Your 12-step PCI DSS compliance checklist

The PCI DSS (Payment Card Industry Data Security Standard) contains 12 requirements that organisations must meet if they are to achieve compliance.

In this blog, we explain each requirement and demonstrate how you can simplify your compliance journey.

1. Install and maintain a firewall configuration to protect cardholder data

Firewalls help control traffic as it comes into and out of an organisation’s network. They should form a core part of your technological defences, and must be set up to deny public access and traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.

Because your network environment is subject to change, you must review your firewall configuration at least once every six months.

2. Don’t use default passwords

The simplest way for a criminal hacker to break into your systems is by correctly guessing your password. It’s also one of the quickest vulnerabilities to address. That’s why password management is typically an organisation’s top security priority.

As part of this, you must ensure that you don’t use default passwords in your payment card infrastructure. Vendor defaults usually follow a set pattern, and a criminal who works out that pattern can guess them.

You can find more advice on how to meet your compliance requirements by reading PCI Audit Success in Nine Essential Steps.

This free guide helps organisations to prepare for a PCI audit and ensure a successful outcome.

It contains:

  • Nine essential tips to prepare for a successful RoC audit;
  • A checklist of what the auditor will be looking out for on the day;
  • Invaluable tips to avoid unnecessary delays and frustrations;
  • Advice on identifying non-conformities before the audit takes place; and
  • Guidance on how to choose the right QSA.

3. Protect cardholder data

This is arguably the most broad-ranging requirement in the PCI DSS. It’s concerned with the protection of data elements themselves, whether they’re in storage, in transit, in processing or in physical form.

You will need to adopt different defences depending on where the sensitive information is and who is handling it. However, as a general rule, the Standard requires that organisations limit data storage and retention time to reduce the risk.

Likewise, it mandates that organisations do not store sensitive authentication data after authorisation, mask the PAN when displayed (the first six and last four digits should be the maximum visible) and render the PAN unreadable anywhere that it’s stored.
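The masking and "unreadable at rest" rules above, as an added example (not code from the original post): a display function that can never reveal more than the first six and last four digits, and a storage function that keeps only a keyed one-way hash of the PAN. The key here is a constructed placeholder; a real deployment would hold it in a key-management system.

```python
import hashlib
import hmac
import re

# Constructed placeholder key for the example only; never hard-code real key material.
_HASH_KEY = b"example-key-material-not-for-production"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, so we do not mask or hash values that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes, then require 12-19 digits that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 12-19 digits")
    if not luhn_ok(digits):
        raise ValueError("not a PAN: Luhn check failed")
    return digits


def mask_pan(raw: str, first: int = 6, last: int = 4) -> str:
    """Display form: at most the first six and last four digits visible, the rest replaced by '*'."""
    if first > 6 or last > 4:
        # Enforce the PCI DSS ceiling even if a caller asks for more.
        raise ValueError("at most the first six and last four digits may be shown")
    digits = normalise_pan(raw)
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def pan_reference(raw: str) -> str:
    """Storage form: keyed SHA-256 (HMAC) of the PAN, usable for matching but not reversible."""
    digits = normalise_pan(raw)
    return hmac.new(_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
```

Normalising first means "4111 1111 1111 1111" and "4111111111111111" mask and hash to the same values, so formatting differences in input never produce two records for one card.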

4. Encrypt the transmission of cardholder data

Encryption is a technology that makes transmitted data unreadable to unauthorised persons, and it should be considered whenever there is a threat of it falling into the wrong hands.

This is particularly the case when data is being shared over open, public networks, such as the Internet.

5. Protect against malware

Malware comes in many varieties, from spying software that enables criminals to snoop on the activities of employees to ransomware, which debilitates the organisation and locks it out of its files.

But no matter what type of malware a cyber criminal uses, they stick to the same techniques – typically planting it in emails for unsuspecting employees to open or exploiting known vulnerabilities.

With anti-malware and antivirus software, you can detect malicious software promptly and warn employees that an attachment is suspicious before they open it.

6. Develop and maintain secure systems and applications

This category contains a range of requirements related to implementing adequate security mechanisms.

For example, organisations must patch vulnerabilities promptly, adopt secure coding practices and correctly follow change control procedures and other secure software development practices.

7. Restrict access to cardholder data

To ensure that only authorised personnel can view sensitive data, organisations must implement systems and processes that limit access based on a need-to-know basis.

This requires you to determine what information is relevant to each job role and give employees access to only that data.

8. Assign a unique ID to each person with computer access

By assigning a unique ID to employees, you can monitor when they log in to your systems and what they access. This is essential if you are to root out insider threats or find the source of a compromised account.

9. Restrict physical access to cardholder data

Just as you implement technologies to protect data stored in your systems, so too must you protect physical records.

Depending on how extensive your physical records are, this may be even more important, as there may be no backups or data trails to alert you of a breach.

Physical defences include key cards to access certain parts of the building, filing cabinets that are kept under lock and key, and visitor logs to maintain a physical audit trail of who is coming into and out of restricted parts of the building.

10. Monitor access to network resources and cardholder data

Logging mechanisms allow you to track and analyse any anomalies on your system. They are essential for spotting suspicious activity – either at the point at which an unauthorised individual is trying to break into your systems or as you investigate a breach after it has occurred.

11. Regularly test security systems and processes

It is no good implementing security controls if you can’t tell how effective they are. That’s why the PCI DSS requires organisations to monitor their networks to detect security incidents and to regularly test those systems to ensure they work as intended.

As part of this, you may need to update and patch applications as well as keep up to date with threat management for malware and viruses.

12. Create and maintain an information security policy

The final requirement is to create a policy that establishes your organisation’s information security strategy.

It must address all employees and reflect your commitment to PCI DSS compliance. This includes your plans to implement technological defences as well as to provide training programmes to staff.

PCI DSS compliance made easy

Get started now with your PCI DSS compliance project with the help of our PCI DSS Documentation Toolkit.

It contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organisation.
