PCI DSS Compliance Checklist: Understanding the 12 Requirements

Companies that handle credit card data must comply with the many requirements of PCI DSS. Learn how to achieve and maintain PCI compliance.
Troy Fine

by Troy Fine

September 16, 2022

Credit card brands and their issuers created a set of controls, the Payment Card Industry Data Security Standard (PCI DSS), to protect cardholders’ personal and financial information.

If you’re getting prepared for PCI compliance, this article will help you understand: 

  • What PCI DSS compliance means.

  • The 12 requirements of PCI DSS compliance.

  • Four simple steps to getting started.

  • The changes in PCI DSS v4.0.

What is PCI DSS Compliance?

PCI DSS defines minimum standards for securing and protecting consumers’ cardholder data. 

These standards apply to any company that accepts, processes, stores, or transmits cardholder data. Cardholder data includes Primary Account Number (PAN) , Cardholder Name, Expiration Date, Service Code, and Sensitive Authentication Data. 

Vendors at your local farmers’ markets, big box retailers, e-commerce companies, card issuers, payment processors, and third-party service providers impacting their customers’ cardholder data environments or implementing PCI requirements on behalf of their customers must meet the requirements set out in PCI DSS.

Naturally, different types of companies face different types of risks. Many retail and online merchants have low-risk profiles. The farmer who runs a credit card through an app does not possess credit card data—the app stores that information. In these cases, merchants become PCI DSS compliant by submitting a self-assessment questionnaire to their payment processor.

In the case of large retailers, payment processors, banks, and other companies that store and transmit cardholder data, PCI DSS compliance is much more involved. These companies must prove they have the controls needed to comply with PCI DSS. Often, that proof requires a compliance report from a third-party auditor called a Qualified Security Assessor.

The 12 Standard Requirements 

To achieve PCI DSS compliance, companies must meet the following 12 standard requirements:

1. Protect Cardholder Data by Installing a Firewall

Firewalls use security rules to control traffic entering and leaving networks. They stand between a private network and the public internet to keep hackers out. 

Firewalls can also work within the network as an extra defense around databases containing cardholder information. Properly configuring and maintaining network firewalls is an essential element of network security.

2. Do Not Use Vendor-Default Passwords and Security Parameters

Hardware and software vendors ship their products with default passwords and security configurations, expecting customers to use something else. Many people and organizations never do, essentially leaving their front doors unlocked. Cybercriminals share lists of these defaults which can make their attacks much easier. 

PCI DSS expects organizations to replace these vendor defaults on every device and system.

3. Protect Cardholder Data at Rest

Information security requires a layered defense.

Even if hackers steal a password, breach a network, find a credit card database, and then exfiltrate the data from the network, there is still a chance to keep them from using cardholder information. Encrypting data stored on company servers makes stolen data too difficult to read.

4. Encrypt Cardholder Data in Transit

Data passing from one location to another can be particularly vulnerable to theft—especially if that journey passes over the public internet. Encryption makes any intercepted data unreadable, whether the data is passing between servers or destined for a mobile app.

5. Protect All Systems Against Malware

Antivirus and anti-malware software must constantly scan every system to defend against attacks. However, these applications are only effective against known threats. Organizations must quickly push updates to anti-malware applications to ensure the strongest protection against attack.

6. Develop and Maintain Secure Systems and Applications

Security policies must inform development processes from the beginning. Whether organizations are reconfiguring an office or developing a cloud application, it is much easier to include security at the beginning than tack it on at the end. 

Once deployed, every system will require continuous security maintenance.

7. Use Need-to-know Policies to Restrict Access to Cardholder Data

Since people are the weakest link in the security chain, organizations must minimize the risks people present. Limiting who can access the hardware and software handling cardholder data reduces the odds that stolen passwords could compromise that data. 

Organizations impost these restrictions through authorization policies based on need-to-know criteria.

8. Authenticate Access to all Systems

Identity verification is another way to minimize the human factor. Assigning every user a unique ID lets security teams track access attempts and spot unusual behavior. New requirements for multi-factor authentication add an extra verification step.

9. Restrict Physical Access to Cardholder Data

Security is not limited to networks. Compliance requires controlling physical access to any place where organizations physically or digitally store cardholder information. Security cameras and other systems should continuously monitor and record everyone accessing these areas.

10. Continuously Monitor Access to Networks, Systems, and Cardholder Data

Network security breaches can happen at any time. The faster administrators spot the attack, the faster they can cut off the hackers and lock down sensitive systems. 

