PCI DSS9 min readUpdated Feb 2026

PCI DSS Compliance Checklist

This checklist provides a practical, actionable guide to achieving PCI DSS compliance. It's organized by the 12 PCI DSS requirements with specific tasks for each. The checklist is most relevant for organizations pursuing SAQ A-EP or SAQ D; if you're using hosted payment forms (SAQ A), your requirements are significantly reduced.

Robin Coste

•

Co-founder

Robin is a co-founder of Bastion, bringing extensive experience in compliance automation and security strategy. Previously, he led compliance as a tech lead at Palantir. He helps startups navigate the complexities of SOC 2 and ISO 27001 certification.

SOC 2ISO 27001Compliance AutomationSecurity Strategy

Use this as a planning tool to understand the scope of work and track your progress toward compliance.

Key Takeaways

Point	Summary
Scope first	Defining your cardholder data environment (CDE) is critical before implementing controls
Evidence-based	You need documented evidence for every control
Ongoing process	Compliance requires continuous maintenance, not just one-time implementation
Risk-based	Focus on high-impact controls first
Right-size	Match controls to your actual SAQ requirements

Phase 1: Scoping and Planning

Before implementing controls, you must understand what's in scope.

Define Your Cardholder Data Environment

Map data flows: Document how cardholder data enters, moves through, and exits your systems
Identify all systems: List every system that stores, processes, or transmits cardholder data
Identify connected systems: List systems connected to those handling cardholder data
Document third parties: List all service providers handling cardholder data on your behalf
Create network diagram: Visual representation of CDE and connected systems

Determine Your SAQ Type

Classify your role: Merchant, service provider, or both
Assess payment methods: How do you accept/process payments
Select SAQ type: A, A-EP, B, B-IP, C, C-VT, D (Merchant), or D (Service Provider)
Confirm with acquirer: Validate your level and SAQ type with your acquiring bank

Plan Scope Reduction (If Needed)

Evaluate tokenization: Can you replace stored PANs with tokens
Assess hosted payments: Can you move to hosted payment pages/iframes
Plan segmentation: Can you isolate CDE from other networks
Review service providers: Can you outsource more to PCI-compliant providers

Phase 2: Network Security (Requirements 1-2)

Requirement 1: Network Security Controls

Firewall and Routing:

Document and diagram all network connections to/from CDE
Implement firewall between CDE and untrusted networks
Configure deny-all, permit-by-exception rules
Restrict inbound traffic to only necessary ports
Restrict outbound traffic to business-justified destinations
Document business justification for each allowed connection

Firewall Management:

Establish firewall rule review process (at least every 6 months)
Document and approve all firewall rule changes
Identify and secure all wireless access points
Implement personal firewall on mobile devices accessing CDE

Requirement 2: Secure Configurations

System Hardening:

Develop configuration standards for all system types
Change all vendor-supplied defaults (passwords, SNMP strings, etc.)
Remove or disable unnecessary services and protocols
Configure one primary function per server (no mixed-use)
Document security parameters for each system type
Encrypt all non-console administrative access (SSH, HTTPS)

Inventory:

Maintain inventory of all system components in CDE
Document hardware and software versions
Establish process for updating inventory

Phase 3: Protect Account Data (Requirements 3-4)

Requirement 3: Protect Stored Data

Data Retention:

Document data retention policy
Implement processes to delete cardholder data when no longer needed
Quarterly process to identify and delete unnecessary stored data

Data Protection:

Never store sensitive authentication data (CVV, PIN, full track data) post-authorization
Mask PAN when displayed (first 6, last 4 maximum)
Render stored PAN unreadable using:
- Strong one-way hashing
- Truncation
- Index tokens with secure lookup
- Strong cryptography with key management
Document cryptographic key management procedures
Implement split knowledge for key management
Rotate encryption keys per defined schedule

Requirement 4: Protect Data in Transit

Transmission Security:

Use TLS 1.2 or higher for all cardholder data transmission
Verify TLS certificates are valid and trusted
Document all transmission points for cardholder data
Never send PAN via unprotected messaging (email, SMS, chat)
Implement certificate pinning where applicable

Phase 4: Vulnerability Management (Requirements 5-6)

Requirement 5: Malware Protection

Anti-Malware:

Deploy anti-malware on all systems commonly affected by malware
Ensure anti-malware is actively running and cannot be disabled
Configure automatic updates for anti-malware definitions
Generate and retain anti-malware logs
Document systems evaluated as not needing anti-malware (with risk assessment)

Anti-Phishing (v4.0):

Implement technical controls to detect and block phishing
Configure email filtering for malicious content
Train users on phishing awareness

Requirement 6: Secure Development and Systems

Patch Management:

Maintain inventory of all software
Subscribe to security vulnerability alerts
Apply critical patches within one month of release
Establish risk-based patching timeline for non-critical patches
Document patch testing procedures

Secure Development:

Train developers on secure coding practices
Follow secure coding guidelines (OWASP, etc.)
Review custom code for vulnerabilities before release
Separate development/test from production environments
Remove test data before production deployment
Remove development tools from production systems

Web Application Security:

Deploy Web Application Firewall (WAF) for public-facing apps
Configure WAF to block common attacks (SQL injection, XSS, etc.)
Or perform annual application security assessment
Address identified vulnerabilities

Change Management:

Document change control procedures
Separate duties for development and production deployment
Test all changes before production
Document rollback procedures
Approve all changes before implementation

Phase 5: Access Control (Requirements 7-9)

Requirement 7: Restrict Access by Need to Know

Define access control policy
Document roles and access privileges
Implement role-based access control (RBAC)
Grant access based on job function
Configure deny-all by default
Review access privileges at least every 6 months
Remove access promptly upon role change or termination

Requirement 8: Identify and Authenticate Users

User Management:

