PCI DSS (the Payment Card Industry Data Security Standard) defines a set of requirements for securing payment card transactions and protecting cardholder data. Any merchant or service provider that processes, stores, or transmits cardholder data must comply with PCI DSS. The card brands can impose fines on non-compliant organizations through their acquiring banks (reported at up to $500,000 per incident) and can restrict or revoke the ability to accept cards. Separately, applicable breach-notification laws generally require notifying each person whose data may have been exposed in an attack.
PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), which the major card brands formed to manage payment card security. Compliance is a contractual obligation imposed through the card brands and acquiring banks rather than an option, and it is the baseline for protecting cardholder data and avoiding fines or restrictions from the card networks. To become PCI DSS compliant, an organization must meet all 12 requirements. This checklist is designed to help organizations identify the steps they need to take, organized by the standard's six control objectives plus the items new in v4.0:
1. Build and Maintain a Secure Network and Systems
☐ Install and maintain network security controls (firewalls, routers, etc.)
☐ Document and implement network security control configurations
☐ Restrict connections between untrusted networks and system components
☐ Implement security controls (such as host firewalls) on any computing devices, including employee-owned ones, that connect to both untrusted networks and the cardholder data environment (CDE)
☐ Document security control roles and responsibilities
☐ Change all vendor-supplied defaults for system passwords and security parameters
☐ Maintain an inventory of system components in scope for PCI DSS
☐ Ensure wireless networks are properly configured and secured
2. Protect Account Data
☐ Store cardholder data only when necessary and with proper protection
☐ Do not store sensitive authentication data after authorization
☐ Mask PAN (Primary Account Number) when displayed: at most the BIN (typically the first 6 digits) and the last 4 digits are shown, and only personnel with a legitimate business need may see more
☐ Render PAN unreadable anywhere it is stored, using strong cryptography, truncation, index tokens, or hashing; note that PCI DSS v4.0 (Requirement 3.5.1.1) requires hashes of PAN to be keyed cryptographic hashes of the entire PAN, because an unkeyed hash of a PAN can be brute-forced from its masked value
☐ Protect encryption keys used for cardholder data
☐ Document and implement key management processes
☐ Implement secure cryptographic architecture
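The interplay between the masking and hashing items above, as an added example that is not part of the original checklist or of XM Cyber's code: a PAN is masked for display, and the same PAN is hashed for storage both without a key (plain SHA-256) and with a key (HMAC-SHA256). Given the masked value and the unkeyed digest, only the starred digits are unknown, and the Luhn check fixes one of them, so an attacker enumerates at most 10^5 candidates and recovers the full PAN in well under a second; the keyed digest cannot be attacked that way without the key. The PAN 4111111111111111 is a well-known test number and the key is generated locally, so nothing here is real cardholder data; the function names are this example's own.

```python
"""PAN masking vs. keyed hashing for storage (added example, not from the original page)."""
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812); every real PAN passes it."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Display form: BIN (first 6) and last 4 visible, everything else starred."""
    if not pan.isdigit() or len(pan) < first + last + 1:
        raise ValueError("not a PAN")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def unkeyed_hash(pan: str) -> str:
    """What NOT to store: plain SHA-256 of the PAN (no secret involved)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN; the key is managed like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidate_space(masked: str) -> int:
    """Luhn-valid PANs consistent with a masked value: one hidden digit is fixed by the check."""
    return 10 ** (masked.count("*") - 1)


def recover_pan(masked: str, digest: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker view: masked PAN plus a digest computable without a secret => brute force."""
    start, end = masked.index("*"), masked.rindex("*") + 1
    prefix, suffix = masked[:start], masked[end:]
    for combo in itertools.product("0123456789", repeat=end - start):
        cand = prefix + "".join(combo) + suffix
        if luhn_valid(cand) and hash_fn(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    pan = "4111111111111111"      # constructed, well-known test PAN
    masked = mask_pan(pan)
    print(masked, "Luhn-valid candidates:", candidate_space(masked))
    print("recovered from unkeyed hash:", recover_pan(masked, unkeyed_hash(pan), unkeyed_hash))
    key = secrets.token_bytes(32)  # in production this comes from a managed key store
    print("keyed token:", keyed_hash(pan, key)[:16], "... (not attackable without the key)")
```

Run as a script it prints the masked PAN, the size of the candidate space (100000), and the recovered PAN; the keyed token changes with every key, so an attacker holding the database but not the key cannot run the same enumeration. The same reasoning is why truncated PANs and unkeyed hashes of the same PAN must never be stored side by side.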
3. Maintain a Vulnerability Management Program
☐ Protect all systems and networks from malicious software
☐ Ensure anti-malware solutions are running, kept current, and cannot be disabled or altered by users unless specifically documented and authorized
☐ Develop and maintain secure systems and applications
☐ Establish a process to identify and assign risk rankings to vulnerabilities
☐ Ensure all system components are protected from known vulnerabilities
☐ Develop internal and external software securely
☐ Manage change control procedures for all system changes
☐ Separate development/test environments from production
4. Implement Strong Access Control Measures
☐ Restrict access to cardholder data on a need-to-know basis
☐ Implement a formal access control system
☐ Restrict physical access to cardholder data
☐ Document and implement procedures for proper labeling and handling of media
☐ Maintain visitor logs and authorization procedures
☐ Identify and authenticate access to system components
☐ Implement multi-factor authentication for all non-console administrative access to the CDE
☐ Implement MFA for all access into the CDE (PCI DSS v4.0 Requirement 8.4.2)
☐ Render all passwords unreadable during transmission and storage
5. Regularly Monitor and Test Networks
☐ Track and monitor all access to network resources and cardholder data
☐ Implement automated audit trails for all system components
☐ Secure audit trails so they cannot be altered: restrict access, forward logs to a central log server, and use file-integrity monitoring or change-detection on log files
☐ Review logs and security events for all system components
☐ Test security systems and processes regularly
☐ Conduct internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change
☐ Perform internal and external vulnerability scans at least once every three months and after significant changes; external scans must be run by a PCI SSC Approved Scanning Vendor (ASV)
6. Maintain an Information Security Policy
☐ Establish, publish, and maintain security policies
☐ Implement a risk assessment process performed at least annually
☐ Develop usage policies for critical technologies
☐ Define information security responsibilities for all personnel
☐ Implement a formal security awareness program
☐ Screen personnel prior to hiring
☐ Ensure service providers with access to cardholder data maintain proper security
☐ Document and implement an incident response plan
7. Additional PCI DSS v4.0 Requirements
☐ Implement a targeted risk analysis for any customized approach
☐ Document and validate PCI DSS scope
☐ Perform reviews to confirm personnel follow security policies and procedures
☐ Implement a continuous security monitoring approach
☐ Conduct reviews after significant changes to detect and document potential impacts to PCI DSS scope
☐ Document cryptographic cipher suites and protocols in use
This checklist provides a high-level overview of PCI DSS v4.0 requirements. For a complete and detailed understanding, you should consult the official PCI DSS v4.0 documentation and potentially use a Qualified Security Assessor (QSA) to help with your compliance efforts.
PCI DSS is a sprawling standard, and effective exposure management is crucial for meeting it comprehensively. XM Cyber can help organizations address elements of PCI DSS, including:
- Breach Prevention (Requirement 11 – 12) – XM Cyber helps organizations gain real-time threat visibility to prevent unauthorized access
- Authentication Management (Requirement 8) – Organizations can ensure the security of credentials and avoid unauthorized access
- Vulnerability Scans (Requirement 11.2) – Scans identify weak points on internet-facing assets
- Secure System Development (Requirement 6.2) – Organizations can ensure vulnerabilities in payment systems are identified and addressed promptly
- Regularly Test Security Systems & Processes (Requirement 11) – XM Cyber helps organizations regularly test security systems and processes to detect weaknesses that could impact cardholder data (CHD) security
In addition, XM Cyber maps all PCI DSS controls to a dedicated compliance framework, so organizations can monitor adherence to the controls and detect exceptions to them.
PCI DSS is a comprehensive way to protect sensitive payment information and increase trust with customers and stakeholders. XM Cyber makes it easy and effective to communicate PCI DSS compliance status to stakeholders and auditors.