PCI DSS, which stands for Payment Card Industry Data Security Standard, exists to help businesses protect themselves and their customers by defining how sensitive personal information such as credit card data is stored.
If you are processing payments with debit or credit cards, you must meet and comply with the PCI DSS requirements. Otherwise, you may be subject to various penalties, or your card processing rights may be canceled entirely.
Fraud is a severe problem in the payment industry, and the primary source of these problems is caused by both the customers and the organizations that receive payments.
Concerning PCI compliance, all data collected from a credit and debit card, such as card number, cardholder ID, PINs, and any chip or magnetic stripe data, are data you need to secure.
Attackers also discover ways to steal such data from card readers, point of sale networks, computers, websites, wireless hotspots, and sometimes from your employees.
Fortunately, most of the data and network security measures you have should also meet your PCI compliance requirements. You can achieve full compliance by setting and maintaining simple goals and procedures.
Lack of PCI compliance for your business will cost money and reputation. Referring to the PCI compliance checklist will help you take all the necessary steps to become compliant.
You can use the PCI DSS Audit checklist to make sure you meet every requirement. But beware, the requirements may vary based on your transaction volume. It is your responsibility to track the payment transactions and choose the correct compliance level.
Because PCI DSS requirements are complicated at first glance, an essential PCI compliance checklist can assist and simplify your job as an initial introduction to PCI DSS. You can also find detailed PCI DSS compliance checklists and detailed descriptions to guide the implementation of the standards in the links under the control items’ headings.
To make it a little easier for you to establish and maintain compliance with PCI DSS, we have created a short PCI self-assessment guide and checklist. You can reach your PCI compliance by checking that no critical steps are missed.
12 Steps to Compliance with PCI DSS
PCI DSS Compliance Checklist # 1
Use firewalls to secure critical devices and networks from intruders and malware. The firewall blocks many malicious network traffic that may include malware or illegal access attempts to your system. All your devices and networks must remain protected from untrusted traffic sources or unauthorized access to maintain PCI compliance.
- Install a firewall on your network to ensure network security and prevent unauthorized access.
- To increase the efficiency of the firewall, you must have a documented firewall configuration policy.
- Identify and document unsafe services, protocols, and allowed ports.
- Perform regular reviews of your firewall to make sure your firewall rule sets are compatible with your procedures.
- Create a network topology diagram that defines all connections between the cardholder data medium and other networks.
- Install a personal firewall or any software with equivalent functionality on user devices.
PCI DSS Compliance Checklist # 2
Never use the default password and system parameters. Routers and other devices you may be used for POS most likely come with a default password. Most wireless routers use a default password, such as admin or password. Using the default passwords without changing them makes it much easier for attackers to enter the network and gain unauthorized access to devices.
- Do not use manufacturer-supplied default values for system passwords and other security parameters.
- Establish configuration standards for all system components.
- Ensure that servers perform only one primary function to avoid coexisting different core functions on the same server and requiring different security levels.
- Enable only necessary services, protocols, background procedures as required for business needs.
- Keep an inventory of system components that are covered by PCI DSS.
- Ensure security policies and operating procedures for managing manufacturer defaults and other security parameters are documented, in use, and known to all affected parties.
PCI DSS Compliance Checklist # 3
Focus on protecting cardholder data. There are many methods to protect cardholder data, including encryption, hashing, and masking. The important thing is that if there is no business need or legal obligation, do not store cardholder data. If you need to hide, use encryption, hashing, or masking methods that comply with the standards.
- Develop a data retention policy that specifies what data should be stored and where that data is located. Thus, when no longer needed, these data can be safely deleted or destroyed.
- Do not store sensitive authentication data after authorization. If sensitive authentication data is received, make all data unrecoverable after the authorization process is complete.
- Mask the PAN when it is displayed. Only employees with a legitimate business need can see more than the first six / last four PAN digits.
- Use hashing, truncation, strong cryptography, or index tokens to make PAN unreadable wherever it is stored.
- Document and implement all key and cryptographic management procedures and processes used to encrypt cardholder data.
PCI DSS Compliance Checklist # 4
Encrypt all cardholder information you send over an extensive public network or public networks such as the internet. All information you submit must be protected to remain compliant with PCI DSS.
- Use strong cryptography and security protocols to protect sensitive cardholder data over public networks during transmission.
- Never send unprotected PANs through end-user messaging technologies.
- Ensure that security policies and operational procedures for encrypting cardholder data transfers are documented, used, and understood by all parties involved.
PCI DSS Compliance Checklist # 5
To protect against malware, use antivirus software, and maintain it regularly. Malware can enter your network and computers in many different ways, from the internet, through an infected USB, or a vulnerability in your hardware.
- Install antivirus software on all systems commonly infected with malware.
- Ensure all antivirus mechanisms are kept up to date, regular scans are run, and audit logs are generated.
- Make sure that antivirus mechanisms are continually working. Users should not be able to remove or replace their antivirus software.
- Ensure security policies and operating procedures are documented, used, and understood by all affected parties to protect networks against malware.
PCI DSS Compliance Checklist # 6
Ensure that software, hardware, and operating systems are up to date with security vulnerabilities and that security patches are installed. Vulnerabilities of operating systems or devices without security patches are the easiest way to add malware to your network. To comply with PCI DSS, you must make every effort to ensure that the covered components are regularly updated.
- Establish a mechanism to detect vulnerabilities. Use reliable external sources for information about vulnerabilities and assign a risk score to newly discovered vulnerabilities.
- Ensure that all system components and applications are protected from known vulnerabilities by installing security updates released by manufacturers.
