Our updated interactive PCI Compliance IT Checklists outlines the most important aspects to achieve PCI compliance, breaking down the twelve different requirements of the PCI DSS. Each of the twelve requirements is broken down into what you'll need to do and have in place for PCI compliance.
With our interactive PDF, you'll be able to track your progress and make assignments for the twelve PCI requirements.
Using this checklist, you'll better ensure that you're not leaving gaps in your security and compliance efforts.
Who this IT Checklist is for:
CISO
IT manager/professional
Risk/compliance officer
PCI level 4 manager
Anyone responsible for implementing PCI compliance
Here's an example IT checklist page from the PDF:
*This checklist does not include every requirement and aspect of the PCI DSS. Please refer to the full standard if you have further questions or need to follow additional requirements.
The information described in this checklist is presented as a reference and is not intended to replace security assessments, tests, and services performed by qualified security professionals. Users are encouraged to consult with their companies’ IT professionals to determine their needs to procure security services tailored to those needs.
PCI Requirement 1 Checklist:
1. Firewall Implementation and Review
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Firewall(s)
“Deny All” rule for all other inbound and outbound traffic (1.2.1.b)
Documented business justification for each port or protocol allowed through the firewall (1.1.6a)
THINGS YOU WILL NEED TO DO
Limit traffic into the CDE to that which is necessary. (1.2.1.a)
Position firewall(s) to prohibit direct inbound and outbound traffic from the CDE. (1.3)
Create secure zone(s) for any card data storage, which must be separate from DMZ. (1.3.6)
Explicitly authorize outbound connections from the CDE. (1.3.4)
Document all firewall policies and procedures. (1.2.1.a, 1.2.1.b, 1.2.3, 1.3, 1.3.3, 1.3.5, 1.3.6)
THINGS YOU MAY NEED TO DO
Install a firewall between wireless networks and the CDE (wireless only). (1.2.3)
PCI Requirement 2 Checklist:
2. Configuration Standards
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
A secure way to access and manage systems in your environment (2.3)
An inventory of all hardware and software used in your CDE
Documented configuration standards for all types of systems in your CDE
THINGS YOU WILL NEED TO DO
Assign system administrator and knowledgeable personnel the responsibility of configuring system components. (2.2.4)
Implement a system hardening guide that covers all system components of your CDE. (2.2.a) Disable and uninstall any unnecessary programs, services, guest accounts, scripts, drivers, features, subsystems, file systems, and web servers. Document which services and programs are allowed. (2.2.2, 2.2.3, 2.2.5)
Change vendor-supplied default usernames and passwords. Remove or disable unnecessary default accounts before installing a system on the network (e.g., operating systems, security software, POS terminals, routers, firewalls, SNMP). (2.1.a, 2.1.b, 2.1.1.b, 2.1.1.c, 2.1.1.d, 2.1.1.e)
Document security policies and operation procedures for managing vendor defaults and other security settings. Inventory all systems within scope of the payment application environment and keep inventory up to date. (2.4, 2.5)
THINGS YOU MAY NEED TO DO
Use technologies, such as VPN, for web-based management and other nonconsole administrative access. Ensure all traffic is encrypted according to current standards. (2.1.1.d, 2.3)
If wireless Internet is enabled in your CDE, change wireless default settings including encryption keys, passwords, and SNMP community strings. (2.1.1)
Enable only one primary function per server (e.g., logging server, web server, DNS). (2.2.1)
PCI Requirement 3 Checklist:
3. Securing Cardholder Data
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
A documented data retention policy
A data flow diagram
THINGS YOU WILL NEED TO DO
Have employees acknowledge their training and understanding of the policy. (3.1, 3.6.8, 3.7)
Eliminate storage of sensitive authentication data after card authorization. (3.2.d, 3.2.1, 3.2.2, 3.2.3)
Mask out PAN on customer receipts. (3.3)
Understand guidelines for handling and storing cardholder data.