However, high-volume traffic flowing across networks is so high that nobody can do it manually. Automated systems can detect and mitigate unusual traffic patterns or alert security administrators for more urgent action.

11. Regularly Test Security Systems and Processes

A security plan begins degrading the minute it is deployed. In response to a changing security landscape, businesses must constantly test and improve their security systems. Scans of network defenses and third-party penetration testing can spot security gaps before they become too serious.

12. Maintain Information Security Policies for all Personnel

Security is not the job of one person or team. Everyone in the organization has security responsibilities. PCI DSS-compliant organizations develop information policies with clearly-defined roles and responsibilities. Regular security training ensures people understand how they can keep networks and information secure.

4 Steps to Prepare for PCI Compliance

Here are four simple steps that will put you on the right track to PCI compliance: 

1. Determine if You’re a Merchant or Third-party Service Provider

Most businesses know their merchant status, however, determining whether you’re a third-party service provider can be trickier. Here are the definitions from PCI SCC


A merchant is any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. 

Service Provider

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.

2. Figure Out Your Scope of Compliance

If you are a merchant, determine your validation requirements based on the number of transactions you accept from each payment brand. If you’re only required to complete a self-assessment questionnaire (SAQ), determine the appropriate SAQ to complete.

If you’re a third-party service provider, determine if your customers require SAQ D or QSA to complete an audit and corresponding Report on Compliance (ROC).

3. Determine the Type of Cardholder Data You Work With

Determine what type of cardholder data you store, process, or transmit. For PCI, cardholder data consists of the full primary account number (PAN) plus the cardholder name, expiration date, and service code. 

Although not stored, you may also transmit or process Sensitive Authentication Data including card validation codes and PINs. 

4. Implement Applicable PCI Requirements 

By following the steps above, you’ll be able to determine the PCI requirements applicable to your business. The twelve compliance requirements can be grouped into six broad categories that describe what organizations need to do to comply with PCI DSS, here they are:

  • Build and maintain a secure network and systems.

  • Protect cardholder data.

  • Maintain a vulnerability management program.

  • Implement strong access control measures.

  • Regularly monitor and test networks.

  • Maintain an information security policy.

4.0 Modifications

Some of the previous PCI DSS requirements were becoming dated in the face of new technologies and emerging threats. The PCI Security Standards Council developed an updated set of standards, PCI DSS v4.0, to give its stakeholders more flexibility while becoming more secure. These updates fall into four broad categories:

Address Evolving Security Needs

Cyberattacks do not only target network security systems. They increasingly target the weakest security link, people. Anyone is a potential victim of social engineering attacks that open the door for hackers to access sensitive data. 

Version 4.0 adds new security practices, including:

  • Multi-factor authentication (MFA).

  • Strong password practices.

  • Ongoing defenses against e-commerce and phishing attacks.

In addition, the PCI Security Standards Council updated its security technologies descriptions to encompass modern firewall alternatives.

Security as a Continuous Process

Security cannot be a one-time event. Attacks can come from any direction at any time. Everyone in the organization must have clearly assigned and well-understood security responsibilities. This new PCI DSS guides stakeholders as they make security a continuously improving process.

Flexibility to Use Different Security Methods

Rather than specifying technologies and practices that could quickly become outdated, PCI DSS v4.0 adopts a risk-based approach that lets organizations create methods for protecting cardholder information appropriate to their business and risk tolerance.

Enhanced Validation

PCI DSS compliance assures cardholders, customers, and other stakeholders that an organization can protect cardholder information. The new standards create options for validation and reporting that deliver more granularity and transparency.

PCI DSS compliance can seem overwhelming, especially for companies that store high volumes of cardholder data. An automated compliance platform from Drata simplifies your compliance efforts by letting you manage your PCI DSS controls and requirements in a single dashboard.

Schedule a demo so our dedicated team of compliance experts can show you how to become PCI DSS audit ready.

Trusted Newsletter
Resources for you
PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

G2 Fall Reports Thumb

Drata Shines in G2 Fall Reports

Cyberattacks on Local Govs Hero

Cyberattacks on Local Governments on the Rise, Highlighting a Need for Enhanced Security

Troy Fine
Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

PCI Compliance Cost What It Takes to Become Certified

PCI DSS Compliance Cost: What It Takes to Become Certified


PCI DSS Compliance Checklist: Understanding the 12 Requirements

Choosing the Right PCI SAQ for Your Business

Choosing the Right PCI SAQ for Your Business