
PCI Compliance Checklist: A Guide to PCI DSS Requirements

By Citrin Cooperman's Cybersecurity Practice
Published on September 24, 2025

In today's digital economy, safeguarding payment card data is not just a best practice, it's a business necessity. The Payment Card Industry Data Security Standard (PCI DSS) was developed to help organizations protect cardholder data and reduce the risk of data breaches. Whether you're a merchant or a service provider, PCI compliance is mandatory if your business stores, processes, or transmits cardholder data, or could affect the security of payment card information.

This guide provides an overview of the PCI DSS requirements, helping organizations understand what compliance entails and how to begin the journey toward securing their payment environments.

What Is PCI DSS?

PCI DSS is a comprehensive security standard developed by the Payment Card Industry Security Standards Council (PCI SSC). This standard applies to all entities that handle cardholder data for major credit card brands such as Visa, Mastercard, American Express, Discover, and JCB.

Why PCI Compliance Matters

Compliance with PCI DSS is crucial not only to avoid fines and potential legal action but also to maintain customer trust and protect sensitive data from cyber threats. A data breach involving payment information can result in significant financial and reputational damage. PCI compliance ensures that entities follow protocols to protect customer payment card data, preventing breaches, identity theft, and fraud.

Overview of the PCI DSS Requirements

The PCI DSS consists of 12 core requirements, grouped into six overarching control objectives. Here’s a high-level summary:

  1. Build and Maintain a Secure Network and Systems

    • Requirement 1: Install and maintain network security controls (NSCs), such as firewalls.
    • Requirement 2: Apply secure configurations to all system components.
    • Context:
      • Install and Maintain Network Security Controls (REQ 1)
      • Apply Secure Configurations to All System Components (REQ 2)
    • Explanation:
      • Organizations must create and maintain a secure network environment, including wireless environments, to protect payment card data and the cardholder data environment (CDE) from unauthorized access. Processes and mechanisms for installing and maintaining network security controls (NSCs) must be defined and understood.
      • This objective ensures that network security controls, for example, firewalls, routers, and other network devices, are properly configured and maintained to prevent external and internal threats. This functionality may also be provided by virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology.
      • Changes to network connections and NSCs must not result in misconfiguration, implementation of insecure services, or unauthorized network connections.
    • Use Cases:
      • An organization configures firewalls to isolate the cardholder data environment (CDE) from the rest of the corporate network, allowing only necessary traffic through strictly defined rules. Use of NSCs to ensure that system components that store cardholder data (such as a database or a file) can only be directly accessed from trusted networks can prevent unauthorized network traffic from reaching the system component.
      • The IT team implements secure configuration standards for all system components, ensuring that default passwords are changed and unnecessary services and ports are disabled on all payment-related devices.
      • The organization utilizes a change management system to ensure that any changes to the network configurations and network connections are tested, approved, and documented and that all PCI requirements are reviewed to confirm compliance remains intact.
  2. Protect Cardholder Data

    • Requirement 3: Protect stored cardholder data.
    • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
    • Context:
      • Protect Stored Account Data (REQ 3)
      • Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks (REQ 4)
    • Explanation:
      • Cardholder data (CHD) is sensitive information that requires strict protection wherever it is stored or transmitted. Storage of CHD must be kept to a minimum, and sensitive authentication data (SAD), including full track data, card verification codes, and personal identification numbers (PINs), must not be stored after authorization.
      • This objective mandates encrypting cardholder data at rest, in transit, and when displayed, to maintain confidentiality and prevent unauthorized disclosure. Strong key management procedures must be defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse.
    • Use Cases:
      • Stored CHD is encrypted using industry-approved algorithms, and encryption keys are securely managed with restricted access.
      • Data transmitted over public networks, including wireless, is protected using strong transport layer security (TLS), ensuring cardholder data is encrypted end-to-end during payment processing. Certificates used to safeguard primary account numbers (PAN) during transmission over open, public networks are confirmed as valid and are not expired or revoked. An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
  3. Maintain a Vulnerability Management Program

    • Requirement 5: Protect all systems and networks from malicious software.
    • Requirement 6: Develop and maintain secure systems and software.
    • Context:
      • Protect All Systems and Networks from Malicious Software (REQ 5)
      • Develop and Maintain Secure Systems and Software (REQ 6)
    • Explanation:
      • Security threats constantly evolve, requiring organizations to proactively identify and fix vulnerabilities. This objective involves regularly scanning for security weaknesses (e.g., internal and external vulnerability scans, endpoint security scans) and promptly applying patches to reduce exposure to potential exploits.
      • Automated mechanisms must be implemented to prevent systems from becoming an attack vector for malware. Processes, training, and automated mechanisms must be in place to detect and protect personnel against phishing attacks.
      • Processes and mechanisms for developing and maintaining secure systems and software (including bespoke and custom software) are defined and understood. Software development personnel must remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop.
    • Use Cases:
      • Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood. Scans by malware solutions are performed at a frequency that addresses the entity’s risk.
      • The entity maintains awareness of evolving malware threats to ensure that any systems not protected from malware are not at risk of infection.
      • The security team performs regular automated vulnerability scans on all systems in scope and tracks remediation progress until all critical vulnerabilities are resolved.
      • Patch management policies ensure timely application of security patches to operating systems and applications to mitigate known vulnerabilities before exploitation.
      • Changes to all system components are managed securely and public-facing web applications are protected in real time against attacks.
      • Secure coding practices are implemented to prevent or mitigate common software attacks and related vulnerabilities.
  4. Implement Strong Access Control Measures

    • Requirement 7: Restrict access to system components and cardholder data by business need to know.
    • Requirement 8: Identify users and authenticate access to system components.
    • Requirement 9: Restrict physical access to cardholder data.
    • Context:
      • Restrict Access to System Components and Cardholder Data by Business Need to Know (REQ 7)
      • Identify Users and Authenticate Access to System Components (REQ 8)
      • Restrict Physical Access to Cardholder Data (REQ 9)
    • Explanation:
      • This objective enforces role-based access, unique user IDs, and strong authentication methods to limit and control who can access cardholder data, whether electronic or hard copy. Access and privileges to sensitive payment systems and areas must be restricted to authorized individuals only. Systems and processes must be implemented to limit access based on the need to know and according to job responsibilities. Procedures must be in place to manage all non-employee access to sensitive areas.
    • Use Cases:
      • User accounts with access to cardholder data are assigned based on least privilege principles, ensuring users only have the minimum access needed to perform their jobs.
      • All users are assigned a unique ID before access to system components or cardholder data is allowed.
      • Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.
      • Application and system account privilege assignments are verified periodically by management as correct, and nonconformities are remediated.
      • An automated access control system is in use and is set to “deny all” by default, so that only explicitly assigned access and privileges can be used.
      • Multi-factor authentication is required for all remote and administrative access to systems within the cardholder data environment to strengthen identity verification. MFA systems are resistant to attack and strictly control any administrative overrides.
      • When passwords/passphrases are used, industry standards for password complexity, reuse, and change frequency are applied. Passwords/passphrases used by application and system accounts cannot be used indefinitely and are structured to resist brute-force and guessing attacks.
      • Appropriate facility entry controls are in place to restrict physical access to network jacks, wireless access points, and systems in the CDE. Point-of-interaction (POI) devices are inspected, inventoried, and secured. Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.
      • Media with cardholder data is securely stored, accessed, distributed, and destroyed.
  5. Regularly Monitor and Test Networks

    • Requirement 10: Log and monitor all access to system components and cardholder data.
    • Requirement 11: Test security of systems and networks regularly.
    • Context:
      • Log and Monitor All Access to System Components and Cardholder Data (REQ 10)
      • Test Security of Systems and Networks Regularly (REQ 11)
    • Explanation:
      • Continuous monitoring helps detect suspicious activity and weaknesses in security controls early. This objective requires ongoing network monitoring, log reviews, and periodic penetration testing to identify and respond to threats effectively. Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs on all system components and in the CDE allows thorough tracking, alerting, and analysis when something does go wrong.
    • Use Cases:
      • Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and understood.
      • Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Access to audit logs is strictly controlled. Time-synchronization mechanisms support consistent time settings across all systems.
      • Failures of critical security control systems are analyzed, contained, and resolved, and security controls restored to minimize impact. Resulting security issues are addressed, and measures taken to prevent recurrence.
      • Intrusion detection systems (IDS) and/or intrusion prevention systems (IPS) are deployed to continuously monitor network traffic for suspicious activity targeting payment systems. Alerts generated by these mechanisms are responded to by personnel, or by automated means that ensure that system components cannot be compromised as a result of the detected activity.
      • Change- and tamper-detection mechanisms are implemented to ensure that unauthorized changes on payment pages are detected and responded to.
      • File integrity monitoring tools are utilized to ensure that critical files cannot be modified by unauthorized personnel without an alert being generated.
      • An inventory of authorized wireless access points is maintained, including a documented business justification. Unauthorized wireless access points are identified and addressed.
      • Quarterly scans, both internal and external, are performed and any vulnerabilities identified are corrected and re-scanned.
      • A penetration testing methodology is defined, documented, and implemented. Periodic penetration tests are conducted by internal or external teams to identify security weaknesses before attackers can exploit them. If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.
      • Multi-tenant service providers must support their customers’ need for technical testing either by providing access or evidence that comparable technical testing has been undertaken.
  6. Maintain an Information Security Policy

    • Requirement 12: Support information security with organizational policies and programs.
    • Context:
      • Support Information Security with Organizational Policies and Programs (REQ 12)
    • Explanation:
      • Clear policies and procedures guide the organization’s approach to securing cardholder data. This objective ensures organizations document and communicate security policies and provide employee training to uphold PCI DSS compliance.
      • Risks to the cardholder data environment are formally identified, evaluated, and managed. Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
      • PCI DSS compliance is managed as an ongoing program, and security awareness education is required at least annually. Personnel are screened to reduce risks from insider threats. Service providers must perform a review at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures.
      • PCI DSS scope is documented and validated annually (every six months for service providers) and after any change to the CHD or CDE.
      • Third-party service provider (TPSP) due diligence practices, as well as monitoring of TPSP compliance, are implemented to manage risk to information assets associated with TPSP relationships.
      • Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months. This applies to all cryptographic cipher suites and protocols used to meet PCI DSS requirements, including, but not limited to, those used to render PAN unreadable in storage and transmission, to protect passwords, and as part of authenticating access.
      • Hardware and software technologies in use are reviewed at least once every 12 months to ensure the entity’s hardware and software technologies are up to date and supported by the vendor. An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
      • An incident response plan exists, is reviewed annually, and is ready to be activated in the event of a suspected or confirmed security incident.
    • Use Cases:
      • The organization maintains documented security policies, including information security, acceptable use policies, incident response plans covering the handling and protection of cardholder data and devices and systems supporting the payment process. Policies are reviewed and updated annually.
      • A well-defined scoping methodology is implemented and performed annually prior to the annual PCI DSS assessment.
      • Targeted risk assessments (TRAs) are performed for each requirement that allows the entity to determine the frequency of the requirement activity.
      • All employees receive mandatory security awareness training related to PCI DSS requirements to ensure understanding and compliance across the organization.
      • Penetration testing (internal and external) is performed at least annually.
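The storage rules under Requirement 3 above (keep stored CHD to a minimum, never retain SAD after authorization, render PAN unreadable) are easiest to see in application code. The following is an added example written for this guide, not code from the article or from PCI SSC; the field names, the sample transaction and the key are constructed, and it covers the common case where the application only needs to recognise a card again (masked PAN plus a keyed hash) rather than retrieve the full PAN.

```python
"""Added example (not the article's own code): keeping stored account data
to the minimum PCI DSS Requirement 3 allows.  Field names and the sample
transaction are constructed for the demonstration."""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): full track data, card verification
# codes and PINs.  The field names are an assumption about the caller's record.
SAD_FIELDS = {"track1", "track2", "cvv", "cvc", "cid", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; catches mistyped PANs before they reach storage."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked PAN for display: at most the first 6 and last 4 digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_hmac(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN for matching without keeping the PAN itself.
    A keyed hash is used because an unkeyed hash of a 16-digit PAN can be
    reversed by exhaustive search over the possible account numbers."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def contains_sad(record: dict) -> bool:
    """Guard to run before any write to a log, database or file."""
    return any(k.lower() in SAD_FIELDS for k in record)


def prepare_for_storage(authorized_txn: dict, key: bytes) -> dict:
    """Return the record that may be persisted after authorization:
    SAD fields removed, PAN replaced by its masked form and keyed hash."""
    record = {k: v for k, v in authorized_txn.items() if k.lower() not in SAD_FIELDS}
    pan = record.pop("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    record["pan_masked"] = mask_pan(pan)
    record["pan_hmac"] = pan_hmac(pan, key)
    return record


# Constructed sample transaction using a well-known test card number.
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "4111111111111111=27121011000012345678",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    stored = prepare_for_storage(SAMPLE_TXN, b"constructed-demo-key")
    print("contains SAD before:", contains_sad(SAMPLE_TXN))
    print("contains SAD after: ", contains_sad(stored))
    print(stored)
```

The HMAC key is itself a cryptographic key in the sense of Requirement 3 and has to be generated, stored and rotated under the same key-management procedures as an encryption key; the hard-coded value above exists only so the example runs offline. Where the full PAN must be retrievable (for example for recurring billing), it is stored encrypted under a managed key instead of, or in addition to, the keyed hash.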
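Requirement 10 above asks for audit logs that support detection of anomalies, controlled access to the data they protect, and consistent time across systems. The following is an added example, not code from the article, showing what a daily log review can check mechanically; the log format, host names, user names, the allowed-account list and the sample lines are all constructed for the demonstration.

```python
"""Added example (not the article's own code): a mechanical log review of
the kind PCI DSS Requirement 10 describes, run over constructed audit lines.
Line format, hosts, users and the allowed-account list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: collector receive time first, then key=value pairs,
# including the sending host's own clock ("local=") for a time-sync check.
SAMPLE_LOG = """\
2025-09-24T10:00:01Z host=app01 local=2025-09-24T10:00:01Z user=alice action=LOGIN result=FAIL src=10.0.5.7
2025-09-24T10:00:20Z host=app01 local=2025-09-24T10:00:20Z user=alice action=LOGIN result=FAIL src=10.0.5.7
2025-09-24T10:00:41Z host=app01 local=2025-09-24T10:00:41Z user=alice action=LOGIN result=FAIL src=10.0.5.7
2025-09-24T10:01:02Z host=app01 local=2025-09-24T10:01:02Z user=alice action=LOGIN result=FAIL src=10.0.5.7
2025-09-24T10:01:25Z host=app01 local=2025-09-24T10:01:25Z user=alice action=LOGIN result=FAIL src=10.0.5.7
2025-09-24T10:01:50Z host=app01 local=2025-09-24T10:01:50Z user=alice action=LOGIN result=OK src=10.0.5.7
2025-09-24T10:02:10Z host=app01 local=2025-09-24T10:02:11Z user=bob action=LOGIN result=FAIL src=10.0.5.9
2025-09-24T10:04:00Z host=db01 local=2025-09-24T09:52:10Z user=svc_reports action=QUERY object=cardholder_pan result=OK src=10.0.9.2
2025-09-24T10:05:00Z host=db01 local=2025-09-24T09:53:10Z user=payments_api action=QUERY object=cardholder_pan result=OK src=10.0.8.1
"""

# Assumption: the only account approved (per Requirement 7) to read PAN.
ACCOUNTS_ALLOWED_ON_PAN = {"payments_api"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """One dict per line; timestamps converted to aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = parse_ts(ts)
        ev["local"] = parse_ts(ev["local"])
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)) -> list:
    """(user, src) pairs with at least `threshold` failed logins inside any
    sliding window of length `window`; a brute-force / guessing indicator."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("action") == "LOGIN" and ev.get("result") == "FAIL":
            fails[(ev["user"], ev["src"])].append(ev["ts"])
    flagged = []
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def unauthorized_pan_access(events) -> list:
    """Accounts that touched the PAN table without being on the allowed list."""
    return sorted({ev["user"] for ev in events
                   if ev.get("object") == "cardholder_pan"
                   and ev["user"] not in ACCOUNTS_ALLOWED_ON_PAN})


def clock_skew_hosts(events, tolerance=timedelta(seconds=60)) -> list:
    """Hosts whose own clock disagrees with the collector by more than
    `tolerance`; without synchronized time, event ordering across systems
    cannot be trusted during an investigation."""
    worst = defaultdict(timedelta)
    for ev in events:
        skew = abs(ev["ts"] - ev["local"])
        worst[ev["host"]] = max(worst[ev["host"]], skew)
    return sorted(h for h, s in worst.items() if s > tolerance)


def review(text: str) -> dict:
    events = parse_log(text)
    return {
        "login_bursts": failed_login_bursts(events),
        "unauthorized_pan_access": unauthorized_pan_access(events),
        "clock_skew_hosts": clock_skew_hosts(events),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Each check returns data rather than printing it so the findings can feed a ticketing or alerting step; the thresholds are parameters because Requirement 10 leaves the exact values to the entity's documented procedures and risk analysis.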

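The file integrity monitoring use case under Requirement 11 above comes down to a hashed baseline, a periodic comparison, and protection of the baseline itself. The following is an added example, not code from the article or any FIM product; the directory layout, file contents and key are constructed, and the baseline is sealed with an HMAC so that someone who can edit monitored files cannot also silently re-bless them by editing the baseline.

```python
"""Added example (not the article's own code): a minimal file integrity
monitor of the kind PCI DSS Requirement 11 calls for.  Paths, file contents
and the key are constructed for the demonstration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline with an HMAC; the key lives outside the
    monitored hosts so tampering with the baseline file is detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}).encode()


def open_baseline(sealed: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting a stored baseline; raise on mismatch."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def compare(baseline: dict, current: dict) -> dict:
    """Modified, added and removed paths between two scans."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Build a constructed payment-host tree, baseline it, simulate unauthorized
    changes plus an attempt to edit the baseline, and return the findings."""
    key = b"constructed-demo-key-keep-real-keys-in-a-secret-store"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "certs").mkdir()
        (root / "app" / "config.ini").write_text("tls_min_version=1.2\n")
        (root / "app" / "checkout.py").write_text("print('checkout')\n")
        (root / "certs" / "server.pem").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated changes between two monitoring runs.
        (root / "app" / "config.ini").write_text("tls_min_version=1.0\n")
        (root / "app" / "debug_hook.py").write_text("print('unexpected')\n")
        (root / "certs" / "server.pem").unlink()
        findings = compare(open_baseline(sealed, key), build_baseline(root))

        # Simulated tampering with the stored baseline to hide the config change.
        doc = json.loads(sealed)
        doc["baseline"]["app/config.ini"] = file_digest(root / "app" / "config.ini")
        try:
            open_baseline(json.dumps(doc).encode(), key)
            findings["baseline_tamper_detected"] = False
        except ValueError:
            findings["baseline_tamper_detected"] = True
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the comparison runs on a schedule, the set of monitored paths comes from the entity's list of critical files (binaries, configuration, certificates, payment pages), and every non-empty finding raises an alert that is handled under the incident response process described in Requirement 12.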
A Checklist to Achieve and Maintain PCI DSS Compliance

  1. Identify the card data environment (CDE) including all people, processes, technologies, and devices that directly or indirectly could affect the security of the payment card data and the CDE. This scoping must be completed annually and any time there is a significant change to the CDE.
  2. Conduct a gap analysis to assess current security practices against applicable PCI DSS requirements.
  3. Use the results of the gap analysis to guide remediation efforts, ensuring that technical and procedural controls are in place.
  4. Work with a Qualified Security Assessor (QSA) to ensure accurate scoping and adequate testing is performed. If a formal Report on Compliance (ROC) is required, a QSA must be engaged.
  5. Implement business-as-usual (BAU) processes as part of the overall security strategy to ensure that the security controls implemented to secure payment card data and the CDE continue to be applied correctly and are functioning properly as a normal course of business.
  6. Establish ongoing monitoring and training programs to support sustainment of compliance.

Final Thoughts

PCI DSS assessments are an annual regulatory obligation mandated by the card brands for all entities that accept payment cards as a form of payment. The PCI DSS requirements are more than a regulatory obligation; they are a blueprint for building a secure and resilient payment infrastructure. By understanding and implementing each requirement, businesses can significantly reduce their exposure to cardholder-related cyber risks and demonstrate a strong commitment to protecting customer data.

If your organization handles cardholder data, now is the time to evaluate your PCI compliance posture and take the necessary steps to secure your environment. For more information, contact Kevin Ricci or the Cybersecurity team at Citrin Cooperman.