THINGS YOU MAY NEED TO DO
If PAN data is stored for business or legal reasons, details must be masked, truncated, or secured by strong cryptography. (3.4)
PAN storage should be accessible by as few employees as possible for business or legal reasons. This includes limited access to cryptographic keys, removable media, or hardcopy of stored details. (3.4.1, 3.5, 3.5.2, 3.5.3, 3.5.4, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7)
PCI Requirement 4 Checklist:
4. Transmitting Cardholder Data
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
An in-house policy to ensure you do not send unprotected PANs via end-user messaging technologies (4.2.b)
THINGS YOU WILL NEED TO DO
Check all related device configuration for proper encryption. Check with vendors to make sure supplied POS/POI devices are encrypting data appropriately. (Appendix A2)
Validate that POS/POI devices are not susceptible to any known exploits. Devices and software used to process credit cards need to be PCI DSS compliant. (Appendix A2.1)
Review all locations where CHD is transmitted or received. Examine system configurations. Review all devices and systems to ensure you use appropriate encryption within your CDE. You must safeguard sensitive cardholder data during transmission over open, public networks. (4.1, 4.1.1)
Use only trusted keys and certificates. Check inbound/outbound transmissions and verify that encryption keys and certificates are valid. Use secure configurations and proper encryption strengths. Do not support insecure versions or configurations. This means you will continually need to check for the latest encryption vulnerabilities and update as needed. (4.1)
Review and implement documented encryption standard best practices (4.1.1)
Review and implement policies and procedures for sending and receiving credit card data. (4.2.b)
Examine system configuration and adjust encryption configuration as needed. (4.1, 4.1.1)
THINGS YOU MAY NEED TO DO
Make sure TLS is enabled cardholder data is transmitted or received through web-based services. (4.1.a, 4.1.e)
If you are a service provider supporting older POS/POI terminals, review your Risk Mitigation and Migration Plan for environments that still need to use SSL and early TLS. (Appendix A2.2)
Prohibit the use of WEP–an insecure wireless encryption standard. (4.1.1)
PCI Requirement 5 Checklist:
5. Anti-Virus Updates
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO DO
Deploy anti-virus software on commonly affected systems (5.1, 5.2)
Protect all systems against malware and regularly update anti-virus software or programs. (5.1, 5.2.b)
Ensure anti-virus programs can detect, remove, and protect against all known types of malicious software. (5.1.1)
Maintain and evaluate audit logs with IT staff. (5.2.c)
Set anti-virus program to scan automatically. (5.2.b)
Make sure anti-virus program is updated automatically (with definitions kept current). (5.2.a, 5.2.b)
Ensure anti-virus program cannot be disabled or altered by users (i.e., admin access only). (5.3)
Document and review malware procedures; review with necessary staff. (5.4)
Examine system configurations and periodically evaluate malware threats to system. (5.1.2)
PCI Requirement 6 Checklist:
6. Software Updates
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Vendor supported programs, operating systems, and devices (6.2)
An update server (i.e., repository for systems to get updates)
A change management process
THINGS YOU WILL NEED TO DO
Have a process in place to keep up to date with the latest identified security vulnerabilities and their threat level. (6.1, 6.5.6)
Install all vendor-supplied security patches on all system components. (6.2.a)
Ensure all security updates are installed within one month of release. (6.2.b)
THINGS YOU MAY NEED TO DO
Set up a manual or automatic schedule to install the latest security patches for all system components.
PCI Requirement 7 Checklist:
7. Establish Access Control
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Written policy detailing access controls for systems in the CDE (7.1, 7.3)
REQUIRED FEATURES
Documented access control policies based on job classification and function (7.1, 7.1.1, 7.1.2, 7.1.3)
Roles and privilege levels defined (7.1, 7.1.1)
“Deny all” rule in place for access control systems (7.2.3)
THINGS YOU WILL NEED TO DO
Detail a written policy to include access to cardholder data based on job roles with privilege level, and approval/documentation of employee access. (7.1, 7.1.4)
Document policies in place with each employees’ role/access and train employees on their specific access level. (7.1, 7.3)
THINGS YOU MAY NEED TO DO
Implement access controls on any systems where cardholder data is stored and handled. (7.2.1)
Configure access controls to only allow authorized parties and deny all others without prior approval or access. (7.2.2, 7.2.3)
PCI Requirement 8 Checklist:
8. ID Credentials
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Multi-factor authentication for all remote access (8.3)
THINGS YOU WILL NEED TO DO
Monitor all remote access accounts used by vendors, business partners, or IT support personnel when the account is in use. (8.1.5.b)
Disable all remote access accounts when not in use. (8.1.5.a)
Enable accounts used for remote access only when they are needed. (8.1.5.a)
Implement a multi-factor authentication solution for all remote access sessions.
Configure multi-factor authentication with at least two of the following methods (8.3):
Something you know (e.g., password and username)
Something you have (e.g., one-time password)
Something you are (e.g., fingerprint or retinal scan)
PCI Requirement 9 Checklist:
9. Improving Physical Security
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Policies and procedures that limit the access to your physical media and devices used for processing
THINGS YOU WILL NEED TO DO
Restrict access to any publicly accessible network jacks. (9.1.2)
Keep physical media secure and maintain strict control over any media being moved within the facility and outside of it. (9.5, 9.5.1, 9.6.a)
Keep electronic media in a secure area with limited access (e.g., a locked office clearly marked “Management Only”) and require management approval before the media is moved from its secure location. (9.6.1, 9.6.3, 9.7)
Use a secure courier when sending media through the mail so the location of the media can be tracked. (9.6.2)
Destroy media in a way that it cannot be reconstructed; if the media is separated prior to destruction, keep the media in a locked container with a clear label of “To Be Shredded” or something similar. (9.8, 9.8.1)
Maintain a list of all devices used for processing, and train all employees to inspect devices for evidence of tampering. Training should include a process for verifying the identity of outside vendors wanting access to the machine, a process for reporting suspicious behavior around the machine, and a system to ensure employees know not to replace devices without management approval. (9.9.2, 9.9.3)
THINGS YOU MAY NEED TO HAVE
A set process to train employees about proper device management and a way to report any suspicious behavior around the processing device.