Assign unique ID to each user
Eliminate shared accounts
Manage privileged accounts separately
Control addition/deletion/modification of user IDs
Immediately revoke access for terminated users

Authentication:

Implement strong passwords OR multi-factor authentication
If passwords: minimum 12 characters, complexity requirements
Enforce password history (cannot reuse last 4)
Enforce password change every 90 days (if no MFA)
Lock accounts after 6 failed attempts
Set lockout duration to minimum 30 minutes

Multi-Factor Authentication:

Implement MFA for all administrative access to CDE
Implement MFA for all remote network access
MFA uses at least two different factors (something you know, have, or are)
MFA cannot be bypassed

System Accounts:

Document all system and application accounts
Secure service account credentials
Review system accounts periodically

Requirement 9: Physical Access

Facility Controls:

Implement physical access controls to CDE areas
Use badges or locks for secure areas
Monitor access points (cameras, guards, or access logs)
Escort visitors in secure areas
Identify visitors with visible badges
Maintain visitor logs (name, organization, date, time)

Media Security:

Classify media containing cardholder data
Secure media in locked storage
Control distribution of media
Track media when transported
Destroy media when no longer needed (cross-cut shred, degauss, etc.)

Point of Interaction (POI) Devices:

Maintain inventory of POI devices
Periodically inspect devices for tampering
Train personnel to detect tampering
Document device inspection procedures

Phase 6: Monitoring and Testing (Requirements 10-11)

Requirement 10: Logging and Monitoring

Audit Logging:

Implement logging on all CDE systems
Log user access to cardholder data
Log administrative actions
Log access to audit logs
Log invalid access attempts
Log changes to identification mechanisms
Log initialization/stopping of audit logs
Log creation/deletion of system objects

Log Details:

Include user identification in logs
Include event type
Include date and time
Include success/failure indication
Include origin of event
Include identity of affected resource

Log Management:

Synchronize all system clocks (NTP)
Secure audit trails against modification
Retain logs for at least one year
Keep at least 3 months immediately available
Implement daily log review process
Configure alerts for security events

Security Monitoring:

Implement file integrity monitoring on critical files
Configure alerts for unauthorized changes
Document response procedures for alerts

Requirement 11: Security Testing

Wireless Detection:

Inventory authorized wireless access points
Perform quarterly wireless scans or use wireless IDS
Investigate unauthorized wireless access points

Vulnerability Scanning:

Perform quarterly internal vulnerability scans
Perform quarterly external scans by Approved Scanning Vendor (ASV)
Rescan until passing results achieved
Address high and critical vulnerabilities
Scan after significant changes

Penetration Testing:

Perform annual penetration test
Test from both inside and outside the network
Include network-layer and application-layer testing
Test segmentation controls (if using segmentation)
Address findings and retest
Document methodology and results

Change Detection:

Implement mechanism to detect unauthorized changes to payment pages
Monitor HTTP headers and scripts on payment pages (v4.0 requirement)

Phase 7: Governance (Requirement 12)

Information Security Policy

Establish information security policy
Review policy annually
Assign responsibility for security program
Define security responsibilities for all personnel

Acceptable Use:

Document acceptable use policies for technology
Require acknowledgment from personnel
Address remote access, mobile devices, and removable media

Risk Assessment:

Perform formal risk assessment annually
Identify critical assets and threats
Evaluate vulnerabilities and likelihood
Document risk mitigation strategies
Perform targeted risk assessments as required

Personnel Security:

Screen personnel with access to CDE (background checks)
Train all personnel on security awareness annually
Train relevant personnel on PCI DSS requirements
Document training completion

Service Provider Management:

Maintain list of all service providers
Document services provided and responsibilities
Obtain written agreements acknowledging PCI DSS obligations
Review service provider compliance status annually
Monitor service provider compliance

Incident Response:

Create incident response plan
Define roles and responsibilities
Establish communication procedures
Include notification requirements (card brands, law enforcement)
Document containment and recovery procedures
Test incident response plan annually
Update plan based on lessons learned

Phase 8: Validation

Complete Self-Assessment

Gather all evidence of compliance
Complete appropriate SAQ
Sign and date attestation
Submit to acquiring bank (if required)

Ongoing Compliance

Quarterly:

External ASV vulnerability scans
Internal vulnerability scans
Wireless access point scans
Review and secure deletion of unnecessary data

Annually:

Complete SAQ or QSA assessment
Penetration testing
Risk assessment
Security awareness training
Policy reviews
Service provider compliance reviews
Access privilege reviews
Firewall rule reviews
Incident response plan testing

Frequently Asked Questions

How long does it take to become PCI DSS compliant?

For SAQ A: A few weeks with proper payment integration. For SAQ D: 3-6 months typically, depending on starting point and resources.

What's the minimum I need for SAQ A?

SAQ A covers approximately 27 questions (in v4.0) focused on: service provider management, physical security of payment devices (if any), policy documentation, and confirmation of proper integration with hosted payment forms.

Do I need a QSA for initial compliance?

Only Level 1 merchants and Level 1 service providers require a QSA assessment. Others can self-assess using the appropriate SAQ.

Need help navigating PCI DSS compliance for your organization? Talk to our team

Sources

PCI DSS v4.0.1 Requirements - Full requirements
PCI SSC SAQ Documents - Self-assessment questionnaires
PCI DSS Prioritized Approach - Phased implementation guidance

← PreviousPCI DSS for SaaS Companies Next →PCI DSS Penetration Testing Requirements

Back to PCI DSS guides

Bastion Platform

AI Compliance

All-in-One Security

Security Engineers

Tackle more frameworks without more effort.

Wall of Trust

Case Studies

By Company Size

By Industry

Blog

Learn Compliance

Developer

Company