The PCI DSS Compliance Checklist

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data.

Data breaches can damage a company’s reputation. PCI compliance shows that you are taking strong precautions to protect your customers' payment data and to protect your business from a breach. Use our checklist to help you navigate the road to PCI DSS compliance.

Vanta makes it easy to prove your PCI DSS compliance. To help clarify your path towards compliance, we created this PCI DSS checklist. If you’d like to avoid this long and tedious process, our PCI DSS compliance solution can help.


Determine if your business needs to be PCI compliant

While not a legal requirement, PCI compliance is considered a necessity for anyone who processes, stores, or transmits payment information.

Large enterprise companies will often require PCI compliance before considering a vendor RFP or signing a contract.


Determine if your business is a merchant or service provider

A merchant directly accepts customer payments for goods and services.

A service provider may not directly accept payments, but comes into contact with payment data.


Determine your level

Merchants are classified as Levels 1 through 4.

Level 1 Merchants process more than 6 million transactions annually.
Level 2-4 Merchants process transactions below this threshold.

Service providers are classified in two levels.

Level 1 service providers process over 300,000 transactions per year.
Level 2 service providers process fewer than 300,000 transactions per year.

Complete the requirements for your level

Level 1 Merchants and Level 1 Service Providers must bear the cost of an onsite audit performed by an external Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), which produces a Report on Compliance (ROC).

Level 2, 3, or 4 Merchants and Level 2 Service Providers complete a Self-Assessment Questionnaire (SAQ) via a qualified internal resource or team, purchase a vulnerability scan, and sign an Attestation of Compliance (AOC) form.


Understand the costs of PCI compliance

Two types of costs you could incur are the costs to implement the PCI DSS standards and the costs to certify or document your compliance.

Costs vary from one business to another based on the size of your organization, the size of your network, your organization’s current security readiness, the number of transactions you process annually, and other factors.

Level 1 Merchants and Level 1 Service Providers must pay for an onsite audit.
Level 2, 3, or 4 Merchants and Level 2 Service Providers will have minimal costs.

Become PCI DSS compliant

Follow the 12 specific requirements of PCI DSS compliance:

Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

Consider streamlining PCI DSS compliance with automation

Transform manual data collection and observation processes into automated and continuous system monitoring.

Download this checklist for easy reference

Vanta automates security compliance.

Get PCI DSS compliant quickly and confidently with Vanta.