A secure location to keep media, including a second secure location, if business practice is to separate media no longer needed.
PCI Requirement 10 Checklist:
10. Logging and Log Management
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
An automated audit log tracking all security-related events for all system components
Audit logs that track:
Any action taken by an individual with root or administrative privileges (10.2.2)
Failed log-in attempts (10.2.4)
Changes to accounts–including elevation of privileges, account additions, and account deletions (10.2.5)
Identification of user, what the event type was, date and time of the event, whether the event was a success or failure, where the event originated from, and the name of affected data, system component, or resource (10.3.1-10.3.6)
THINGS YOU WILL NEED TO DO
Have a process in place to review logs and security events at least daily, in addition to any system component reviews, as defined by your organization for risk management strategy or other policies. (10.6.1.b, 10.6.2.b)
Have a process in place to respond to anomalies and exceptions. (10.6.3.b)
Keep all audit log records for at least one year and keep the last three months’ logs readily available for analysis. (10.7.b, 10.7.c)
A process for detecting and identifying wireless access points on a quarterly basis. The method should be able to identify all of the following wireless access points:
WLAN cards inserted into system components
Mobile devices used to create wireless access points (by USB or other means)
Wireless devices attached to a network port or device (11.1.a, 11.1.b, 11.1.c)
An inventory of authorized wireless access points with listed business justifications (11.1.1)
A change-detection mechanism installed within the CDE to detect unauthorized modifications to critical system files, configuration files, or content files (11.5.a)
THINGS YOU WILL NEED TO DO
Run quarterly internal vulnerability scans using a qualified internal resource or external third party (in either case, organizational independence must exist), and then re-scan all scans until high-risk (as defined in requirement 6.1) vulnerabilities are resolved. (11.2.1)
Run quarterly external vulnerability scans (through an ASV) and then re-scan until all scans obtain a passing status (i.e., no vulnerability scores over 4.0). (11.2.2)
Run internal and external scans, using a qualified resource, after any significant change to the network, and re-scan until resolved:
For external scans: No vulnerabilities scoring 4.0 or higher exist (11.2.2)
For internal scans: All high-risk vulnerabilities are resolved (11.2.3)
Configure your change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; configure the tools to perform critical file comparisons at least weekly. (11.5.b)
Have a process in place to respond to alerts generated by your change detection mechanism. (11.5.1)
THINGS YOU MAY NEED TO DO
If wireless scanning is used to identify wireless access points, scans must be run at least quarterly. (11.1.c)
If automated monitoring is used, monitoring should generate alerts to notify personnel. (11.1.d)
Create a plan of action in your business’s incident response plan for responding to the detection of unauthorized wireless access points, and take action if unauthorized wireless access points are found. (11.1.2)
If network segmentation exists, penetration testing procedures must confirm that segmentation is operational and isolates all out-of-scope systems from systems in your CDE. (11.3.4.a)
PCI Requirement 12 Checklist:
12. Corporate Policy and Documentation
Assigned to:
Assignment date:
Review date(s):
THINGS YOU WILL NEED TO HAVE
Written compliance and security policies
Charter for PCI DSS compliance program
Service providers must perform quarterly reviews to confirm policies and procedures are being followed
THINGS YOU WILL NEED TO DO
Ensure that each employee working in the CDE completes annual security awareness training. (12.6, 12.6.1)
THINGS YOU MAY NEED TO DO
Create a company policy documenting all critical devices and services within the payment processing environment. Some examples include laptops, tablets, email and Internet usage, remote access, and wireless access technologies. This policy should include acceptable uses and storage of these technologies. The general purpose of this policy is to thoroughly explain each employee’s role in the CDE. Review your policy and lists annually. (12.1-12.4)
Create and document an approval process for allowing employee access to technologies. Keep lists readily available and review them annually. (12.1-12.4)
Create an incident response plan in the event that cardholder data is compromised (12.10.1). Your plan should include the following:
Roles and contact strategies in the event of compromise
Specific incident response procedures
Business continuity and recovery procedures
Data backup processes
Analysis of legal requirements in reporting possible compromise
Critical systems coverage and response plans
Notification of merchant processor and payment card brands
Create and update a current list of third-party service providers (e.g., your IT provider, credit card machine vendor, and credit card receipt shredder)
The following will need to be completed annually regarding your service providers (12.8, 12.8.1):
Establish a process for engaging with third-party providers. Best practice would be to contact them by phone rather than taking inbound calls. Work by appointment with service providers onsite. (12.8.3)
Obtain or update a written agreement from third-party providers acknowledging their responsibility for the cardholder information they possess. Ensure they are following PCI compliance requirements themselves. (12.8.2)
Establish a process for engaging new providers, including research prior to selecting a provider.
.svg)
