Quick PCI Compliance Checklist: Be Ready for Your Next Audit
What is a PCI Compliance Checklist?
The Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any organization that stores or processes payment cardholder data. PCI compliance is a complex process. Your PCI Merchant Level (1-4) will determine your level of auditing — from Self Assessment Questionnaires (SAQ) to a full external audit, which requires extensive preparation.
A PCI compliance checklist can help you organize your PCI compliance effort, at any Merchant Level. By following the checklist, you can identify areas that require attention and proactively improve security controls in line with PCI requirements.
The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial, and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information.
The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article, and all liability with respect to actions taken or not taken based on the contents of this article is hereby expressly disclaimed.
You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.
This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.
PCI DSS Compliance Checklist
Here is a comprehensive checklist to help you comply with the 12 PCI requirements. It is intended to help you self-audit your IT and data security strategy, rather than provide a definitive, official list of requirements.
- Establish a security policy that addresses all internal systems and any relevant third-party services. This includes processes for handling information securely.
- Make sure the policy addresses all the relevant PCI DSS requirements.
- Ensure your hosting providers have strong security protocols to protect any data stored on their services.
- Review the policy annually (or when you introduce changes to your internal systems).
- Incorporate the following aspects into your policy:
  - A timely process for addressing and remediating all discovered vulnerabilities.
  - Company-wide endpoint protection, such as antivirus software, across all devices.
  - Regular reviews and scheduled updates/patches of software.
  - Regular vulnerability tests for all systems that handle payment card data (you can use designated scanning services for this).
  - An incident response plan that can be put into action quickly in the event of a breach.
- Ensure you have a firewall in place, along with documented router configuration standards.
- Make sure all devices are secured with a personal firewall, whether they belong to the company or to employees (if they can access cardholder data).
- Create and document a policy defining all firewall security-related practices and ensure that all relevant parties are familiar with it.
- Review your firewall configurations and rules at least every six months. They should block any inbound or outbound traffic from an untrusted source, and any traffic that is not necessary.
- Establish a policy for creating and storing passwords securely.
- Make sure any default settings and passwords are disabled before you connect a new system to the network.
- Ensure that all passwords are robust and adhere to your password policy.
- Use robust encryption to protect all payment card data, whether in transit or at rest.
- Store encryption keys safely to avoid misuse or exposure.
- Protect in-transit data with SSL/TLS security protocols when using unsecured public networks.
- Ensure that unencrypted primary account numbers (PANs) are never shared in clear text, for example via text message.
- Ensure everyone in your organization has a unique user credential, which determines their level of access.
- Establish rules for data access based on users’ roles. These should include the context and scope of data use.
- Make sure that permissions are granted on a need-to-know basis, so data can only be accessed for tasks where it is necessary.
- Restrict access to cardholder data to prevent unauthorized users (including employees) from viewing it.
- Apply access control measures to enable and disable ID-based access — these should be overseen by a designated system administrator.
- Restrict physical access to systems (e.g., computers, servers) that store or process cardholder data.
- Monitor and log visitors to any facilities containing cardholder data.
- Monitor sensitive system files to identify unauthorized access or modifications.
Testing and auditing
- Ensure you regularly test and review the systems and networks of your organization to identify vulnerabilities and prevent exploits.
- Apply tests whenever you introduce new software or make configuration changes.
- Make sure all testing processes are logged. Store the logs securely for auditing purposes.
- Ensure vulnerabilities are addressed when discovered.
- Periodically perform penetration tests and vulnerability scans to ensure network security.
5 Best Practices for PCI DSS Compliance
PCI DSS Requirement 3 stipulates that, to protect credit card information, cardholder data should be stored only in known locations with restricted access. Organizations must therefore map their cardholder data flows and perform regular network and storage scans to ensure that employees do not store, or forget, credit card information in unauthorized locations.
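The discovery scan described above can be approximated with a small script: find digit runs that look like card numbers, confirm them with the Luhn check (which weeds out most order IDs and phone numbers), and report only a truncated form of each hit so the scan report itself never becomes a new store of unmasked PANs. This is an added example, not code from the original article or from Exabeam; the sample text, file paths and the 13-19 digit candidate pattern are constructed assumptions, and the two card numbers in the sample are the publicly known Visa and Mastercard test numbers.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so a 20-digit ID is not half-matched).
# The length range is an assumption covering the common card brands.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    source: str      # file path or "<memory>" for text scanned from a string
    line_no: int
    masked_pan: str  # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six / last four, the form PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<memory>") -> List[Finding]:
    """Scan text line by line; report only Luhn-valid candidates, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file; undecodable bytes are ignored rather than aborting the scan."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), source=path)


# Constructed sample: a log-like file an employee might leave in a shared folder.
# Line 1 is a 14-digit order ID and line 3 a 16-digit reference, both of which
# fail the Luhn check; lines 2 and 4 hold real-looking (test) card numbers.
SAMPLE = """\
order_id=12345678901234  customer=jdoe
card=4111 1111 1111 1111 exp=12/27
phone=+1 555 0100 ref=1234567890123456
backup_note: mc 5500-0000-0000-0004 stored here by mistake
"""


if __name__ == "__main__":
    # Usage: python pan_scan.py [file ...]; with no arguments the sample is scanned.
    results = []
    for path in sys.argv[1:]:
        results.extend(scan_file(path))
    if not sys.argv[1:]:
        results = scan_text(SAMPLE, source="SAMPLE")
    for f in results:
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked_pan}")
```

The regex alone would flag both of the non-card digit runs in the sample; the Luhn check is what keeps the report to the two real hits. For a production scan you would also want to exclude the authorized cardholder data environment paths from the sweep, so that only out-of-scope locations raise findings.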
Overlaps between GDPR and PCI DSS compliance policy
Organizations that adopt PCI DSS best practices are not far from being GDPR compliant. By addressing both compliance standards together, an organization can achieve important efficiencies.
PCI compliance limits the amount of personal customer data stored in the organization in an insecure manner. One of the principles of GDPR is that if a company doesn’t need personal data, it shouldn’t store it. This strongly overlaps with one of the preparatory steps for a PCI DSS assessment, called scope reduction.
Focus on employee training
People are very often the weakest link in a security strategy, so do not ignore the human factor of PCI DSS compliance. Software can greatly improve security, whether it is DLP, ARM, or antivirus software, but it will be more effective if your staff understands compliance needs and the risks of violations.
An informed employee is far less likely to look for ways around security measures once they understand the purpose of those measures and the consequences of non-compliance. Therefore, businesses should invest in training employees, tailored to their specific industry and role, so they understand the importance of PCI DSS and the risks and consequences of non-compliance.
Review cloud architecture regularly
Cloud environments are subject to frequent change. Any change to cloud applications, hardware, and software, or other adjustments to cloud use may result in unintended changes to PCI compliance. Plan such changes with a security expert, and conduct regular reviews to identify risks stemming from your organization’s cloud environments.
The central requirement of PCI DSS is ongoing monitoring of the security controls that form part of the cloud development environment. Organizations must either build on an existing Security Information and Event Management (SIEM) plan or select a new SIEM tool. The SIEM solution should be capable of collecting logs from all of the organization’s security controls.
Once security auditing is enabled on the relevant systems, a SIEM can continuously monitor the networks that must meet PCI DSS rules. A SIEM tool can generate the reports required to review audit details and raise alerts for suspicious behavior that puts information security at risk.
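To make the alerting step concrete, the following added example (not code from the original article or from Exabeam) applies two PCI-relevant correlation rules to a handful of constructed audit events: a burst of failed logins from one source against one account, and a query against the cardholder database by an account that is not on the authorized list. The key=value event format, the authorized user set, the six-failure threshold and the five-minute window are all assumptions chosen for the example; a real SIEM would take these from its parsers and from the organization's access policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: audit events as they might arrive after log forwarding is
# enabled on the cardholder database host. Six failed logins for svc_batch in
# eleven seconds, then two queries by jdoe, one of them against cardholder_db.
SAMPLE_EVENTS = """\
2024-05-01T02:13:01Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T02:13:03Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T02:13:05Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T02:13:08Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T02:13:10Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T02:13:12Z host=db01 user=svc_batch action=login result=fail src=10.0.5.7
2024-05-01T09:00:12Z host=db01 user=payments_app action=query target=cardholder_db result=ok src=10.0.2.15
2024-05-01T09:04:40Z host=db01 user=jdoe action=query target=cardholder_db result=ok src=10.0.9.44
2024-05-01T09:10:00Z host=db01 user=jdoe action=query target=inventory_db result=ok src=10.0.9.44
"""

# Assumed policy inputs: accounts allowed to touch cardholder data, and the
# failed-login burst threshold/window (tune these to your own access policy).
AUTHORIZED_CARDHOLDER_USERS = {"payments_app", "dba_oncall"}
FAILED_LOGIN_THRESHOLD = 6
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

Alert = Tuple[str, str, str]  # (rule name, user, detail)


def parse_event(line: str) -> Dict[str, object]:
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect(lines: List[str]) -> List[Alert]:
    """Run both correlation rules over the events in order and return alerts."""
    alerts: List[Alert] = []
    # Sliding window of recent failure timestamps per (user, source) pair.
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    burst_fired = set()  # fire the burst rule once per pair, not on every extra failure

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        user, src, ts = str(ev["user"]), str(ev["src"]), ev["ts"]

        # Rule 1: cardholder database access by an unauthorized account.
        if ev.get("action") == "query" and ev.get("target") == "cardholder_db" \
                and user not in AUTHORIZED_CARDHOLDER_USERS:
            alerts.append(("unauthorized_cardholder_access", user,
                           f"query from {src} at {ts.isoformat()}"))

        # Rule 2: repeated failed logins from one source within the window.
        if ev.get("action") == "login" and ev.get("result") == "fail":
            key = (user, src)
            window = failures[key]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()  # drop failures that have aged out of the window
            if len(window) >= FAILED_LOGIN_THRESHOLD and key not in burst_fired:
                burst_fired.add(key)
                alerts.append(("failed_login_burst", user,
                               f"{len(window)} failures from {src} within "
                               f"{int(FAILED_LOGIN_WINDOW.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {rule}: user={user} {detail}")
```

Both rules map directly onto checklist items above: the access rule enforces the need-to-know restriction on cardholder data, and the burst rule surfaces the kind of credential-guessing activity that account lockout policies are meant to stop. The same events, routed to the SIEM, also provide the audit trail an assessor will ask to see.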
PCI Compliance with Exabeam Fusion SIEM
Exabeam Fusion SIEM, a cloud-delivered solution, combines conventional SIEM with an effective outcome-based approach to threat detection and incident response (TDIR) requirements, finding threats with behavior analytics, and automating detection, investigation, and response efforts. Fusion SIEM can support your PCI Compliance checklists and governance by helping you:
- Detect and control all privileged, shared, and executive accounts
- Ensure that users have access only to appropriate systems, and detect any violations
- Track and monitor all privileged, administrative, and executive accounts, as well as unusual access to sensitive systems
- Uniquely identify all users, even if they attempt to obscure their identity via device or account switching
- Analyze and identify all anomalous behavior, whether by privileged, regular, or machine accounts, and then alert and assist in investigation of this activity
- Present prebuilt PCI reports to help your audit team meet compliance objectives