PCI DSS Checklist: Secure Your Business

Published on: 31 Jul 2023



The PCI DSS Checklist is a crucial first step in securing your business. It’s a tool that helps businesses ensure they’re meeting all the requirements of the Payment Card Industry Data Security Standard (PCI DSS). By following the steps outlined in the checklist, businesses can take a comprehensive approach to security measures and access controls, and respond to new threats posed by technological advancements.

After completing all the applicable requirements and steps mentioned in the PCI DSS checklist, businesses may engage a Qualified Security Assessor (QSA) to perform a formal assessment of their compliance with the PCI DSS. The QSA will review the business’s security measures and access controls, and provide a report on their findings. If any areas of non-compliance are identified during the assessment, the QSA will report their findings to the business. It is then up to the business to engage a consultant or take other appropriate measures to address the areas of non-compliance.

To get started on your journey towards PCI DSS compliance, we recommend visiting the PCI DSS v4.0 Resource Hub and consulting the checklist to familiarize yourself with the requirements of Version 4.0 and prepare your organization for any changes.


The 12 Essential Steps to Achieving PCI DSS Compliance

1. Install and Maintain a Firewall:

Complying with PCI DSS requires meeting firewall requirements to protect payment card data. Firewalls control traffic and are the first defense against hackers, necessitating correct setup and rules specifying allowed traffic.

  • Create a Formal Procedure: Establish a standardized process for restricting network access by configuring rules and criteria for your firewalls and routers.
  • Maintain Documentation of Your Procedures: Keep a record of your process and create visual representations of cardholder data streams between systems and networks.
  • Conduct Periodic Evaluations of Your Configuration Guidelines: Regularly review your configuration rules and flowcharts, at least every six months, to ensure they continue to meet your business needs.
  • Segregation of Networks: This involves isolating the cardholder data environment (CDE) from the rest of the business’s network. Doing so can help reduce the scope of PCI DSS compliance and minimize the risk of data breaches.

2. Eliminate Vendor Default Settings:

PCI DSS Requirement 2 emphasizes strengthening your network to deter unauthorized access. Avoid default settings for servers, software applications, and network devices. Harden your security settings and maintain documentation of your configuration hardening procedures.

  • Change Default Passwords: Change the default passwords, usernames, and administration accounts that come with devices like firewalls and routers. This includes passwords used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, Wired Equivalent Privacy (WEP) keys, and default service set identifier (SSID) passwords.
  • Never Rely on Default Settings: Never rely on the default settings for any servers, network devices, or software applications. Make sure to upgrade your settings for all new devices and hardware.
  • Maintain Documentation: Maintain documentation for your configuration security hardening procedures.


3. Protect Stored Cardholder Data:

PCI DSS Requirement 3 reduces the risk of storing sensitive data by using encryption, truncation, masking, and hashing to protect cardholder data from attackers, and thereby keeps the organization compliant.

  • Utilize Robust Encryption Techniques: Secure stored data using robust encryption techniques and ensure proper management of encryption keys.
  • Truncate or Mask Full Primary Account Numbers (PANs): Truncate or mask full primary account numbers (PANs) when they are not required for business purposes.
  • Minimize the Storage of Unnecessary Cardholder Data: Reduce potential risks by minimizing the storage of unnecessary cardholder data.
  • Establish Formalized Policies for Data Retention and Destruction: Ensure that cardholder data is disposed of when it is no longer necessary by establishing formalized policies for data retention and destruction.
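The masking, truncation and hashing techniques listed above, as an added example that is not code from the original article: a small Python module that validates a PAN, renders the display form (at most the first six and last four digits visible), the truncated storage form (last four only, a choice made for this example), and a keyed lookup hash. The sample PAN and the HMAC key are constructed test values; a real key would come from the key-management process Requirement 3 calls for.

```python
"""Added example (not from the original article): PCI DSS Requirement 3
helpers for rendering and storing a primary account number (PAN).
The sample PAN and the HMAC key below are constructed test values."""
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes, then validate structure before any other handling."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails the Luhn check")
    return pan


def mask_pan(raw: str) -> str:
    """Display form: first 6 (BIN) and last 4 visible, which is the most a
    PCI DSS mask may reveal; everything between is replaced."""
    pan = normalize_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(raw: str) -> str:
    """Storage form when the full PAN is not needed for business: keep only
    the last 4 digits (this example's choice; truncation may keep at most
    first 6 plus last 4)."""
    pan = normalize_pan(raw)
    return pan[-4:]


def pan_reference(raw: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets two records for the same card be
    matched without storing the PAN. The key must be protected and rotated
    like an encryption key."""
    pan = normalize_pan(raw)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Constructed values: a well-known Luhn-valid test number and a placeholder key.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_KEY = b"placeholder-key-not-for-production"

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))        # 411111******1111
    print(truncate_pan(SAMPLE_PAN))    # 1111
    print(pan_reference(SAMPLE_PAN, SAMPLE_KEY))
```

A truncated PAN and a keyed hash of the same PAN should not be stored together where both are readable, since the pair narrows the search space for reconstructing the full number; keep the hash key out of the database that holds the truncated values.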


4. Encrypt Payment Data Transmission:

Protect cardholder data during transmission by knowing where it originates and where it is sent. Attackers target data in transit, so safeguards and encryption for every transmission path are essential. PCI DSS v4.0 will also offer guidance on multi-factor authentication.

  • Disable Weak Keys and Protocol Implementations: Disable weak keys and protocol implementations with known vulnerabilities, and use stronger implementations such as TLS 1.1 or higher instead of early SSL, SSH v1.0, or early TLS.
  • Never Send PANs or Other Cardholder Data Using Unencrypted Email: Never send PANs or other cardholder data using unencrypted email or other end-user messaging like instant messaging, chat, or forum sessions.
  • Encrypt Cardholder Data Prior to Transmission: Encrypt cardholder data prior to transmission using secure versions of protocols like TLS 1.1 or higher.


5. Update Antivirus Software Regularly:

PCI DSS compliance requires more than a basic antivirus installation. To prevent cybercrime, organizations must implement anti-malware solutions and take the following precautions:

  • Keep Antivirus Up-to-Date: Keep antivirus up-to-date in the cardholder information technology ecosystem (i.e., servers, workstations, laptops, and mobile devices).
  • Ensure Comprehensive Protection: Ensure that antiviruses can detect, remove, and protect against all malware types, including viruses, worms, Trojans, bots, and ransomware.
  • Regularly Generate Audit Logs: Antivirus software should be active, updated, and generate audit logs regularly.
  • Install Antivirus on All Systems: Install antivirus on all systems commonly infected with malware and ensure regular scans and audits.
  • Prevent User Removal or Replacement: Antivirus mechanisms should not be removable or replaceable by users.
  • Document and Understand Security Policies: Documentation and understanding of security policies and operating procedures are key to protect against malware attacks.


6. Deploy Secure Systems and Applications:

To protect against attackers exploiting security vulnerabilities, regularly install security updates and patches, and meet PCI DSS requirements by implementing processes to identify and classify the risks of each technology deployment. Organizations should take the following measures to enhance security:

  • Identify Security Vulnerabilities: Establish a process for identifying security vulnerabilities using trustworthy external sources such as Microsoft Security Bulletins and Cisco Security Advisories.
  • Assign Risk Rankings: Newly discovered security vulnerabilities should be assigned a risk ranking of “high,” “medium,” or “low,” and appropriate mitigation measures should be prioritized accordingly.
  • Conduct a Comprehensive Risk Assessment: After conducting a comprehensive risk assessment, equipment and software for processing or handling sensitive payment card information can be deployed.
  • Apply Patches in a Timely Manner: It is important to remember to apply patches in a timely manner, including patches for databases, point-of-sale terminals, and operating systems, as required by PCI DSS standards.


7. Restrict Cardholder Data as Necessary:

PCI DSS requires strict access control for payment card data. Access should only be granted on a need-to-know basis, with documented policies based on job function and seniority.

To control access, organizations should implement the following measures:

  • Maintain an Up-to-Date Log: Keep an up-to-date record of all users and their level of access to cardholder data.
  • Physical Security Requirements: Make sure every physical security requirement of PCI DSS is covered, not just the technical ones.
  • Review User Access: Review user access carefully and establish written policies defining privileges based on job functions and classifications.


8. Assign User Access Identification:

So basically, if you want to access cardholder data, you need your own username and password that’s hard to guess. And if you’re no longer allowed to access that data, your access has to be deleted. Oh, and sharing usernames and passwords is a no-go.

  • Minimum Length: Passwords must have a minimum length of seven characters and contain both numbers and letters.
  • Change Frequency: Passwords must be changed every 90 days by users.
  • Password History: The new password must differ from the previous four passwords.
  • Unique Passwords: When passwords are generated for a user, for instance, for a new user or when a password reset is required, the password must be unique to the user and changed after first use.
  • Account Lockout: When a user’s account is locked, the lock remains active for 30 minutes or until reset by a system administrator.
  • No Vendor-Supplied Defaults: Vendor-supplied defaults are not permitted.
  • Encryption: Passwords must be encrypted during transmission and storage.

In addition to unique access, PCI DSS requirements mandate the use of multi-factor authentication (MFA) mechanisms. This ensures that in the event of an internal data breach, activity can be traced back to specific users with near 100 percent certainty.
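The password rules listed above as a worked example: an added Python account model (not code from the original article) that enforces the seven-character minimum with letters and digits, rejects any of the last four passwords, forces a change on first use, expires passwords after 90 days, locks the account for 30 minutes after repeated failures, and stores only salted PBKDF2 hashes. The failed-attempt threshold that triggers the lockout is an assumption, since the article does not state it; times are Unix seconds so the logic can be exercised without a clock.

```python
"""Added example, not from the original article: an account model enforcing
the Requirement 8 password rules. MAX_FAILED_ATTEMPTS is an assumption (the
article gives the 30-minute lockout but not the attempt count)."""
import hashlib
import hmac
import os

MIN_LENGTH = 7
HISTORY_DEPTH = 4                 # last four passwords used, current one included
MAX_AGE_SECONDS = 90 * 24 * 3600  # change every 90 days
LOCKOUT_SECONDS = 30 * 60         # lock stays active for 30 minutes
MAX_FAILED_ATTEMPTS = 6           # assumption: not stated on the page
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the stored form is unreadable without the
    original password, which is how 'encrypted storage' is usually met."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password):
    """Return the list of minimum-length / letters-and-digits rule violations."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no letters")
    if not any(c.isdigit() for c in password):
        errors.append("no digits")
    return errors


class Account:
    def __init__(self, username, initial_password, now):
        self.username = username
        self.history = []            # (salt, digest) pairs, most recent last
        self.password_set_at = now
        self.must_change = True      # a generated first password is single-use
        self.failed_attempts = 0
        self.locked_until = None
        self._store(initial_password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.password_set_at = now

    def change_password(self, new_password, now):
        """Return [] on success, otherwise the list of rule violations."""
        errors = complexity_errors(new_password)
        if any(verify_password(new_password, s, d) for s, d in self.history):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        self._store(new_password, now)
        self.must_change = False
        return []

    def login(self, password, now):
        """Return one of: locked, invalid, change-required, expired, ok."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None          # 30 minutes elapsed
            self.failed_attempts = 0
        salt, digest = self.history[-1]
        if not verify_password(password, salt, digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "invalid"
        self.failed_attempts = 0
        if self.must_change:
            return "change-required"
        if now - self.password_set_at >= MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def admin_unlock(self):
        """The administrator reset the article mentions as the alternative to waiting."""
        self.locked_until = None
        self.failed_attempts = 0
```

The history check hashes the candidate against each stored entry rather than comparing plaintext, so the previous passwords never need to be kept in a recoverable form.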

9. Restrict Physical Access to Data:

Cardholder data is stored not only in the cloud but also in physical locations such as servers, data centers, and computer rooms. To comply with PCI DSS Requirement 9, organizations must implement physical security controls to restrict access to these areas. These controls include:

  • Badge Readers and Key-Controlled Locks: These should be used to restrict physical access to sensitive areas.
  • Video Cameras: These should be used to monitor sensitive areas.
  • Access Logs: These should be maintained to distinguish between employees and visitors.
  • Automatic Server Locking and Timeout Systems: These can ensure that login screens are locked when not in use.
  • Physical Access Restrictions: This requirement covers physical access to servers, paper files, and workstations that handle or transmit cardholder data.
  • Entry and Exit Monitoring: Entry and exit ways should be monitored using video cameras and general electronic monitoring.
  • Recordings and Access Logs: Recordings and access logs must be retained for at least 90 days.
  • Portable Media Protection: Portable media containing cardholder data must be physically guarded and destroyed when no longer necessary for business.

Compliance with these physical security measures, along with digital security measures, ensures PCI DSS compliance.



10. Track and Monitor Network Access:

Basically, if a company’s customer information is ever hacked or a suspicious event occurs, the company needs to be able to work out what caused it. Keeping good records of who accessed customer information and when is essential. PCI DSS Requirement 10 says companies have to keep records of certain activities, such as who accessed customer information.

  • Individual Access to Cardholder Data: Track each individual user’s access to cardholder data.
  • Invalid Access Attempts: Track failed and invalid access attempts.
  • Access to Audit Logs: Track all access to the audit logs themselves.
  • Other Transactions: Track other security-relevant transactions.
  • Monitoring and Review: Activity should be logged, monitored, and regularly reviewed.
  • Network Activity Logs: These should be kept and sent to a centralized server for daily review.
  • Security Information and Event Monitoring (SIEM) Tool: This can be used to log system activity and monitor for suspicious activity.
  • Audit Trail Records: These must be kept, time-synchronized, and maintained for at least one year as per PCI compliance requirements.
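A daily review of centralized logs along the lines the list above describes, as an added example that is not code from the original article: it parses a constructed key=value log format, tallies each individual’s successful access to cardholder data, flags a user whose invalid attempts reach a threshold (an assumed value), flags any read of an audit-log target, and flags a host whose timestamps run backwards, which is the symptom of the missing time synchronization the last bullet warns about. The log lines, field names and threshold are all constructed for this example.

```python
"""Added example (not the article's): a minimal Requirement 10 review over
centralized access logs. Log format, sample lines and the failure threshold
are constructed for this example."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+) "
    r"result=(?P<result>success|failure)$"
)
FAILURE_THRESHOLD = 5   # assumption: the article sets no number

# Constructed sample feed: bob fails repeatedly, alice reads cardholder data,
# a service account reads the audit archive, pos-02's clock jumps backwards,
# and one line is malformed.
SAMPLE_LOG = """\
2023-07-31T08:00:01Z host=app-01 user=alice action=read target=chd:card_vault result=success
2023-07-31T08:00:05Z host=app-01 user=bob action=login target=chd:card_vault result=failure
2023-07-31T08:00:09Z host=app-01 user=bob action=login target=chd:card_vault result=failure
2023-07-31T08:00:12Z host=app-01 user=bob action=login target=chd:card_vault result=failure
2023-07-31T08:00:15Z host=app-01 user=bob action=login target=chd:card_vault result=failure
2023-07-31T08:00:18Z host=app-01 user=bob action=login target=chd:card_vault result=failure
2023-07-31T08:01:00Z host=pos-02 user=alice action=read target=chd:card_vault result=success
2023-07-31T07:59:30Z host=pos-02 user=svc_backup action=read target=audit:syslog-archive result=success
this line is not in the expected format
""".splitlines()


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines):
    """Return per-user cardholder-data access counts and a list of findings."""
    findings = []
    chd_access = Counter()
    failures = Counter()
    last_ts = {}
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        # Time synchronization: within one host's feed, time must not go backwards.
        prev = last_ts.get(ev["host"])
        if prev is not None and ev["ts"] < prev:
            findings.append(("clock-skew", ev["host"], ev["ts"]))
        last_ts[ev["host"]] = ev["ts"]
        # Access to audit logs is itself an auditable event.
        if ev["target"].startswith("audit:"):
            findings.append(("audit-log-access", ev["user"], ev["target"]))
        # Individual access to cardholder data.
        if ev["target"].startswith("chd:") and ev["result"] == "success":
            chd_access[ev["user"]] += 1
        # Invalid access attempts, reported once when the threshold is reached.
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILURE_THRESHOLD:
                findings.append(("repeated-failures", ev["user"], FAILURE_THRESHOLD))
    if unparsed:
        findings.append(("unparsed-lines", unparsed))
    return {"chd_access": dict(chd_access), "findings": findings}


if __name__ == "__main__":
    for item in review(SAMPLE_LOG)["findings"]:
        print(item)
```

Unparsed lines are reported rather than dropped: a logging pipeline that silently discards what it cannot parse is exactly the gap an investigator discovers too late.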

By implementing measures such as proper logging mechanisms and monitoring with video cameras and access logs, organizations can reduce the risk of theft or damage to cardholder data. Compliance with these measures, along with digital security measures, ensures PCI DSS compliance.

11. Ongoing Systems and Process Testing:

Once you’ve made sure your system is secure, keep an eye out for any new vulnerabilities or threats by testing your system components regularly. Don’t forget to check for unauthorized wireless devices, as that’s a popular way for attackers to get access to cardholder data.

PCI DSS Requirement 11 requires organizations to regularly scan for weaknesses and perform penetration tests to keep both internal and external networks safe, so stay on top of those measures too.

  • Quarterly Vulnerability Scans: These scans should be conducted on a quarterly basis.
  • Penetration Tests: These tests mimic a real-world attack to reveal areas of weakness in the environment. They should be conducted annually and after any significant change is made to the environment.
  • Periodic Wireless Analyzer Scanning: This must be performed on a quarterly basis to detect unauthorized access points.
  • External IPs and Domains: These must be scanned by a PCI Approved Scanning Vendor (ASV).
  • Internal Vulnerability Scans: These should be conducted quarterly.
  • Application and Network Penetration Test: A comprehensive test should be conducted annually.


12. Create and Maintain an InfoSec Policy:

Requirement 12 for PCI DSS is all about making sure that your company has a solid plan for keeping everyone’s information safe. It’s important to have a policy that everyone follows and takes seriously. This policy should cover things like who’s in charge of tech stuff and what everyone needs to do to keep everything secure.

  • Scope: The policy must apply to all employees, management, and relevant third parties.
  • Review: The policy must be reviewed annually and updated as necessary.
  • Distribution: The policy must be distributed to all internal and third-party users, with all users acknowledging and reading the policy.
  • Training: The policy must include user awareness training and employee background checks to prevent unauthorized access to cardholder data.
  • Security Awareness Training Programs: The organization must implement security awareness training programs for all employees.
  • Regular Security Policy Reviews: The organization must conduct regular security policy reviews to ensure that the policy remains up-to-date and effective.
  • Established Risk Assessment Processes: The organization must have established risk assessment processes in place to identify and mitigate security risks.
  • Incident Response Programs: The organization must have incident response programs in place to respond to security incidents.
  • Technology Usage Policies: The organization must have technology usage policies in place to govern the use of technology assets.

If organizations follow these requirements, they can protect cardholder data and make sure their information security policies are effective.

But if they don’t follow these requirements, it can have serious consequences. If there’s a data breach and investigators find out they weren’t following the requirements, they can be fined up to $10,000 a month. Plus, their reputation can be damaged from not taking the precautions recommended by PCI DSS. So, it’s better to play it safe and be compliant with PCI requirements.

Conclusion:

To sum up, PCI DSS v4.0 is making compliance easier and more adaptable for businesses. Be sure to stay informed by checking the FAQ section on the PCI Security Standards website. If you’re just starting your compliance journey, talk to your security team to figure out where you’re meeting requirements and where you need to improve. Consider working with a PCI compliance partner like VISTA InfoSec to get extra help. Their experts can help you meet all the requirements and keep your customers’ information secure. With their customer-focused approach, you can feel confident that your business is protected.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.