- Develop software applications that are compliant with PCI DSS.
- Follow processes and procedures for change management control for all system component changes.
- Build software that focuses on secure coding standards.
- Educate software developers at least annually in up-to-date secure coding techniques.
- Test web applications accessible from the internet at least once a year through manual or automated security testing techniques or processes.
- Ensure security protocols and operating practices to develop and maintain secure systems and applications are documented, used, and known to all affected parties.
PCI DSS Compliance Checklist # 7
Restrict access to cardholder data only to required people and applications, disable and block other access. Employee errors are the primary reason for leaks or any additional disclosure of cardholder data. Grant employees and systems access when they need it to do their jobs or perform a required task.
- Limit access to system components and cardholder data based on business needs.
- Restrict access based on a need-to-know principle. Establish an access control mechanism programmed to “deny everything” unless specifically allowed.
- Ensure security policies and operational processes to restrict access to cardholder data are documented, used, and known to all interested parties.
PCI DSS Compliance Checklist # 8
Set unique passwords for anyone with access to cardholder data. Do not share passwords and usernames. Establish policies on identity management and passwords, and train employees to avoid sharing credentials. Unique identities such as usernames are important in audits so that you can identify who has accessed cardholder information.
- Establish and enforce policies and procedures to ensure that user IDs are properly handled across all system components for service accounts and administrators.
- Provide convenient user authentication management for administrators using multi-factor authentication for all individual non-console administrative access and all remote access to the CDE.
- Document authentication policies and procedures and communicate with all users.
- Do not use groups, shared or generic IDs, and passwords.
- All-access to any database containing cardholder data should be restricted only by programmatic methods.
PCI DSS Compliance Checklist # 9
Restrict physical access to servers or machines that process, store, or transfer cardholder data. Any removable device can be used as a gateway for malware and attackers. Therefore, make sure that only trusted personnel can access physical devices containing cardholder information.
- Use appropriate facility entry controls to restrict and monitor physical access to systems in the cardholder data environment.
- Establish procedures to distinguish staff and guests on-site quickly.
- Provide control of physical access to sensitive areas for on-site personnel.
- Physically protect all media.
- Maintain tight control over any media distributed internally or externally.
- Maintain tight control over media storage and accessibility.
- Destroy media, when a business or legal purposes no longer require it.
- Take and secure tampering and tampering measures for devices that capture payment card data.
PCI DSS Compliance Checklist # 10
Track and monitor what is happening on networks and devices that contain cardholder data. Apply daily monitoring schedules to monitor sensitive data access. You need to know who accessed anything on the network and when.
- Apply audit trails to link access to all system components to each user and all system components.
- The logs should contain the user ID, event type, date, time, and affected component information.
- Synchronize critical system clocks and times using time synchronization technology.
- Protect audit trails securely so they cannot be altered.
- Examine logs and security events to detect abnormalities or suspicious activity on all system components.
- Retain audit trail records for a minimum of one year, with three months for immediate review.
PCI DSS Compliance Checklist # 11
Evaluate security measures, including employees. Whether the vulnerability is in hardware, software, or a worker error, everything is vulnerable to an attacker with sufficient time and access. Regular testing of penetration testing and cardholder data with internal vulnerability scans will enable you to take the necessary precautions.
- Apply a process to check the presence of wireless access points. Detect and classify both permitted and unauthorized wireless access points quarterly.
- Scan internal and external networks for vulnerabilities at least once a year.
- Apply a penetration testing methodology that focuses on industry-accepted approaches.
- Perform an external and internal leak test at least once a year.
- Use intrusion detection or intrusion prevention techniques to detect or prevent network intrusions.
- Use change detection tools for file integrity monitoring and be aware of unwanted changes to critical system data.
- Ensure security policies and operating procedures are documented, in use, and known to all affected parties for security monitoring and testing.
PCI DSS Compliance Checklist # 12
Establish policies and procedures that govern data security and define eleven previous requirements. Policies set your organization’s security framework and ensure that both new and experienced employees understand what you expect of them.
Even if protections are available, you must communicate and work to enforce your policy. Each employee must know and follow your third-party vendor and customer policies.
Your written security policy should include an overview of how you are protecting customer data. All required persons should be made aware of the PCI standards and how to comply with them.
- Establish, publish, maintain, and distribute a security policy.
- Implement a risk assessment procedure that is performed at least annually.
- Develop strategies for the use of critical technologies and determine the acceptable use of these technologies.
- Make sure that the security policy and procedures clearly define responsibilities for all personnel involved in information security.
- Implement a security awareness program to bring cardholders’ data security policies and procedures to all staff’s attention.
- Perform background screening of potential personnel before hiring to minimize the risk of internal attack sources.
- Maintain and enforce policies and procedures to control service providers where cardholder data is shared or affect cardholder data security.
- Implement an incident response plan. Get ready to respond to a system breach immediately.
PCI DSS Compliance Checklist Best Practices
If you choose “yes” for each of the above items, your company is in an excellent position to make your PCI DSS compliance process successful.
The purpose of the PCI DSS checklist is to provide a basic overview of PCI compliant applications and speed up your compliance work by specifying the requirements’ basic needs. Therefore, the list should not be regarded as an approved, detailed checklist or PCI compliance assessment.
It is essential to build a climate of trust with your customers because a lack of confidence can also affect your overall well-being. Compliance with PCI standards is crucial to increase trust in your customers, prospects, and business partners.
The PCI compliance checklist items should be used to optimize data protection techniques following recommended technology and best practices.
For detailed information, you can review the PCI DSS Quick Reference Guide: Understanding Payment Card Industry Data Security Standard version 3.2.1.