PAYMENT COMPLIANCE

PCI-DSS Compliance Checklist

Track your Payment Card Industry Data Security Standard v4.0 compliance with this interactive checklist covering all 12 requirements.

OVERALL PROGRESS0%(0 / 37)

1.1

Network security controls are defined and maintained

Establish and maintain firewall and router configuration standards

Document all network connections and data flows
Define firewall rules and review regularly
Maintain network diagrams

1.2

Inbound and outbound traffic is restricted

Restrict connections between untrusted networks and the cardholder data environment

Configure firewalls to deny all by default
Document business justification for allowed protocols
Implement stateful inspection

1.3

Direct public access to cardholder data is prohibited

Prohibit direct public access between the internet and systems storing cardholder data

Use DMZ architecture
Never expose databases to the internet
Implement network segmentation

2.1

Change vendor-supplied defaults

Always change vendor defaults before installing a system on the network

Change all default passwords
Remove unnecessary default accounts
Disable unnecessary services

2.2

Develop configuration standards

Develop configuration standards for all system components

Create hardening standards
Document secure configurations
Enable only necessary services

2.3

Encrypt non-console administrative access

Encrypt all non-console administrative access using strong cryptography

Use SSH, VPN, or TLS
Disable Telnet, HTTP
Implement strong cipher suites

3.1

Minimize data storage

Keep cardholder data storage to a minimum

Document data retention policy
Purge data after retention
Store only necessary data

3.2

Do not store sensitive authentication data

Do not store sensitive authentication data after authorization

Never store full track data
Never store CVV/CVC codes
Never store PIN blocks

3.3

Mask PAN when displayed

First 6 and last 4 digits maximum

Display only last 4 digits
Implement role-based access
Mask PAN in logs

3.4

Render PAN unreadable

Render PAN unreadable anywhere it is stored

Use strong cryptography
Implement truncation or tokenization
Use one-way hashes

4.1

Use strong cryptography protocols

During transmission over open, public networks

Use TLS 1.2 or higher
Verify certificates
Use only secure cipher suites

4.2

Never send unencrypted PANs via messaging

Never send unencrypted PANs by end-user messaging technologies

Never email card numbers
Prohibit PANs via SMS or chat
Train staff

5.1

Deploy anti-malware solutions

On all systems commonly affected by malware

Install antivirus on Windows systems
Keep definitions current
Evaluate other systems

5.2

Anti-malware is active and maintained

Active, maintained, and monitored

Enable automatic updates
Perform periodic scans
Generate audit logs

6.1

Identify and manage security vulnerabilities

Processes are in place to identify security vulnerabilities

Use reputable vulnerability sources
Assign risk rankings
Install critical patches within 30 days

6.2

Develop software securely

Bespoke and custom software is developed securely

Train developers in secure coding
Follow OWASP guidelines
Review custom code

6.3

Protect web applications

Public-facing web apps are protected against attacks

Use a WAF
Conduct security assessments
Address OWASP Top 10

7.1

Define access control policies

Restrict access to system components

Define access needs per role
Restrict to minimum necessary
Document access levels

7.2

Implement access control system

Access is appropriately defined and assigned

Use RBAC
Default deny
Review access regularly

8.1

Assign unique IDs

Identification and authentication processes managed

Unique ID per user
Manage credentials
Remove inactive accounts

8.2

Strong authentication for users

Strictly managed

MFA for admin access
Strong password policies
Lock after failed attempts

8.3

Strong authentication for all access

Established for users and admins

MFA for all remote access
MFA for non-console CDE
Protect against replay attacks

9.1

Define physical security policies

Physical access control processes

Limit physical access to CDE
Use access control mechanisms
Escort visitors

9.2

Manage physical access controls

Manage entry into facilities and sensitive areas

Use video cameras
Protect against tampering
Log physical access

9.3

Protect media containing cardholder data

Securely managed

Classify media
Securely send/receive
Destroy when not needed

10.1

Implement logging mechanisms

Logging access processes defined

Log all CHD access
Log admin actions
Log auth attempts

10.2

Audit logs capture required events

Support detection of anomalies

Record user identification
Type of event and date/time
Success/failure indication

10.3

Protect audit logs

From destruction and unauthorized modifications

Restrict log access
Use integrity monitoring
Backup logs to central server

10.4

Review logs and security events

Reviewed to identify anomalies

Daily review of critical events
Review all components
Follow up on exceptions

11.1

Wireless access points testing

Identify and test for wireless access points

Test for unauthorized wireless quarterly
Maintain inventory
Respond to unauthorized wireless

11.2

Vulnerability scanning

Internal and external vulnerabilities identified and addressed

Quarterly internal scans
Quarterly external ASV scans
Rescan until passing

11.3

Penetration testing

External and internal penetration testing performed

Annual pen testing
Network and app layers
Address findings and retest

11.4

Intrusion detection

IDS/IPS used

IDS/IPS at perimeter
Monitor all CDE traffic
Keep signatures up to date

12.1

Establish security policy

Comprehensive policy established and maintained

Establish and publish
Review at least annually
Define roles and responsibilities

12.2

Manage risk

Acceptable use and risk assessment processes

Annual risk assessments
Define acceptable use
Identify and classify assets

12.3

Security awareness program

Education provided to all personnel

Train upon hire
Train at least annually
Require acknowledgment

12.4

Incident response plan

Established and tested

Create plan
Test annually
24/7 response personnel

DISCLAIMER

This checklist is for educational purposes only. Actual compliance requires a formal assessment by a Qualified Security Assessor (QSA) or completion of the appropriate Self-Assessment Questionnaire (SAQ).

Merchant levels

Level	Annual transactions	Validation requirements
Level 1	Over 6 million	Annual ROC by QSA, quarterly ASV scans
Level 2	1–6 million	Annual SAQ, quarterly ASV scans
Level 3	20K–1M (e-commerce)	Annual SAQ, quarterly ASV scans
Level 4	< 20K (e-commerce) or 1M total	Annual SAQ, quarterly ASV scans recommended

FAQ

What is PCI-DSS and who must comply?

PCI-DSS is a set of security requirements for organizations that handle credit card data. Any business that accepts, processes, stores, or transmits cardholder data must comply.

What's new in PCI-DSS v4.0?

Customized approach validation, MFA everywhere, stronger encryption, more focus on continuous testing, expanded service provider scope.

What is an SAQ?

Self-Assessment Questionnaire — validation tool for merchants to self-assess compliance based on payment processing methods.

Penalties for non-compliance?

Monthly fines from $5K to $100K, increased transaction fees, loss of card processing, liability for fraud losses.

How often is validation required?

Annual validation via SAQ or ROC. Quarterly ASV scans. Annual penetration testing.

What is the CDE?

Cardholder Data Environment — all systems, people, and processes that store, process, or transmit cardholder data.

Do I need PCI-DSS if I use a processor?

Yes, but scope may be reduced. Tokenization or hosted payment pages can minimize compliance burden.

RELATED TOOLS

BOOK A CALL

Need help with PCI-DSS compliance?

Our team has experience building PCI-compliant payment systems and e-commerce platforms.

Or WhatsApp +91 90710 67777