PCI DSS compliance checklist
Jun 01, 2026
Organizations that store, process or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). This checklist outlines the core PCI DSS requirements to help you evaluate your compliance posture.
PCI DSS compliance requirements
- Install and maintain network security controls
  Ensure firewalls and network controls are configured to protect cardholder data environments.
- Apply secure configurations to all system components
  Harden systems and remove default passwords and unnecessary services.
- Protect stored cardholder data
  Encrypt or otherwise secure stored payment data.
- Encrypt transmission of cardholder data
  Use strong cryptography when transmitting sensitive data over open networks.
- Protect systems from malware
  Deploy and maintain antimalware solutions where applicable.
- Develop and maintain secure systems and applications
  Apply patches, fix vulnerabilities and follow secure development practices.
- Restrict access to cardholder data
  Limit access based on business need to know.
- Identify and authenticate access to system components
  Use strong authentication methods, including multifactor authentication where required.
- Restrict physical access to cardholder data
  Control and monitor physical access to systems and environments.
- Log and monitor all access to system components
  Track and review logs to detect suspicious activity.
- Test security systems and processes regularly
  Conduct vulnerability scans, penetration testing and ongoing security testing.
- Maintain a security policy
  Establish, maintain and enforce a security policy that addresses PCI DSS requirements.
How to use this checklist
Use this checklist as a starting point to assess whether your organization meets core PCI DSS requirements. A full assessment may require deeper analysis depending on your environment, transaction volume and scope.
Need help with PCI DSS compliance?
Wipfli helps organizations assess and strengthen their PCI DSS compliance programs, from readiness assessments to ongoing monitoring and advisory support. Contact us to evaluate your compliance posture.