The Ultimate PCI DSS Compliance Checklist
Vimal Mohan
Oct 31, 2024

If your organization accepts, processes, stores, or transmits payment card data, through an online portal or any other channel, you are expected to be PCI DSS compliant: non-compliance risks fines from the card brands and your acquirer, and a breach of card data brings reputational damage on top. The process, however, is exhaustive, time-consuming, and expensive.
This article aims to demystify the PCI DSS framework: it explains the merchant levels, walks through the 12 PCI DSS requirements as a checklist, and outlines the steps to become compliant.
We’ve also included an exhaustive PCI DSS compliance checklist with 45 checkboxes to help you gain momentum in your compliance journey.
TL;DR
- PCI DSS compliance means implementing a defined set of security controls: network security controls (firewalls), encryption of stored and transmitted cardholder data, anti-malware, and strict logical and physical access controls.
- There are four merchant levels, based on annual transaction volume. Depending on the level, compliance is validated either by an on-site assessment and a Report on Compliance or by a Self-Assessment Questionnaire.
- To be compliant, an organization must meet all 12 requirements, which are grouped under 6 control objectives.
Overview of PCI DSS compliance
PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council, which was founded by the major card brands. It applies to every organization that stores, processes, or transmits cardholder data, and its goal is to prevent data breaches and protect sensitive cardholder information.
Global digital card payments grew by about 20 percent in 2020 compared to 2019, and the trend has continued upward since. More than 900 million online transactions were processed in 2020, a figure projected to reach 2.14 billion by 2025.
This growth also gives attackers a broader pool of targets from which to extract card data, so cardholder data has to be protected consistently wherever it is handled.
In December 2004, Visa, MasterCard, American Express, Discover Financial Services, and JCB International aligned their separate card-security programs into PCI DSS version 1.0, and in 2006 they formed the PCI Security Standards Council (PCI SSC) to maintain it. PCI DSS is an industry standard enforced contractually through the card brands and acquiring banks rather than a government regulation, but the fines and the loss of card-acceptance privileges for non-compliance are real.
Why was PCI DSS implemented?
The PCI DSS framework exists so that every organization handling electronic card transactions implements the same baseline of processes, policies, and technical controls needed to protect cardholder data, instead of each brand and merchant inventing its own.
The latest major revision, PCI DSS version 4.0, was published in March 2022; a limited revision, version 4.0.1, followed in June 2024. Version 3.2.1 was retired on 31 March 2024, and the requirements that v4.0 marked as future-dated (best practice until then) become mandatory on 31 March 2025. v4.0 also introduced the customized approach, which lets an organization meet a requirement's stated objective with controls of its own design, making the framework more flexible; a checklist like the one below remains the practical way to track where you stand.
What does a PCI DSS compliance checklist include?
A PCI DSS compliance checklist covers the policies you must adopt and the controls you must implement, such as installing and maintaining firewalls, keeping anti-malware current, and encrypting cardholder data in transit. Before working through it you need to know which merchant level your business falls into and which systems are in scope: everything that stores, processes, or transmits cardholder data, plus anything connected to or able to affect the security of those systems.
PCI DSS merchant levels
There are 4 merchant levels, and the stringency of validation rises with the level. The thresholds below are Visa's; the other brands use similar but not identical figures, and a merchant that has suffered a card-data compromise can be reassigned to Level 1 regardless of volume. (Service providers have a separate two-level scheme.)
- Level 1: more than 6 million transactions a year across all channels, or any merchant the card brand designates as Level 1.
- Level 2: 1 million to 6 million transactions a year.
- Level 3: 20,000 to 1 million e-commerce transactions a year.
- Level 4: fewer than 20,000 e-commerce transactions a year, and all other merchants with up to 1 million transactions a year.
Validation requirements vary by level:
- Level 1 merchants must have an annual on-site assessment performed by a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA), resulting in a Report on Compliance (ROC) and an Attestation of Compliance (AOC).
- Level 2, 3, and 4 merchants can normally validate with an annual Self-Assessment Questionnaire (SAQ) plus an AOC. Which SAQ applies depends on how cards are accepted (for example SAQ A for fully outsourced e-commerce, SAQ D for merchants that store cardholder data).
Regardless of level, any merchant with externally facing in-scope systems must also have external vulnerability scans run at least quarterly by an Approved Scanning Vendor (ASV), and internal vulnerability scans at least quarterly, with rescans after significant changes.
PCI DSS compliance checklist
Organizations looking to become PCI DSS compliant must meet 12 requirements, grouped under 6 control objectives. They cover technical controls, security policies, and administrative processes designed to protect cardholder data from unauthorized access.
Here is the 12-step PCI DSS compliance checklist, with the v4.0 wording noted where it differs from the traditional names:
1. Install and maintain a firewall (v4.0: install and maintain network security controls)
Every system in the cardholder data environment (CDE) must be shielded from traffic that has no business reaching it. PCI DSS v4.0 calls the control "network security controls" (NSCs) because firewalls, routers with ACLs, cloud security groups, and virtual appliances all qualify; what matters is that they sit between trusted and untrusted networks and enforce a deny-by-default policy in both directions.
A compliant NSC configuration must:
- Permit only explicitly authorized inbound traffic to the CDE and deny everything else by default
- Block direct public access between the internet and any system in the CDE (for example, by placing internet-facing services in a DMZ and letting only the DMZ reach the CDE)
- Place NSCs between all wireless networks and the CDE, so that a POS device on Wi-Fi cannot reach card data without passing a filter
- Restrict outbound traffic from the CDE to what is explicitly needed (such as the payment processor's endpoints, internal DNS, and the log collector) and deny the rest
- Keep a documented, approved business justification for every permitted port, protocol, and service, route every rule change through change control, and review the rule set at least once every six months
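The following nftables ruleset is an added illustration of the points above and is not taken from the article; every address in it (the application host, the load balancer, the management network, the resolver, the log collector, and the processor endpoint in the 203.0.113.0/24 documentation range) is a placeholder you would replace with your own. It shows a host-level policy for a CDE application server that drops by default in all three directions, allows only the named flows, and logs what it drops so the denials land in the Requirement 10 audit trail.

```nftables
#!/usr/sbin/nft -f
# Hypothetical CDE application host policy. All addresses are placeholders.
flush ruleset

define LOAD_BALANCER = 10.10.0.5        # only this may reach the app port
define MGMT_NET      = 10.90.0.0/24     # admin jump hosts
define RESOLVER      = 10.90.0.53       # internal DNS
define LOG_COLLECTOR = 10.90.0.20       # central syslog (Requirement 10)
define PROCESSOR     = 203.0.113.45     # payment processor endpoint (documentation range)

table inet cde {
    chain input {
        type filter hook input priority 0; policy drop;        # deny by default
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # inbound: only the load balancer, only to the application port
        ip saddr $LOAD_BALANCER tcp dport 8443 accept
        # administrative access only from the management network
        ip saddr $MGMT_NET tcp dport 22 accept
        log prefix "cde-in-drop " counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;       # outbound restricted too
        ct state established,related accept
        oif lo accept
        # authorisation traffic to the processor only, over TLS
        ip daddr $PROCESSOR tcp dport 443 accept
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $LOG_COLLECTOR tcp dport 514 accept
        log prefix "cde-out-drop " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;      # this host never routes
    }
}
```

Load it with `nft -f` and keep the file under version control: the commit message is where the business justification for each permitted port, protocol, and service goes, and the six-monthly rule review becomes a review of this file rather than a screen-scrape of live firewall state.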
2. Don’t use default vendor settings and passwords (v4.0: apply secure configurations to all system components)
Never run software, firewalls, routers, wireless access points, databases, or POS devices with the usernames, passwords, SNMP community strings, or encryption keys the vendor shipped. Change them before the component is connected to the network, disable or remove default accounts and unnecessary services, and harden the configuration against an accepted industry benchmark (CIS, NIST, or the vendor's own hardening guide) rather than leaving it at the defaults.
Requirement 2 covers the defaults; the password strength rules themselves live under Requirement 8. In v4.0 a password must be at least 12 characters (8 where a system genuinely cannot support 12), contain both letters and numbers, and never be one the vendor shipped.
3. Protect cardholder data (v4.0: protect stored account data)
All cardholder data that enters your environment must be protected, and you cannot protect what you cannot locate. Map how cardholder data flows through your systems: where it is stored (databases, logs, backups, spreadsheets, call recordings), which teams and service accounts can read it, how it leaves your environment if it does, and how it is securely deleted when the documented retention period ends. Keep storage to the minimum the business actually needs.
Two rules in this requirement trip up most organizations. First, sensitive authentication data (full magnetic stripe or chip data, the CVV/CVC code, and PINs) must never be stored after authorization, even encrypted. Second, the PAN (Primary Account Number, not "Personal Account Number") must be masked whenever it is displayed, showing at most the BIN and the last four digits, and must be rendered unreadable wherever it is stored, using truncation, a strong one-way hash of the entire PAN, index tokens, or strong cryptography with proper key management.
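The data-flow mapping above usually turns up PANs in places nobody intended, most often application logs. The following Python is an added example, not code from the article: it finds PAN-shaped numbers in text, uses the Luhn checksum to discard order numbers and timestamps that merely look like card numbers, and masks real hits down to BIN plus last four. The log lines are constructed for the example and use the well-known test PANs 4111111111111111 and 4242424242424242; a six-digit BIN is assumed.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Luhn filtering below removes most false hits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Every real PAN passes the Luhn checksum; order numbers and timestamps mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display mask: keep the first six digits (BIN) and the last four, star the rest.

    PCI DSS v4.0 Requirement 3.4.1 allows at most the BIN and last four digits to be
    shown. A six-digit BIN is assumed here; with eight-digit BINs, keep eight."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (offset, digits) for every Luhn-valid PAN-shaped number in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; leave other numbers untouched."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample log lines, not taken from any real system. The order number and
# the millisecond timestamp are 13-digit numbers that fail the Luhn check.
LOG_LINES = (
    "2024-10-31T09:12:01Z checkout ok order=1234567890123 card=4111111111111111 amount=19.99\n"
    "2024-10-31T09:12:05Z support note: customer read card 4242 4242 4242 4242 over the phone\n"
    "2024-10-31T09:13:10Z ts=1698710400000 phone=555-123-4567 status=retry\n"
)

if __name__ == "__main__":
    for offset, pan in find_pans(LOG_LINES):
        print(f"PAN found at offset {offset}: {mask_pan(pan)}")
    print(redact_pans(LOG_LINES))
```

Run the scanner over log archives, database dumps, and ticketing exports before an assessment: every hit is either a storage location that belongs on the data-flow map or a leak that must be fixed and purged. Luhn passes roughly one in ten random digit strings, so treat hits as leads to verify, not proof.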
4. Encrypt transmission (v4.0: protect cardholder data with strong cryptography during transmission over open, public networks)
Where Requirement 3 covers data at rest, this one covers data in motion. Whenever cardholder data crosses an open, public network (the internet, wireless networks such as 802.11, Bluetooth, or cellular, and any network you do not control) it must be protected with strong cryptography: in practice TLS 1.2 or later with trusted certificates and strong cipher suites. SSL and "early TLS" (1.0 and 1.1) are explicitly not considered strong. The PAN must also never be sent unprotected over end-user messaging such as email, chat, or SMS.
Organizations often get this right for the public checkout page and then forget the hops behind it, such as an internal service calling the payment processor, a wireless POS terminal talking to the store server, or a support tool emailing card details. Interception of card data in transit over paths like these has caused real breaches, so every path cardholder data takes needs the same protection.
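As an added example (not from the article), here is how a Python service that calls a payment processor should build its TLS client context so that the connection meets the bar above, placed next to the kind of "make the error go away" context that fails it, with a small audit function that flags the differences. The hostname in the `__main__` block is a placeholder; the audit itself needs no network.

```python
import ssl


def pci_client_context(ca_file=None) -> ssl.SSLContext:
    """Client-side TLS context for Requirement 4: TLS 1.2+, verified certificates,
    AEAD cipher suites with forward secrecy only."""
    ctx = ssl.create_default_context(cafile=ca_file)   # system trust store when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                           # certificate must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED
    # TLS 1.2 suite list: ECDHE key exchange (forward secrecy) with AES-GCM or ChaCha20-Poly1305.
    # TLS 1.3 suites are configured separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The context found in code that silenced a certificate error: no verification
    and every cipher OpenSSL knows. Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of Requirement 4 findings for a context; an empty list means acceptable."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    for suite in ctx.get_ciphers():
        # anything below TLS 1.2, or any non-AEAD suite (CBC + HMAC), is a finding
        if suite["protocol"] not in ("TLSv1.2", "TLSv1.3") or not suite["aead"]:
            findings.append(f"weak cipher suite enabled: {suite['name']}")
    return findings


if __name__ == "__main__":
    import socket
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder target
    print("pci_client_context():", audit_context(pci_client_context()) or "no findings")
    print("insecure_client_context():", audit_context(insecure_client_context()))
    with socket.create_connection((host, 443), timeout=10) as sock:
        with pci_client_context().wrap_socket(sock, server_hostname=host) as tls:
            print(host, "negotiated", tls.version(), "with", tls.cipher()[0])
```

The same three properties (minimum version, certificate verification, cipher selection) are what an ASV scan checks from the outside on your own listeners; auditing the client side in code catches the internal hops that an external scan never sees.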
5. Use updated antivirus software to protect against malware (v4.0: protect all systems and networks from malicious software)
Installing a basic antivirus product once and forgetting it does not satisfy this requirement. Anti-malware must be deployed on every in-scope system component (servers, workstations, laptops, and mobile devices that reach the CDE), with the narrow exception of components you have evaluated and documented as not at risk from malware, and that evaluation must be repeated periodically.
The solution must be kept current with vendor updates, run periodic scans or active real-time protection, and be impossible for ordinary users to disable or alter. It must also generate audit logs of its own activity, and those logs are retained under Requirement 10. v4.0 additionally calls for a mechanism that detects and protects personnel against phishing attacks.
6. Develop and maintain secure systems and applications (v4.0: develop and maintain secure systems and software)
This requirement covers how software in the CDE is built and how vulnerabilities in it are handled. Bespoke and custom software must follow a documented secure development process: developers trained in secure coding at least once every 12 months, code reviewed before release, and protection against the common classes of attack the standard lists (injection, attacks on data structures such as buffer overflows, misuse of cryptography, business-logic attacks including cross-site scripting, and broken access control). Public-facing web applications must additionally be protected by an automated technical solution such as a web application firewall, which under v4.0 is mandatory from 31 March 2025.
On the operations side, you must identify new vulnerabilities from outside sources, rank them by risk (the risk assessment under Requirement 12 feeds this ranking), and apply critical or high-risk patches within one month of release across servers, POS devices and their operating systems, workstations, network security controls, and every other in-scope component. Every change to in-scope systems goes through change control with an impact assessment, approval, testing, and a back-out plan.
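Injection is the first attack class the requirement names, so as an added example (not code from the article) here is the same order lookup written the vulnerable way and the hardened way against an in-memory SQLite table with constructed rows. The table deliberately stores payment tokens rather than PANs, which is what Requirement 3 expects anyway. The third function shows the case parameter binding cannot solve, an attacker-chosen column name, which has to be handled with an allow-list instead.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory order table with constructed rows; cards are stored as tokens, not PANs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, pan_token TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, pan_token, amount) VALUES (?, ?, ?)",
        [("alice", "tok_8f3a", 19.99), ("bob", "tok_c21d", 42.50)],
    )
    return conn


def orders_vulnerable(conn, customer: str) -> list:
    """Injection flaw: the caller-supplied string becomes part of the SQL text."""
    sql = f"SELECT customer, pan_token, amount FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_hardened(conn, customer: str) -> list:
    """Parameterised query: the driver passes the value separately, so it is never parsed as SQL."""
    sql = "SELECT customer, pan_token, amount FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


ALLOWED_SORT = {"id", "customer", "amount"}


def orders_sorted(conn, customer: str, sort_by: str) -> list:
    """Identifiers cannot be bound as parameters, so an ORDER BY column must be allow-listed."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    sql = f"SELECT customer, pan_token, amount FROM orders WHERE customer = ? ORDER BY {sort_by}"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "alice' OR '1'='1"
    print("vulnerable:", orders_vulnerable(conn, payload))   # every row, including bob's token
    print("hardened:  ", orders_hardened(conn, payload))     # nothing: no customer has that name
```

The code review step in this requirement is where the first function gets caught: any query built with string formatting from request data is a finding, regardless of what input validation sits in front of it.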
7. Restrict access to cardholder data (v4.0: restrict access to system components and cardholder data by business need to know)
Access to cardholder data, and to the systems that hold it, must be limited to the people and processes whose job requires it, and granted at the least privilege needed to do that job. Access is assigned by job classification and function, never by seniority or convenience, and every system defaults to "deny all" so that a user without an explicit grant gets nothing. The access-control model, the roles, and the privileges each role carries must be documented, and user accounts and their privileges must be reviewed at least once every six months to remove access that is no longer justified.
8. Assign unique user access IDs (v4.0: identify users and authenticate access to system components)
Every user and administrator must have a unique ID; shared, group, or generic accounts are prohibited except where a documented exception applies. Unique IDs do not prevent a breach by themselves, but they make every action attributable to one person, which is what lets you trace an incident to its source and makes the audit trail under Requirement 10 meaningful. The requirement also sets the authentication rules: strong passwords (see Requirement 2), lockout after no more than 10 failed attempts for at least 30 minutes, re-authentication after 15 minutes idle, and, under v4.0, multi-factor authentication for all non-console access into the CDE as well as for all remote access from outside the network.
9. Restrict physical access to cardholder data
This requirement focuses on the physical aspects of cardholder data security. Phys