PCI DSS Compliance Checklist: Understanding the 12 RequirementsWe dive into each of the 12 requirements and offer a helpful PCI compliance checklist to reference as you embark on your compliance journey.
by Troy Fine
To ensure businesses are properly protecting your cardholder data, credit card brands and their issuers created a set of controls known as the Payment Card Industry Data Security Standard (PCI DSS).
The PCI standard outlines 12 requirements for achieving compliance. We dive into each of these requirements below and offer a helpful PCI compliance checklist to reference as you embark on your compliance journey.
What is PCI DSS Compliance?
PCI defines the minimum standards for securing and protecting consumers’ credit card data. These standards apply to any company that accepts, processes, stores, or transmits cardholder data.
Cardholder data includes:
The primary account number
The cardholder name
The expiration date
The service code
Sensitive authentication data, which includes magnetic stripe or chip data and PINs
PCI applies both to merchants and service providers. A merchant is any entity that accepts payment cards bearing the logos of any of the six members of the PCI Security Standards Council (SSC)—American Express, Discover, JCB, Mastercard, Visa, or UnionPay—as payment for goods and services. A service provider is a company that provides services that control or could impact the security of cardholder data.
While a vendor at your local farmers market and a big-box retailer both need to comply with PCI, the requirements will vary depending on the number of transactions the business processes in a year.
PCI organizes merchants into four levels, with Level 1 requiring more stringent compliance practices and Level 4 requiring the least stringent practices. Each payment brand sets their own reporting requirements.
For example, American Express outlines their merchant levels into the following categories:
Level 1: merchants that process more than 2.5 million transactions annually
Level 2: merchants or service providers that process 50,000 to 2.5 million transactions annually
Level 3: merchants that process 10,000 to 50,000 transactions annually
Level 4: merchants that process fewer than 10,000 transactions annually
For exact information on each payment brand's PCI reporting requirements, we encourage you to visit their website:
PCI v4.0 Changes
Some PCI requirements became dated as technology evolved and new threats emerged. The PCI SSC developed an updated set of standards, PCI DSS v4.0, to give its stakeholders both more flexibility and more security.
These updates fall into four broad categories:
Evolving security needs: Version 4.0 adds new security practices, including multi-factor authentication (MFA), strong password practices, and ongoing defenses against phishing attacks.
Security as a continuous process: Because security attacks can come from any direction at any time, everyone in the organization must have clearly assigned and well-understood security responsibilities. Version 4.0 guides stakeholders as they make security a continuously improving process.
Flexibility to use different security methods: Version 4.0 adopts a risk-based approach that lets organizations create methods for protecting cardholder information that are appropriate for their business and risk tolerance.
Enhanced validation: PCI compliance assures cardholders, customers, and other stakeholders that an organization can protect cardholder information. Version 4.0 creates options for validation and reporting that deliver more granularity and transparency.
Version 4.0 was released in Q2 2022, but the transition period from the current version (v3.2.1) to v4.0 will last until Q1 2024. Future-dated requirements must be implemented by Q1 2025 in order to comply with v4.0.
PCI Compliance Checklist
The 12 PCI 4.0 Compliance Requirements
The PCI standard is comprised of 12 compliance requirements, organized under six objectives, which are:
Establish and maintain a secure network
Protect payment card and cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Monitor and test networks regularly and evaluate their effectiveness
Maintain an information security policy
Below, we offer additional information on how to comply with the PCI compliance requirements.
1. Determine the Scope of Your Cardholder Data Environment (CDE)
Before you fill out any information on your SAQ, you need to determine your scope. PCI scope is defined as the people, processes, and system components that touch or could otherwise impact your cardholder data.
Organizations can create a cardholder data environment (CDE) that's segmented from the rest of the company's network, allowing you to narrow the scope of your PCI compliance and save you time and resources in meeting the PCI requirements.
