PCI Audit – Checklist & Requirements

What is a PCI Audit?

The Payment Card Industry Data Security Standard, known widely as PCI DSS, is a set of security requirements intended to ensure that ALL businesses that accept, process, store or transmit payment card data do so securely. First published in 2004 by the major card brands (American Express, Discover Financial Services, JCB International, Mastercard and Visa), which later formed the PCI Security Standards Council (PCI SSC) to maintain it, the standard has evolved over the years; the latest version is 4.0.

Important Note: PCI DSS version 3.2.1 is being phased out and is retired on 31 March 2024, when PCI DSS v4.0 becomes the only active version of the standard. Requirements that v4.0 marks as future-dated remain best practice until 31 March 2025, after which they are mandatory.

PCI DSS 4.0, released in March 2022, adds new controls to address the current threat landscape and the way payment systems are built today. The stated goals of version 4.0 are:

  • to continue to meet the security needs of the payment industry
  • to promote security as a continuous process
  • to add flexibility for different methodologies
  • and to enhance validation methods.

Understand the controls that make up the PCI DSS and plan your compliance journey with our PCI DSS checklist found below.


PCI DSS 4.0: What’s New?

According to Emma Sutcliffe, SVP, Standards Officer of PCI SSC, “Version 4.0 is more responsive to the dynamic nature of payments and the threat environment.” It keeps the core security principles intact while adding flexibility to accommodate different technology setups. The changes are backed by additional guidance to help organizations meet PCI audit requirements and secure account data today and in the future.

Here’s a quick tour of what’s new:

PCI DSS 4.0: Key Modifications

The changes Emma Sutcliffe describes fall into three groups:

  • Outcome-Based Approach: v4.0 keeps the prescriptive "defined approach" but adds a "customized approach" for most requirements. An organization may meet a requirement's stated objective with controls of its own design, provided it documents them in a controls matrix, performs a targeted risk analysis and has its assessor test that they achieve the objective. This lets organizations fit controls to their own environment instead of the one the standard had in mind.
  • Security as a Continuous Process: roles and responsibilities must now be documented for every requirement, and targeted risk analyses are used to set how often periodic activities (log reviews, malware scans, training) are performed, so that compliance is maintained between assessments rather than reconstructed before each one.
  • Addressing Emerging Risks: new and expanded requirements cover, among other things, multi-factor authentication for all access into the cardholder data environment, stronger password rules, keyed hashing of stored PAN, protection of payment pages against malicious scripts, and an automated technical solution (for example a web application firewall) in front of public-facing web applications. Most of these are future-dated and become mandatory on 31 March 2025.

How Long Does a PCI Audit Take?

The scope of the cardholder data environment, the complexity of the business and IT processes, and the maturity of existing controls are the main drivers of how long a PCI assessment takes. Level 1 merchants and service providers, which must complete an on-site assessment by a Qualified Security Assessor (QSA) or a qualified internal assessor, should plan for up to a year from initial gap analysis to a signed Report on Compliance. An entity that already runs a mature security program can finish considerably faster; one with a large, poorly segmented card environment should reduce its scope first.

The 12 Requirements Checklist

The PCI DSS is made up of 12 requirements, each assessed and reported in a prescribed format: either a Report on Compliance (ROC) completed by an assessor, or a Self-Assessment Questionnaire (SAQ) completed by the entity itself.

All 12 requirements apply to every entity that handles cardholder data. What varies is how compliance is validated. Your merchant level, set by the card brands according to the number of transactions you process annually (and whether you have suffered a breach), determines whether you need a ROC or may self-assess. Your SAQ type, determined by how you accept cards (for example fully outsourced e-commerce versus card-present terminals on your own network), determines which subset of the requirements the questionnaire covers.

You can determine your Merchant Level here with our deep explanation of merchant levels, SAQ’s and reporting requirements.

The 12 technical and operational requirements of the PCI DSS were established to set a baseline for protecting account data and are widely accepted as a benchmark for information security. The titles below follow the familiar v3.2.1 wording; v4.0 keeps the same 12 requirements but rewords several (Requirement 1, for example, becomes "Install and maintain network security controls"). Let’s take a look at the requirements themselves.

  1. Install and maintain a firewall configuration to protect cardholder data

INSTALL A FIREWALL FOR HARDWARE AND SOFTWARE WITH STRICT RULES

The purpose of the firewall is to control traffic between your network and untrusted networks, including the internet. It is a basic technical defense when configured to deny all traffic by default and to permit only the protocols and ports the cardholder data environment (CDE) actually needs, inbound and outbound. Every permitted rule should carry a documented business justification, and the rule set must be reviewed at least every six months. In PCI DSS v4.0 this requirement is worded as "install and maintain network security controls", so cloud security groups and host-based firewalls count as well as network appliances.
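The rule-set review described above, as an added example (this is not code from the page or from Centraleyes). It audits a simplified, hypothetical rule table of the kind exported from a firewall or cloud security group: it flags any allow rule that admits the whole internet into a CDE network, any port into the CDE that is not on the documented allow list, any rule with no recorded justification, and a table that does not end with an explicit deny-all. The rule format, the CDE ranges and the sample tables are constructed for the demonstration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry in a simplified firewall / security-group rule table (hypothetical format)."""
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dport: str         # destination port, or "any"
    comment: str = ""  # business justification, which the assessor will ask for


ANY = ipaddress.ip_network("0.0.0.0/0")


def review_rules(rules: list[Rule], cde_networks: list[str], allowed_ports: set[str]) -> list[str]:
    """Return findings for rules that expose the CDE more than the documented policy allows.

    Checks performed:
      * no 'allow' rule may admit the whole internet (0.0.0.0/0) into a CDE network
      * every 'allow' into the CDE must use a port on the documented allow list
      * every 'allow' into the CDE must carry a business justification
      * the table must end with an explicit deny-all so undocumented traffic is dropped
    """
    cde = [ipaddress.ip_network(n) for n in cde_networks]
    findings: list[str] = []
    for i, r in enumerate(rules):
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if r.action != "allow" or not any(dst.overlaps(n) for n in cde):
            continue
        if src == ANY:
            findings.append(f"rule {i}: any source allowed into CDE {r.dst} port {r.dport}")
        if r.dport == "any" or r.dport not in allowed_ports:
            findings.append(f"rule {i}: port {r.dport} into CDE is not on the documented allow list")
        if not r.comment:
            findings.append(f"rule {i}: no documented business justification")
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny"
            or ipaddress.ip_network(last.src) != ANY or ipaddress.ip_network(last.dst) != ANY):
        findings.append("rule set does not end with an explicit deny-all")
    return findings


# Constructed sample data: a loose rule table and its hardened replacement.
CDE_NETWORKS = ["10.10.0.0/24"]
DOCUMENTED_PORTS = {"443", "22"}

LOOSE_RULES = [
    Rule("allow", "0.0.0.0/0", "10.10.0.0/24", "443", "payment app"),
    Rule("allow", "10.20.0.0/16", "10.10.0.0/24", "any", "corporate LAN"),
]

HARDENED_RULES = [
    Rule("allow", "192.0.2.0/24", "10.10.0.0/24", "443", "DMZ web tier to payment app"),
    Rule("allow", "10.30.1.5/32", "10.10.0.0/24", "22", "admin jump host only"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "default deny"),
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("hardened", HARDENED_RULES)):
        print(name, review_rules(rules, CDE_NETWORKS, DOCUMENTED_PORTS) or "no findings")
```

The loose table produces three findings (internet-wide source, an "any" port from the corporate LAN, and no final deny-all); the hardened table produces none. The check is deliberately conservative: it treats any destination that overlaps a CDE range as in scope, which is how an assessor will read it.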

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

HARDEN YOUR SYSTEMS AND IMPLEMENT SYSTEM CONFIGURATION MANAGEMENT

A basic rule across information security: never leave vendor-supplied defaults in place. They are the simplest, tried-and-trusted way for an attacker to get into your network and systems, by guessing a password or simply searching for the default credentials of your hardware or software. Before any system component goes into production, change every default password, remove or disable default accounts you do not need, and change other default security parameters such as SNMP community strings and wireless keys; then keep systems on a documented hardening standard and disable services and protocols the system does not need. Password and configuration management should be one of your highest security priorities.

Password and configuration management will include:

  • Ensuring passwords cannot be guessed
  • Ensuring they are strong enough  
  • Ensuring there is no pattern to be deciphered
  • Ensuring passwords are changed with personnel changes 
  • Tracking new hardware and software needing to be configured
  • Ensuring passwords are updated regularly.
  3. Protect stored cardholder data

DESIGN YOUR CARD FLOW DIAGRAM, LOCATE ALL CARDHOLDER DATA AND ENCRYPT

Cardholder data can be found in different components of the payment system, whether in electronic storage, in processing, in transit or in physical form. Meeting this requirement means locating every place cardholder data exists, maintaining a diagram of how that data flows through your systems, and rendering the primary account number (PAN) unreadable anywhere it is stored, by truncation, index tokens, a keyed one-way hash or strong encryption with properly managed keys. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must never be stored after authorization, even encrypted, and PAN must be masked when displayed: the first six and last four digits are the most that may be shown.

Limiting where cardholder data is stored and how long you retain it reduces risk significantly and is part of this requirement: define a retention policy tied to business need, purge data that exceeds it at least quarterly, and prefer not to store PAN at all where a tokenization or point-to-point encryption service can do so on your behalf.
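The discovery and masking rules above, as an added example (this is not code from the page or from Centraleyes). It scans free text, such as a log file or database export, for Luhn-valid PAN candidates of 13 to 19 digits, masks them to the first six and last four digits for display, and truncates them to the last four for storage. The sample inputs are constructed; 4111 1111 1111 1111 is a publicly known test number, not a real card. Where the full PAN must be recoverable, use strong encryption with a managed key, and where only equality lookups are needed v4.0 requires a keyed hash; neither is implemented here.

```python
from __future__ import annotations
import re

# A PAN is 13 to 19 digits; allow a single space or dash between digit groups.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes it, which removes most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage-safe form when the full number is not needed: keep only the last four."""
    return pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form (e.g. before writing a log line)."""
    def _sub(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample: one valid test PAN, one number that fails the Luhn check.
    sample = "order 17 card 4111 1111 1111 1111 cvv 123; ref 4111-1111-1111-1112"
    print(find_pans(sample))
    print(redact(sample))
```

Running the discovery function over file shares, database dumps and log archives is the practical way to build the "where is cardholder data" inventory the requirement asks for; the CVV in the sample line is exactly the kind of sensitive authentication data that must not be in a log at all.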

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

  4. Encrypt transmission of cardholder data across open, public networks

ENCRYPT CARDHOLDER DATA IN TRANSMISSION AND USE SECURE LINES

As noted above, cardholder data on your systems must be rendered unreadable; the same applies while it is in transit over open, public networks such as the internet, wireless networks and mobile carrier networks. SSL (all versions) and early TLS (1.0 and 1.1) are no longer considered secure and must not be used to protect cardholder data; use TLS 1.2 or later with strong cipher suites, accept only trusted certificates, and never send unprotected PANs by end-user messaging technologies such as e-mail or instant messaging.
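The transport settings above, as an added example (this is not code from the page or from Centraleyes). It builds client and server TLS contexts with Python's standard ssl module that refuse anything below TLS 1.2 and require a verified certificate, shows the weak context pattern still found in old payment integrations beside it, and audits a context the way an assessor reads a configuration. The gateway host, port and payload in the connection helper are placeholders.

```python
from __future__ import annotations
import socket
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2   # SSL (all versions), TLS 1.0 and TLS 1.1 are excluded


def make_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """Client side: verify the server and refuse to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # loads trust store, enables verification
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side: the same floor, so a legacy client cannot downgrade the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The pattern assessors still find in old integrations: no verification, no protocol floor.
    Shown only so the audit below has something to reject; do not use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list[str]:
    """Audit a client context and list each setting that fails the requirement."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; SSL and early TLS must be disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required, so the endpoint is not authenticated")
    elif not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def negotiated_version_ok(version: str | None) -> bool:
    """Post-handshake check on SSLSocket.version(), which reports e.g. 'TLSv1.2' or 'TLSv1.3'."""
    return version in ("TLSv1.2", "TLSv1.3")


def send_to_gateway(host: str, port: int, payload: bytes, ctx: ssl.SSLContext | None = None) -> bytes:
    """Open a verified TLS connection, refuse a weak negotiated version, send and read a reply.
    host/port are placeholders for a payment gateway; not exercised in the tests."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not negotiated_version_ok(tls.version()):
                raise ssl.SSLError(f"refusing to send cardholder data over {tls.version()}")
            tls.sendall(payload)
            return tls.recv(4096)


if __name__ == "__main__":
    print("hardened:", context_findings(make_client_context()) or "no findings")
    print("legacy:", context_findings(legacy_client_context()))
```

Setting the floor on both ends matters: a server that still offers TLS 1.0 fails the external ASV scan even if every in-house client is modern, and a client without a floor will quietly accept whatever a misconfigured or hostile endpoint offers.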

  5. Use and regularly update anti-virus software and anti-malware programs

CREATE A VULNERABILITY MANAGEMENT PLAN AND UPDATE ANTI-VIRUS SOFTWARE

Deploy anti-malware software on all system components commonly affected by malware, keep the engines and signatures current, and make sure users cannot disable or alter it. Do this within a broader vulnerability management plan that alerts you to newly disclosed vulnerabilities in your system components. Scan e-mail for malicious content, and train employees to recognize phishing and not to click suspicious links, whatever the apparent source.

  6. Develop and maintain secure systems and applications

CONSISTENTLY UPDATE AND PATCH SYSTEMS, ESTABLISH SOFTWARE DEVELOPMENT PROCESSES 

This is a broad requirement covering vulnerability identification and risk ranking, installation of critical security patches within one month of release, secure coding practices and code review for bespoke and custom software, change management with separate development, test and production environments, and protection of public-facing web applications (in v4.0 an automated technical solution such as a web application firewall).

  7. Restrict access to cardholder data by business need to know

IMPLEMENT ACCESS CONTROL SYSTEM, RESTRICT ACCESS TO CARDHOLDER DATA

Though it may seem obvious, this requirement stipulates restricting access to cardholder data to those whose job requires it. Access management should define and record who has access to the cardholder data environment, assign roles and responsibilities clearly, and enforce least privilege through a role-based access control system whose default setting is to deny. This transparency and limited access greatly reduce the risk of internal and external compromise.

  8. Assign a unique ID to each person with computer access

USE UNIQUE ID CREDENTIALS FOR ALL AND CONFIGURE MULTI-FACTOR AUTHENTICATION

Each person with access to system components must have a unique ID and a private, non-default password, so that every login and every action can be traced to a known individual. Shared, group or generic accounts are not permitted except as a documented exception. Under PCI DSS v4.0, passwords must be at least 12 characters where the system supports it and contain both letters and numbers, an account must lock after no more than ten failed attempts, a new password may not match any of the previous four, and multi-factor authentication is required for all access into the cardholder data environment and for all remote network access. This is essential both for deterring and for uncovering unauthorized insider activity.
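The credential rules from Requirement 2 (no vendor defaults) and Requirement 8 (unique IDs with strong, unreadable, non-reused passwords), as one added example that is not code from the page or from Centraleyes. It enforces the v4.0 length and composition rule, rejects a candidate that appears on a vendor-default list, stores passwords as salted scrypt digests so the store is unreadable if it leaks, and uses those digests to enforce the last-four history check. The default-credential list is a short constructed sample; in practice load the full list for the products you run.

```python
from __future__ import annotations
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12       # v4.0 requirement 8.3.6 (v3.2.1 required 7)
HISTORY_DEPTH = 4     # requirement 8.3.7: not the same as any of the last four

# Constructed sample of vendor defaults; a real deployment loads the full list.
VENDOR_DEFAULTS = {"admin", "password", "password1", "changeme", "default",
                   "cisco", "root", "toor", "1234"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest; parameters keep memory use at 16 MiB per hash."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def new_record(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, digest) pair that is stored instead of the password."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def policy_violations(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means it may be set.

    history holds the (salt, digest) records of the account's previous passwords,
    oldest first, so the last HISTORY_DEPTH entries are the ones that may not be reused.
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("needs_letters_and_digits")
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("vendor_default")
    for salt, digest in history[-HISTORY_DEPTH:]:
        # Re-derive with the stored salt; constant-time compare avoids a timing side channel.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reused")
            break
    return problems


def change_password(history: list[tuple[bytes, bytes]], candidate: str) -> list[tuple[bytes, bytes]]:
    """Apply the policy and append the new record; raises if the candidate is rejected."""
    problems = policy_violations(candidate, history)
    if problems:
        raise ValueError(f"password rejected: {', '.join(problems)}")
    return history + [new_record(candidate)]


if __name__ == "__main__":
    # Constructed walk-through: a fresh account set to a default, then to acceptable passwords.
    print(policy_violations("admin", []))                 # rejected on three counts
    hist = change_password([], "Crimson-Ledger-2024")
    print(policy_violations("Crimson-Ledger-2024", hist)) # ['reused']
    print(policy_violations("Crimson-Ledger-2025", hist)) # []
```

The history check works on digests rather than plaintext precisely so that the previous passwords never need to be stored in recoverable form; each record keeps its own salt, which is why the candidate is re-hashed once per historical entry.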

  9. Restrict physical access to cardholder data

CONTROL AND TRACK PHYSICAL ACCESS AND TRAIN EMPLOYEES

Physical access to areas where system components holding cardholder data are found must be highly restricted. Systems must be in place to protect data systems and to alert you on intrusions, tampering or even just unauthorized access of these areas. Personnel should have unique key cards that log and track a physical audit trail for restricted parts of the building. As in most areas where employees pose a risk, security training and clear instructions will go far in helping to support this control.

  10. Track and monitor all access to network resources and cardholder data

IMPLEMENT LOG MANAGEMENT, ALERTS AND SYSTEM RULES

Establish log management, with rules and alerts, so that you can keep track of activity and be alerted to anomalies. Each audit record must identify the user, the type of event, the date and time, success or failure, where the event originated and the resource affected. Logs must be protected from alteration, reviewed at least daily (automated tools help), and retained for at least 12 months with the most recent three months immediately available. The quicker you can spot suspicious activity, the quicker you can react and limit damage, and a body of historical logs gives you the baseline against which anomalies stand out.
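The log rules above, as an added example that is not code from the page or from Centraleyes. It runs three checks over a constructed JSON-lines audit trail: that every record carries the fields the requirement demands, that repeated failed logins from one source reach the lockout threshold (which should already have locked the account, so the alert doubles as a check that lockout is working), and that cardholder-data reads come only from users on the approved list from Requirement 7. The log format, host names, IP addresses and user names are all constructed for the demonstration.

```python
from __future__ import annotations
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields every audit record must carry (v4.0 requirement 10.2.2 / v3.2.1 requirement 10.3).
REQUIRED_FIELDS = ("user", "event", "ts", "result", "origin", "resource")
LOCKOUT_THRESHOLD = 10            # v4.0 requirement 8.3.4 (v3.2.1 allowed 6 attempts)
WINDOW = timedelta(minutes=30)


def constructed_log() -> str:
    """Constructed JSON-lines audit trail for the demo; not real data."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def rec(minute: int, **fields) -> dict:
        return {"ts": (base + timedelta(minutes=minute)).isoformat(), **fields}

    rows = [rec(i, user="svc-pos", event="login", result="failure",
                origin="203.0.113.7", resource="pos-gw-01") for i in range(11)]
    rows += [
        rec(12, user="jdoe", event="login", result="success", origin="10.0.5.21", resource="pos-gw-01"),
        rec(13, user="jdoe", event="chd_read", result="success", origin="10.0.5.21", resource="card-vault"),
        rec(14, user="contractor", event="chd_read", result="success", origin="10.0.9.3", resource="card-vault"),
        rec(15, user="jdoe", event="config_change", result="success", resource="pos-gw-01"),  # no origin
    ]
    return "\n".join(json.dumps(r) for r in rows)


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def incomplete_events(events: list[dict]) -> list[dict]:
    """Records missing a mandatory field cannot be used as evidence; flag them."""
    return [e for e in events if not all(k in e for k in REQUIRED_FIELDS)]


def brute_force_alerts(events: list[dict]) -> list[tuple[str, str]]:
    """(user, origin) pairs with LOCKOUT_THRESHOLD or more failed logins inside WINDOW."""
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "failure":
            failures[(e["user"], e["origin"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for key, times in failures.items():
        window: deque[datetime] = deque()
        for t in sorted(times):             # sliding window over the failure timestamps
            window.append(t)
            while t - window[0] > WINDOW:
                window.popleft()
            if len(window) >= LOCKOUT_THRESHOLD:
                alerts.append(key)
                break
    return alerts


def unauthorized_chd_access(events: list[dict], authorized_users: set[str]) -> list[tuple[str, str]]:
    """Cardholder-data reads by anyone outside the approved need-to-know list."""
    return [(e["user"], e["resource"]) for e in events
            if e.get("event") == "chd_read" and e["user"] not in authorized_users]


if __name__ == "__main__":
    evts = parse_events(constructed_log())
    print("brute force:", brute_force_alerts(evts))
    print("unauthorized CHD access:", unauthorized_chd_access(evts, {"jdoe"}))
    print("incomplete records:", [e["event"] for e in incomplete_events(evts)])
```

In production the same three checks run continuously in a SIEM against the forwarded logs; the point of the stand-alone version is that each alert is tied to a specific requirement, which is what the assessor will ask you to demonstrate.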

  11. Regularly test security systems and processes

CLEARLY UNDERSTAND ENVIRONMENT AND TEST REGULARLY

Security controls are only useful if they work. Find out how effective yours are by monitoring your systems and testing that they function as intended: quarterly internal vulnerability scans, quarterly external scans by a PCI SSC Approved Scanning Vendor (ASV), penetration testing of the cardholder data environment at least annually and after significant changes, detection of rogue wireless access points, and change-detection (file integrity monitoring) on critical files. A control that passed last year can quietly become ineffective after a change, which is why this requirement is about repetition.

  12. Maintain a policy that addresses information security for all personnel

RISK ASSESSMENT, INCIDENT RESPONSE PLAN AND DOCUMENT EVERYTHING

Information security policies are the backbone of your security plans and help to keep a record of procedures and controls, useful for analysis and reference. This control includes implementing a risk assessment process, creating an incident response plan, and ensuring there are policies and procedures recorded for everything. Your policies should address all employees and reflect your company’s commitment to PCI DSS compliance. 

The PCI DSS Checklist for 2022

  • Consider your card payment environment and establish which systems and components are within scope for the PCI audit.
  • Establish your merchant level or service provider status and determine your PCI DSS reporting requirements.
  • Draw up a diagram of exactly where cardholder data interacts with your systems in any form, whether it is stored, transmitted or passing through your website.
  • Take an inventory of IT assets and business processes for payment card processing and analyze for vulnerabilities.
  • Perform a risk assessment to identify gaps in security. (This can also help you establish a continuous security plan that makes compliance with any standard easier to achieve.)
  • Work through the PCI requirements that apply to your SAQ type or ROC and measure your compliance against each.
  • Remediate. 
  • Prepare for reporting.
  • Submit report.

Using automated compliance management software can be invaluable for ensuring you cover all the requirements and track your progress. Remediation can also be achieved with ease through automated remediation insights, assignments and tracking in a modern compliance solution. Choose software like Centraleyes that offers full preparation for each of the SAQs or the ROC of the PCI DSS and will pave the way from start to finish for a successful compliance journey. Watch a demo now and see why our customers enjoy complying with PCI DSS version 4.0.
