Pci Dss Compliance Checklist

This document provides an overview of PCI DSS compliance requirements for securing payment card data. It outlines 10 key requirements for building and maintaining a secure network, including installing firewalls, changing default passwords, encrypting data transmission, updating antivirus software, restricting access to cardholder data, and assigning unique user IDs/passwords. The document also lists specific policy and implementation requirements within each section to help organizations prepare for a PCI audit.

PCI DSS compliance checklist

We’ve created an interactive checklist to help you get started with your compliance journey.
While our checklist is not exhaustive, it provides a foundational starting point when preparing
for PCI DSS compliance.

Our checklist is in accordance with PCI v3.2.1, which is the current version of PCI DSS.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Goal: Build and maintain a secure network and systems

Policy and process requirements:

• Formal documentation for testing and approval of network changes

• Firewall, router, and personal firewall configuration standards

• Document the review of firewall rule sets every six months

• Document ports and services justification for every inbound and outbound rule

Implementation requirements:

• Configure and implement secure firewall and router settings and rules

• Configure network segmentation and network subnets to restrict connections
between trusted networks and any external untrusted network

• Prevent public direct access between the internet and any system component in the
internal cardholder data environment

• Install personal firewall software on all internet-connected portable devices that are
also used to access the cardholder data environment

• Implement security features for any insecure services utilized within the cardholder
data environment

• Install perimeter firewalls between all wireless networks and the cardholder data
environment

Requirement 2: Eliminate vendor defaults for passwords and other security parameters
Goal: Build and maintain a secure network and systems

Policy and process requirements:


• Document security policies and processes to manage vendor default settings and
vendor security best practice documentation

• Develop configuration standards for all system components

• Create and maintain a wireless network security policy

Implementation requirements:
• Change all vendor-supplied defaults and remove or disable unnecessary default
accounts before installing a system on your network

• Change all wireless vendor defaults at installation for wireless environments that
connect to the cardholder data environment or that transmit cardholder data

• Implement all systems utilizing documented configuration standards and
vendor best practice

• Encrypt all non-console administrative access utilizing strong cryptography

Requirement 3: Protect stored cardholder data
Goal: Protect cardholder data

Policy and process requirements:


• Document a data retention and disposal policy detailing retention time requirements
and a secure process for deletion of data

• Define a quarterly process for regularly identifying and deleting stored cardholder
data that exceeds the retention period

• Document a key management policy and process defining the secure generation,
storage and distribution of encryption keys

Implementation requirements:
• Verify sensitive authentication data is not being stored (such as the card verification
code or PIN) after authorization, even if it is encrypted

• Implement a strong key management process including secure storage
configurations and restricting access to only required key custodians

• Verify PAN is unreadable whenever stored and masked when displayed.
Only explicitly authorized personnel should be able to view unmasked PAN

Requirement 4: Encrypt payment data transmission
Goal: Protect cardholder data

Policy and process requirements:


• Document the controls in place for encrypting cardholder data when transmitted
over open public networks with strong cryptography

• Document the configuration standards for implementing strong authentication and
transmission encryption for wireless networks

• Document the process for acceptance of trusted keys and certificates

Implementation requirements:
• Identify all locations where cardholder data is being sent over public networks and
verify strong encryption is being used

• Verify when PAN is sent over end-user messaging technologies, the PAN data is
unreadable or secured utilizing strong cryptography

• Ensure only trusted keys and certificates are accepted

Requirement 5: Protect against malware and regularly update antivirus software
Goal: Maintain a vulnerability management program

Policy and process requirements:


• Maintain policies for antivirus including how the software detects, removes,
and protects against all known types of malicious software

Implementation requirements:
• Verify antivirus software is kept current, performs periodic scans, and generates
audit logs

• Ensure antivirus software is actively running and cannot be disabled by users
without prior approval on all systems commonly affected by malware

Requirement 6: Establish secure systems and applications
Goal: Maintain a vulnerability management program

Policy and process requirements:


• Document a process to identify new security vulnerabilities and assign
vulnerability risk

• Document change control policies and procedures

• Document a software development policy including secure coding techniques
and processes for addressing common coding vulnerabilities

Implementation requirements:
• Perform vulnerability assessments against web applications or use an automated
technical solution such as a web application firewall

• Protect systems from known vulnerabilities by installing applicable vendor
security patches

• Verify software is developed based on industry standards or best practice and
developed in accordance with PCI DSS standards including security throughout
the development lifecycle

• Ensure code reviews are being performed for all production code changes by an
individual other than the author

Requirement 7: Restrict cardholder data access
Goal: Implement strong access control measures

Policy and process requirements:


• Document a policy for access control that addresses access need and privilege
assignment, least privilege, and job classifications

Implementation requirements:
• Inspect system access regularly to determine that privileges assigned are
necessary for the job function and are restricted to least privilege

Requirement 8: Assign unique user IDs and passwords
Goal: Implement strong access control measures

Policy and process requirements:


• Document a policy and process for the creation, revocation, and modification
of access

• Document a policy for the management of user IDs including password policy,
lockout duration, authentication methods, and user guidance on credential usage

Implementation requirements:
• Remove or disable any inactive accounts that are 90 days old

• Ensure passwords have a minimum length of 7 characters and require complexity
including both alphabetic and numeric characters

• Change user passwords at least every 90 days

• Ensure all non-console administrative access and remote access into the cardholder
data environment requires multi-factor authentication

• Do not use generic accounts and do not utilize shared accounts for administrative or
critical functions
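The implementation items above are concrete enough to check automatically against an account export. The following is an added example written for this checklist, not code from the original document: it encodes the 7-character alphanumeric password rule, the 90-day password age and 90-day inactivity limits, the MFA requirement for administrative or remote access, and a flag for generic account names. The `Account` record shape, the list of generic names and the sample accounts are assumptions constructed for the demonstration; a real review would populate them from the directory or IAM system.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_PASSWORD_LENGTH = 7      # PCI DSS v3.2.1 req. 8.2.3
MAX_PASSWORD_AGE_DAYS = 90   # req. 8.2.4
MAX_INACTIVE_DAYS = 90       # req. 8.1.4
# Assumed list of generic/shared account names; adjust to the environment.
GENERIC_ACCOUNT_NAMES = {"admin", "administrator", "root", "shared", "operator"}


@dataclass
class Account:
    username: str
    password_set: datetime
    last_login: Optional[datetime]   # None means the account has never logged in
    is_admin: bool
    remote_access: bool
    mfa_enabled: bool


def password_meets_policy(password: str) -> bool:
    """Minimum seven characters with at least one letter and one digit."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def account_findings(acct: Account, now: datetime) -> list:
    """Return the list of requirement-8 findings for one account (empty if clean)."""
    findings = []
    if acct.last_login is None or (now - acct.last_login).days > MAX_INACTIVE_DAYS:
        findings.append("inactive for more than 90 days: remove or disable")
    if (now - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than 90 days")
    if (acct.is_admin or acct.remote_access) and not acct.mfa_enabled:
        findings.append("administrative/remote access without multi-factor authentication")
    if acct.username.lower() in GENERIC_ACCOUNT_NAMES:
        findings.append("generic or shared account name")
    return findings


def review_accounts(accounts, now: datetime) -> dict:
    """Map each account that has at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = account_findings(acct, now)
        if findings:
            report[acct.username] = findings
    return report


NOW = datetime(2024, 3, 1)
# Constructed sample accounts for the demonstration
SAMPLE_ACCOUNTS = [
    Account("jdoe", NOW - timedelta(days=30), NOW - timedelta(days=2), False, False, False),
    Account("admin", NOW - timedelta(days=200), NOW - timedelta(days=1), True, True, False),
    Account("contractor7", NOW - timedelta(days=10), NOW - timedelta(days=120), False, True, True),
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(user, "->", "; ".join(findings))
```

The checker deliberately treats an account that has never logged in as inactive, since a never-used account that is older than the inactivity window is exactly what the "remove or disable" item targets.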

Requirement 9: Restrict physical access to cardholder data
Goal: Implement strong access control measures

Policy and process requirements:


• Develop a policy for managing, securing, and destroying physical media

• Document a procedure for identifying new onsite personnel and visitors,
changing access requirements and revoking terminated onsite personnel and
expired visitor identification

• Distribute security training materials to personnel at point-of-sale locations

Implementation requirements:
• Implement facility entry controls and security controls to limit and monitor physical
access to systems

• Implement a visitor security program including the use of visitor authorization,
visitor badges, and visitor logs

• Verify physical media management includes securely storing, distributing, and
classifying media

• Maintain a list of POS devices and periodically inspect devices for tampering
or substitution

Requirement 10: Track and monitor network access
Goal: Regularly monitor and test networks

Policy and process requirements:


• Document policies and procedures for monitoring and reviewing log files daily

• Review and document logs and security events for all system components to
identify abnormalities or suspicious activity

Implementation requirements:

• Implement automated audit trails for all system components for the
following events:

  • All individual access to cardholder data

  • All actions taken by any individual with root or administrative privileges

  • Access to all audit trails

  • Invalid logical access attempts

  • Use of and changes to identification and authentication mechanisms, including:

    • All elevation of privileges

    • All changes, additions, or deletions to any account with root or
      administrative privileges

  • Initialization of audit logs

  • Stopping or pausing of audit logs

  • Creation and deletion of system level objects

• Verify audit logs are retained with three months immediately available for
analysis and one year archived
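A common gap in a PCI audit is that logs exist but do not cover every event type in the list above. The following is an added example, not part of the original checklist: it classifies constructed syslog-style lines into the requirement 10.2 event types and reports which types no log source is producing. The regular expressions and the sample lines are assumptions written in the style of Linux sshd, sudo, auditd and useradd messages plus a hypothetical payment application log; a real deployment maps its own sources to these categories.

```python
import re

# PCI DSS v3.2.1 req. 10.2 event types the audit trail must capture
REQUIRED_EVENTS = [
    "cardholder data access",
    "privileged action",
    "audit trail access",
    "invalid logical access attempt",
    "authentication mechanism change",
    "audit log start/stop",
    "system-level object change",
]

# Assumed patterns; first match wins. Replace with the formats of your own sources.
EVENT_PATTERNS = [
    ("invalid logical access attempt", re.compile(r"Failed password for|authentication failure")),
    ("privileged action", re.compile(r"sudo: .*COMMAND=")),
    ("authentication mechanism change", re.compile(r"useradd\[|usermod\[|passwd\[|groupadd\[")),
    ("audit log start/stop", re.compile(r"auditd\[\d+\]: .*(exiting|stopped|started|paused)")),
    ("audit trail access", re.compile(r"/var/log/audit/")),
    ("cardholder data access", re.compile(r"app=payment .*action=read_pan")),
    ("system-level object change", re.compile(r"kernel: .*module .* loaded")),
]

# Constructed sample log lines (hostnames, users and addresses are fictitious)
SAMPLE_LOG = """\
Mar  1 09:12:01 pos1 sshd[2211]: Failed password for invalid user guest from 10.0.0.9 port 50122 ssh2
Mar  1 09:13:44 pos1 sudo:    jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
Mar  1 09:13:45 pos1 auditd[541]: The audit daemon is exiting.
Mar  1 09:20:10 db1 app=payment user=svc_reports action=read_pan count=250
Mar  1 09:25:00 db1 useradd[7013]: new user: name=tmpadmin, UID=0, GID=0
Mar  1 09:30:00 pos1 CRON[800]: (root) CMD (run-parts /etc/cron.hourly)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def classify(line: str):
    """Return the req. 10.2 event type for a log line, or None if it matches none."""
    for event, pattern in EVENT_PATTERNS:
        if pattern.search(line):
            return event
    return None


def coverage(lines) -> dict:
    """Count lines per required event type; unmatched lines go to 'unclassified'."""
    counts = {event: 0 for event in REQUIRED_EVENTS}
    counts["unclassified"] = 0
    for line in lines:
        if not line.strip():
            continue
        counts[classify(line) or "unclassified"] += 1
    return counts


def missing_coverage(lines) -> list:
    """Required event types for which the sampled logs contain no events at all."""
    counts = coverage(lines)
    return sorted(event for event in REQUIRED_EVENTS if counts[event] == 0)


if __name__ == "__main__":
    for event, n in coverage(SAMPLE_LINES).items():
        print(f"{n:4d}  {event}")
    print("no coverage:", missing_coverage(SAMPLE_LINES))
```

In the sample, the second and third lines together show why the "stopping or pausing of audit logs" event type matters: the privileged command is logged by sudo, and the daemon exit is logged by auditd, so both lines should reach the central log store before the local audit trail goes quiet. Running `missing_coverage` against a day of real logs from each system component gives a direct answer to the "all system components" wording of the requirement.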

Requirement 11: Test security systems and processes
Goal: Regularly monitor and test networks

Policy and process requirements:


• Document a process for identifying and removing unauthorized wireless access
points and inventory all authorized wireless access points in use

• Document a methodology used for penetration testing based on industry-accepted
penetration testing approaches

Implementation requirements:
• Perform quarterly internal vulnerability scans and complete quarterly external scans
utilizing an approved scanning vendor

• Perform internal and external penetration testing annually and after any significant
infrastructure or application upgrade or modification. Segmentation testing must be
performed bi-annually for service providers.

• Implement intrusion detection or prevention systems to monitor all traffic at the
perimeter of the cardholder data environment

• Implement a change detection mechanism such as file integrity monitoring to
generate alerts for unauthorized modification of system and configuration files

Requirement 12: Establish and maintain an information security policy
Goal: Maintain an information security policy

Policy and process requirements:


• Document an information security policy which is reviewed annually and changed
in relation to the risk environment or business objectives

• Document a risk assessment process which includes how to identify assets, threats,
and vulnerabilities

• Document acceptable use policies for all technologies and products in use

• Document an incident response plan and procedures to ensure your organization
is prepared to respond immediately to a system breach

• Document the responsibility of your service providers and perform due diligence
against their compliance efforts

Implementation requirements:
• Formally assign information security responsibilities to the appropriate personnel

• Train all personnel on cardholder data security awareness and require personnel
to acknowledge they understand all applicable policies and procedures

• Perform background screening of prospective employees within constraints of
the local law

• Review and test the incident response plan at least annually