As you're conducting your scoping exercise, you can sort systems into three buckets:
In-scope: Systems that relate to, impact, or connect to the security of cardholder data
Connected: Systems not directly involved in processing of cardholder data but are connected to your CDE
Out-of-scope: Systems that to not interact with or connect to your CDE
2. Install and Maintain Network Security Controls
Firewalls use security rules to control traffic entering and leaving networks. They stand between a private network and the public internet to keep hackers out.
Firewalls can also work within the network as an extra defense around databases containing cardholder information. Properly configuring and maintaining network firewalls is an essential element of network security.
3. Apply Secure Configurations to All System Components
Hardware and software vendors ship their products with default passwords and security configurations, which are often insecure, expecting customers to use something else. Many people and organizations never do, essentially leaving their front doors unlocked. Cybercriminals share lists of these defaults, which can make their attacks much easier.
PCI expects organizations to replace these vendor defaults on every device and system.
4. Encrypt Stored Account Data
Information security requires a layered defense. This PCI requirement states that companies must encrypt cardholder data transmissions across public networks.
Even if hackers steal a password, breach a network, find a credit card database, and then exfiltrate the data from the network, there is still a way to keep them from using cardholder information. Encrypting data stored on company servers makes stolen data too difficult to read.
5. Protect Cardholder Data With Strong Cryptography During Transmission Over Public Networks
Data passing from one location to another can be particularly vulnerable to theft—especially if that journey passes over the public internet. Encryption makes any intercepted data unreadable, whether the data is passing between servers or heading for a mobile app.
6. Protect All Systems Against Malware
Antivirus and anti-malware software constantly scan every system to defend against attacks. However, these applications are only effective against known threats. Organizations must regularly update anti-malware applications to ensure the strongest protection against attack.
7. Deploy and Maintain Secure Systems and Applications
Security policies must inform development processes from the beginning. Whether organizations are reconfiguring an office or developing a cloud application, it’s much easier to include security at the beginning than to tack it on at the end.
Once the policies are deployed, every system will require continuous security maintenance.
8. Restrict Access to System Components and Cardholder Data by Business Need to Know
Since people are the weakest link in the security chain, organizations must minimize human interaction with data. Limiting who can access the hardware and software handling cardholder data reduces the odds that stolen passwords could compromise that data.
Organizations impose these restrictions through authorization policies based on need-to-know criteria.
9. Identify Users and Authenticate Access to System Components
Identity verification is another way to minimize the human error factor. Assigning every user a unique ID lets security teams track access attempts and spot unusual activity. New requirements for multi-factor authentication add an extra verification step.
10. Restrict Physical Access to Cardholder Data
Security is not limited to networks. Compliance requires controlling physical access to any place where organizations physically or digitally store cardholder information. Security cameras and other systems should continuously monitor and record everyone accessing these areas.
11. Log and Monitor All Access to System Components and Cardholder Data
Network security breaches can happen at any time. The faster administrators spot the attack, the faster they can lock down sensitive systems.
However, traffic volume flowing across networks is so high that nobody can do it manually. Automated systems can detect and mitigate unusual traffic patterns or alert security administrators for more urgent action.
12. Test Security of Systems and Networks Regularly
A security plan begins degrading the minute it’s deployed. In response to a changing security landscape, businesses must constantly test and improve their security systems. Scans of network defenses and third-party penetration testing can spot security gaps before they become too serious.
13. Support Information Security With Organizational Policies and Programs
Security is not the job of one person or team—everyone in the organization has security responsibilities. PCI-compliant organizations develop information policies with clearly defined roles and responsibilities. Regular security training ensures people understand how they can keep networks and information secure.
How Drata Can Help You Streamline PCI Compliance
PCI compliance can seem overwhelming, especially for companies that store high volumes of cardholder data. An automated compliance platform from Drata simplifies your compliance efforts by letting you manage your PCI controls and requirements in a single dashboard.
Schedule a demo so our dedicated team of compliance experts can show you how to become PCI audit ready.