PCI Compliance Checklist – Achieving PCI DSS Compliance

To comply with the PCI DSS, an organization should follow three steps:

  • Assessment – this includes identifying the cardholder data, taking an inventory of the technology and business processes and analyzing them for vulnerabilities.
  • Remediate – once detected, fix the vulnerabilities and don’t store unnecessary cardholder data.
  • Report – document and submit remediation validation reports, as well as compliance reports, to the bank and card brands involved.


PCI DSS Certification vs. Compliance: What’s the Difference?

PCI certification is essentially the same as compliance—it requires your business to adhere to the same 12 requirements, in accordance with your PCI level. The difference is that:

  • PCI compliance is voluntary and based on self-assessment, or a lightweight external assessment that takes less than a month.
  • PCI certification is a much longer process which can take up to 6 months, and involves in-depth investigation by a Qualified Security Assessor (QSA) whether your business meets each one of the hundreds of sub-requirements of the PCI DSS standard.

Do you need full PCI certification?
If you are a PCI Level 1 business, yes. If not, you are not required to perform PCI certification, but can elect to do so to. Many businesses become PCI certified to increase the confidence of customers and other third parties in their information security standards.

PCI Security Compliance Checklist

Follow this process to ensure your organization is PCI compliant:

  1. Determine PCI level – find out the number of transactions you process annually, then compare it to the requirements of each credit card company you plan to support.
  2. Map the flow of cardholder data – including applications, systems and people who work with credit card data. All credit payment platforms and storage systems that hold card data must be included. This is usually done with the assistance of IT staff.
  3. Fill out the Self-Assessment Questionnaire (SAQ) – the SAQ is a tool used to validate PCI compliance, which checks if your business meets each of the 12 requirements listed above (organized into 6 cControl mMeasures); each requirement is broken down into smaller steps. Your business must meet all the requirements to be compliant. If you are a PCI Level 1 business, a PCI approved auditor will validate your compliance.
  4. Fill out the Attestation of Compliance (AOC) – this document differs according to the PCI compliance level of your business. AOC ensures that you fulfill every PCI compliance step.
  5. Conduct a vulnerability scan – you can hire approved scanning vendors (ASVs) to scan for security vulnerabilities and make sure that you meet all standards. You can decide if you need an ASV based on the results of your SAQ.
  6. Submit documents – you may need to submit documents including AOC, SAQ, and ASV reports to banks, credit card companies, etc.
  7. Monitoring—your business, the infrastructure and the data you store may change with each security scan. Therefore, it is necessary to monitor compliance on an ongoing basis throughout the year. There should be a security team responsible for monitoring and responding to vulnerability and threats.

How to Become PCI Compliant: The 12 Requirements of PCI Security Standards

To become PCI compliant, you must meet the 12 PCI compliance requirements, which are split up into 300 sub-requirements. The following PCI compliance requirements include security systems, organizational processes, testing and policies that can help protect cardholder data.

The 12 PCI compliance requirements are summarized below:

  1. Maintain a firewall – protects cardholder data inside the corporate network
  2. Passwords need to be unique – change passwords periodically, do not use defaults
  3. Protect stored data – implement physical and virtual measures to avoid data breaches
  4. Encrypt transmission of cardholder data across public networks – data must be encrypted, and you should never store card validation data
  5. Antivirus – use and regularly update antivirus on all systems holding sensitive data
  6. Develop and maintain secure systems and applications – actively search for vulnerabilities and remediate them
  7. Restrict access to cardholder data – sensitive data should be accessible on a need-to-know basis to reduce vulnerability
  8. Restrict access to system components – systems holding sensitive data should be accessible only with authentication and clear user identification
  9. Restrict physical access to cardholder data
  10. Track and monitor access to network resources and cardholder data – to provide an audit trail and assist with breach investigations
  11. Regularly test security systems and processes – identify weaknesses and remediate them

PCI Compliance Best Practices

The following best practices can help you improve security measures, to more easily comply with PCI-DSS security requirements.

Use a firewall – Per the first requirement, you’ll need to install a reliable firewall to protect your network and run regular testing to ensure efficiency.

Do not use default passwords – To be in PCI compliance, you must ensure all devices and user accounts use passwords that are unique, and that includes lowercase and capital letters, numbers and symbols, to make them more secure.

Use both digital and physical measures to protect cardholder data – The PCI standard requires you to put in place electronic and physical barriers to prevent unauthorized access to passwords. Some of these barriers may include authentication protocols, strong password policies, locked servers and locked cabinets for sensitive physical data. A related measure is restricting access to cardholder data and encrypting the transmission of cardholder information.

Create and enforce a security policy – A security policy should be drafted, supported by management, and made known across the organization, as well as to third-party vendors and customers. You should include a summary of how you protect customer data, explaining password and access requirements.

Establish an incident response process – Have a clear process for detecting, remediating, mitigating and recovering from security incidents.

Keep track of changes – Identify and review changes made to processes or technologies affecting cardholder data. Establish change controls, identifying the impact on compliance for every change.

Keep software patched and install security updates – Many of the world’s biggest security breaches resulted from an exploit of a known software vulnerability. Keeping software up to date, scanning systems for vulnerabilities and remediating them, is a critical defensive measure.