PCI Compliance Checklist

The Payment Card Industry Data Security Standard (PCI DSS) is meant to protect consumers from fraud and other payment card abuse. These mandates were created by the major card brands and apply to any business that handles payment card data, whether by storing it, processing it, or transmitting it. If your business does any of these things, you’ll be subject to fines if you fail to abide by PCI compliance. Maintaining PCI compliance can be difficult and time-consuming. It’s a complex task that requires constant attention. Many companies find success in developing a compliance checklist to ensure that they’re abiding by all regulations set for them. The PCI DSS outlines 12 requirements.

PCI Compliance Checklist Requirements

Many businesses think 12 requirements are relatively manageable and make the mistake of assuming that compliance is easy and not time-consuming. Don’t make the same mistake: PCI compliance will take time and effort on your part.

The larger your business or corporation, the more complex PCI will become. It can quickly become a job for more than one person and you may eventually need a team to manage it.

Here are the requirements:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update antivirus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

As you can see, the requirements may not be as easy as they sound. Constant maintenance and attention will be required to be able to fully maintain PCI compliance. Here is the breakdown, step by step.

You and your team will want to meet to create the best PCI compliance checklist.

1. Install and Maintain a Firewall Configuration to Protect Cardholder Data

Firewalls will help your computer network defend against attacks. They’re vital for protecting consumers and act as the front line of defense in the event someone attempts to gain access to sensitive data. They work to block traffic that doesn’t meet predefined criteria. By utilizing one, you can grant access to the people who need it and deny access to everyone else.

2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

This rule is not as complicated as it may sound. Those who seek to gain access to sensitive card data know what they’re doing; they wouldn’t take the risk otherwise. Vendor default passwords and default settings that can compromise the integrity of your system are common knowledge amongst thieves. To fully protect consumers, you’ll need to change every vendor-supplied default password and review the other default security settings. It’s an easy step that adds a lot of value in terms of protection.

You’d be amazed at how many companies will simply forget to do this and it costs them big in the end.

3. Protect Stored Cardholder Data

This is a fairly broad mandate and can be met in many ways. However you choose to do this, adding multiple layers of protection will always be better than a single one. These methods include truncation, encryption, masking, and hashing. Ideally, you’re going to want to implement all of these protections to maintain proper compliance.
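To make the four methods concrete, here is an added example (not part of the original article or of Betterflows) in Python that truncates, masks and hashes a primary account number (PAN) and redacts Luhn-valid PANs from free text such as log lines. It assumes the PCI DSS v3.2.1 display rule of at most the first six and last four digits, a hypothetical 256-bit key for the keyed hash, and the well-known Visa test number as constructed input; encryption at rest is left to a proper library or HSM and is not shown here.

```python
import hashlib
import hmac
import re

# Constructed sample input: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

# Hypothetical key. In production it lives in a key-management system or HSM,
# never in source code.
HYPOTHETICAL_KEY = b"\x01" * 32

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def normalize_pan(pan):
    """Strip separators and enforce the 13 to 19 digit length range of a PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN is 13 to 19 digits")
    return digits


def luhn_valid(pan):
    """Luhn check-digit test; weeds out order numbers that merely look like PANs."""
    digits = [int(c) for c in normalize_pan(pan)]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Truncation: keep only the first six and last four digits and discard the
    middle permanently, so the full PAN is never written to storage."""
    digits = normalize_pan(pan)
    return digits[:6] + digits[-4:]


def mask_pan(pan):
    """Masking for display: the same visible digits, middle replaced by asterisks."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash (HMAC-SHA256). The key is what defeats brute force:
    once the BIN is known, an unkeyed SHA-256 of a 16-digit PAN leaves only
    about 10^9 candidates, which an attacker can enumerate offline."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans(text):
    """Mask anything in free text (log lines, tickets) that is a Luhn-valid PAN,
    so cardholder data does not leak into systems outside the cardholder
    data environment."""
    def _mask(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("hashed:   ", hash_pan(SAMPLE_PAN, HYPOTHETICAL_KEY))
    print(redact_pans("card 4111 1111 1111 1111 charged, order 1234567890123456"))
```

Two caveats a reviewer would raise: if the truncated and the hashed form of the same PAN are both kept, they must not be stored where they can be correlated, because together they narrow the search space for the hidden digits; and the key used by `hash_pan` must be rotated and protected like any other cryptographic key.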

If you need a good reason, ask the management of Target how important protecting stored cardholder data is. Back in 2014, Target incurred a direct financial cost of $145 million because of a data breach between 2013 and 2014. Beyond direct financial losses, if a breach occurs, your business will also suffer falling stocks and a decline in consumer confidence. Both of these aspects are key in the success of your organization and you should strive to maintain proper protection at all times.

Encrypting data is an integral part of a PCI compliance checklist.

4. Encrypt Transmission of Cardholder Data Across Open, Public Networks

This is another layer of protection for the consumer. You’ll need to encrypt cardholders’ sensitive data as well as authentication information while either one is being transmitted. Transmissions are frequently targeted by criminals because they’re relatively easy to intercept. By encrypting sensitive information, you deny potential wrongdoers the opportunity to read it off the transmission. This is essentially a second level of protection if the transmission is intercepted.
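For services written in Python, the transport setting that most often undermines this requirement is a client that disables certificate checking or still accepts SSL and early TLS. The following is an added example, not code from the article, showing the weak configuration next to the corrected one together with a small audit function that reports the gaps; the function and constant names are this example’s own.

```python
import ssl


def legacy_client_context():
    """The weak setting: certificate and hostname verification switched off,
    as often seen in code written to make a certificate error go away."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, so any interceptor
    return ctx


def hardened_client_context():
    """The corrected setting: verify the server certificate against the system
    trust store, check the hostname, and refuse SSL and early TLS."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # PCI DSS bars SSL/early TLS
    return ctx


def check_context(ctx):
    """Return the list of problems a reviewer would flag on a client context."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled")
    if not ctx.check_hostname:
        issues.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("SSL/early TLS permitted")
    return issues


if __name__ == "__main__":
    print("legacy:  ", check_context(legacy_client_context()))
    print("hardened:", check_context(hardened_client_context()))
```

The same three checks apply on the server side of a connection: a server context should also set `minimum_version` to TLS 1.2 and, where clients authenticate with certificates, require them.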

5. Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

This may seem like common sense, but it’s a simple step that can be quickly forgotten in the hustle and bustle of each day. To provide the best protection possible, you’re going to want your tools and resources to be up to date, because the world of cybersecurity is constantly evolving and updates will always be required. Anti-virus software must be installed and fully functional on all systems that are related to your business. On top of this, your security team will need to ensure that the software is always correctly configured and maintained according to current best practices.

6. Develop and Maintain Secure Systems and Applications

Vulnerabilities in your systems will always be exploited by criminals intent on gaining access to cardholder data. New vulnerabilities will appear constantly, and you’ll need to apply patches to your applications as they come up. This constant maintenance will be required as long as PCI compliance is mandated, and it can be one of the most time-consuming and costly factors in ensuring PCI compliance.

7. Restrict Access to Cardholder Data by Business Need to Know

Restricting access to cardholder data is one of the simplest and easiest ways to provide more protection for consumers. With fewer people touching the data, there will be fewer opportunities for intruders to access it. Thus, cardholder data should be given out on a need-to-know basis. No one in your organization who doesn’t explicitly need access to the data should be granted access to it. In 2015, employee error led the pack in reasons why data breaches occurred. This step is one of the most important because it can drastically reduce the issues on your end without much effort. Identifying process vs procedure during this step can be helpful. Try using a template to make life easier.

8. Identify and Authenticate Access to System Components

Each person who has been granted access to cardholder data will need their own personal, unique identification and set of credentials. By having these credentials mandated, you’ll be ensuring that each person who is accessing the cardholder data is the appropriate person. This will also hold those who access the data accountable if something were to go wrong.

9. Restrict Physical Access to Cardholder Data

If you have cardholder data located in a physical space rather than online, these spaces should be restricted and granted only to those who need to know. In the same vein, computers that can grant access to cardholder data will also need to be restricted to those who are granted access.

10. Track and Monitor All Access to Network Resources and Cardholder Data

You’ll need system traces, log files, and other resources and tools that track who is accessing cardholder data and when and where they do it. This added level of accountability will help you understand what happened if something were to go wrong.
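Requirements 7, 8 and 10 come together when the access logs are actually reviewed. Below is an added example (not part of the article) in Python that reads a constructed CSV access log for a cardholder data store and flags the three things a reviewer would look for first: a user who is not on the authorised list, access outside business hours, and unusually large reads. The log format, the user names and the thresholds are all assumptions of this example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample log in the CSV shape this example assumes (not a real
# product's format). Timestamps are UTC.
SAMPLE_LOG = """timestamp,user,action,resource,records
2024-03-04T09:12:01Z,alice,read,cardholder_db,3
2024-03-04T23:40:15Z,bob,read,cardholder_db,2
2024-03-04T10:05:44Z,mallory,read,cardholder_db,1
2024-03-04T11:30:00Z,alice,export,cardholder_db,5000
2024-03-04T12:00:00Z,bob,read,inventory_db,10
"""

# Hypothetical access list: the people with a business need to know (req. 7),
# each identified by a unique ID (req. 8).
AUTHORISED_USERS = {"alice", "bob"}
CARDHOLDER_RESOURCES = {"cardholder_db"}


def parse_log(text):
    """Turn the CSV text into a list of events with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["records"] = int(row["records"])
        events.append(row)
    return events


def audit_access(events, authorised=AUTHORISED_USERS, resources=CARDHOLDER_RESOURCES,
                 business_hours=(8, 18), bulk_threshold=1000):
    """Return (rule, user, timestamp) findings for access to cardholder data."""
    findings = []
    for e in events:
        if e["resource"] not in resources:
            continue  # only cardholder data resources are in scope here
        if e["user"] not in authorised:
            findings.append(("unauthorised-user", e["user"], e["timestamp"]))
        start, end = business_hours
        if not start <= e["timestamp"].hour < end:
            findings.append(("off-hours-access", e["user"], e["timestamp"]))
        if e["records"] >= bulk_threshold:
            findings.append(("bulk-access", e["user"], e["timestamp"]))
    return findings


def per_user_totals(events, resources=CARDHOLDER_RESOURCES):
    """Records of cardholder data touched per user, useful as a baseline."""
    totals = Counter()
    for e in events:
        if e["resource"] in resources:
            totals[e["user"]] += e["records"]
    return totals


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for rule, user, ts in audit_access(evts):
        print(f"{ts.isoformat()}  {rule:18s}  {user}")
    print(dict(per_user_totals(evts)))
```

In practice the thresholds should be derived from each user’s normal volume rather than a fixed number, and the findings should feed a ticket or alert rather than only being printed, so that the review itself leaves a trail.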

11. Regularly Test Security Systems and Processes

This step is often forgotten because it requires ongoing attention. Regularly testing your security systems will help you understand their faults and vulnerabilities. Once you understand these, you’ll be able to effectively remedy them.

12. Maintain a Policy that Addresses Information Security for all Personnel

This policy is meant to help your employees understand the standards that they’re expected to achieve. If someone is unsure of what the best practices for PCI compliance are, you can quickly find many mistakes and burdens coming your way. That’s why you must maintain a policy for employees and mandate that they read and understand it during employee orientation. Try incorporating this into your employee onboarding checklist.

Process Vs. Procedure and PCI Compliance

There are plenty of people who do not understand the difference between a process and a procedure. Management handles processes, while those in production usually implement procedures. PCI compliance is imperative for any company that collects payment information from clients. Creating the right processes and carrying out the right procedures daily can protect this vital information.

The following are processes and procedures that can help ensure PCI compliance:

  • Payment and cardholder information sent over an open network needs to be encrypted.
  • Passwords should be on a need-to-know basis, as data leaks can be caused by unhappy former employees.
  • Running antivirus software and having professionals do a risk assessment can work wonders.
  • Passwords need to be changed whenever an employee leaves the organization, under positive or negative circumstances.

Processes that help ensure the safety of information need to be carried out using the right procedures. Policies can be a huge help in reducing the risk of information being hacked.

Process Management and PCI Compliance

A business is comprised of multiple processes that all need to be optimized and improved regularly. Process management can be a huge task depending on the complexity of the processes. The management of processes includes their improvement, changes, and their analysis. PCI compliance can be encouraged through process management in the following ways:

  • Keep physical data safe by sharing its location only on a need-to-know basis.
  • Making security checks a part of daily tasks can ensure that information is protected appropriately.
  • A team of risk management professionals should test systems and processes to identify potential weak areas in cybersecurity.
  • When information is being transmitted on an open network, it is imperative that it is encrypted.

PCI compliance is imperative for a variety of reasons, including the large fines that come along with data leaks. Losing the trust of customers has happened to brands as large as Target and Home Depot. In today’s digital age, keeping information safe is important, as hackers are willing to sell sensitive information to the highest bidder.

Process Optimization and PCI Compliance

Process optimization is on the mind of nearly every manager looking to improve production at a business. Optimizing processes can be done with a complete overhaul or a small tweak to a process. Process optimization, when related to PCI compliance, will not deal with production but rather with keeping information safe. Far too many brands leave their customers’ payment information unencrypted, leading to leaks.

The following are reasons that PCI compliance should be optimized at a company:

  • Data leaks can lead to fines as well as lawsuits.
  • Customers losing trust in a company can produce negative long-term results.
  • Competitors could take advantage of a leak by stressing the processes they have in place to keep information safe.
  • The customer’s experience comes first; dealing with potential identity theft is not something people pay for.

Take the time to identify the processes that can improve the security of payment information of customers. Once risks have been identified put together an actionable plan to start optimizing today!
