor authentication is key to preventing unauthorized access to sensitive data.

7. Regularly monitor and test networks

For continued PCI DSS compliance, networks and security mechanisms must be regularly tested and monitored. This is to verify that they continue to be sufficient for compliance. Monitoring also supports efforts to detect potential breaches or internal security policy violations.

Monitoring for suspicious activity helps in the early detection of potential breaches. It is essential for organizations to regularly test security systems by performing vulnerability scans and penetration testing of system components to identify potential security gaps. Identifying and addressing security vulnerabilities is crucial for PCI DSS compliance.

8. Implement and maintain an information security policy

PCI DSS compliance needs to be organizational which is why merchants should create, implement, and maintain a company-wide information security policy. A continuous training program for all employees and management, educating them about cybersecurity risks and the importance of protecting payment card data is needed. This helps in identifying and reporting suspicious activity and understanding the consequences of non-compliance with PCI DSS.

Organizations must ensure that cardholder information continues to be protected when they outsource payment processing to third parties, especially those handling e-commerce or point-of-sale (POS) transactions. These parties must adhere to PCI DSS requirements, especially when they have access to the organization’s network or process payment card data.