Security / February 10, 2025

PCI DSS Compliance Checklist and Guide

Security and compliance are two of the biggest challenges when you’re dealing with customers’ sensitive data — especially when you’re processing credit card payments. PCI DSS compliance was put in place to ensure businesses are doing everything in their power to protect customers’ credit card data.

Unfortunately, achieving and maintaining PCI DSS compliance isn’t as simple as installing antivirus software. There are several things you need to do to maintain compliance, from routine security system tests to encrypting credit card data. To help you get started, we’ve put together a PCI DSS compliance checklist that includes everything you need to know.

What Is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements published by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC was formed by American Express, Discover Financial Services, JCB International, Mastercard, and Visa Inc. in 2006.1 

PCI DSS deals specifically with how businesses handle their customers’ payment card data. When you accept card payments and store, process, or transmit cardholder data, that data has to be protected every step of the way. Firewalls and other network controls are part of that, but only part: the standard also covers stored data, encryption in transit, access control, logging, testing, and written policy.

There are 12 PCI DSS requirements you have to meet to achieve compliance.2 Each of them breaks down into sub-requirements with their own testing procedures, which is why achieving PCI DSS compliance can be a difficult task. The wording used in this article follows the v3.2.1 quick reference guide; PCI DSS v4.0, the only active version since March 31, 2024, keeps the same 12 requirement areas but reorganizes and expands the controls under them.

While the requirements are written by the PCI SSC, the PCI SSC does not itself enforce compliance. The payment brands and acquiring banks do, usually through the contract between a merchant and its acquirer, which can carry fines or, in the worst case, loss of the ability to accept cards. For example, Visa might act as the enforcer when a smaller retailer fails to maintain PCI DSS compliance.

There are four merchant compliance levels based on the number of card transactions you process each year. The 12 requirements apply at every level; what changes with the level is how you have to validate compliance (a self-assessment questionnaire versus an on-site assessment that produces a Report on Compliance) and how often.

Why Is PCI DSS Compliance Important?

PCI DSS compliance is important because it makes businesses protect the sensitive payment card data of their customers. Every time a customer makes a purchase online, their card data crosses the internet, and it is only safe there if the connection is encrypted, in practice with TLS. Encryption in transit protects against interception, but it is only one small aspect of protecting cardholder data.

PCI DSS combines encryption with a long list of other security measures to ensure businesses are protecting their customers. In addition to encryption, firewalls, and strong authentication, you also have to keep anyone without a business need away from physical access to cardholder data, whether that is a server room, a point-of-sale terminal, or a box of paper receipts. This makes achieving PCI DSS compliance a challenge, but it also provides essential protection for customers.

Non-compliance also comes with several potential consequences, including fines and penalties, data breach compensation costs, legal action, revenue loss, and damage to your reputation. Maintaining PCI DSS compliance helps you avoid these issues while creating a better customer experience, so customers can confidently patronize your business without worrying about data breaches.

PCI DSS Compliance Checklist

In order to achieve PCI DSS compliance, you have to meet all 12 requirements outlined by the PCI SSC. Here they are, in the wording of the PCI SSC quick reference guide:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel2

Now that you know the 12 PCI DSS requirements, let’s walk through how to achieve and maintain compliance, and where Gigamon fits in. The validation steps vary with the compliance level you fall under, but the checklist below covers the ground every merchant has to cover.

1. Determine your PCI DSS compliance level

The first thing you need to do is look at the four compliance levels to see where your business fits. The levels are defined by each payment brand and confirmed by your acquirer; here is how Visa defines them:

  • Level 1: Businesses that process over 6 million Visa transactions each year, or that a payment brand designates as Level 1
  • Level 2: Businesses that process 1 million to 6 million Visa transactions each year
  • Level 3: Businesses that process 20,000 to 1 million Visa e-commerce transactions each year
  • Level 4: Businesses that process fewer than 20,000 Visa e-commerce transactions, or up to 1 million total Visa transactions, each year

Count your transactions per year and per payment brand, and use that to determine how you must validate. Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor (QSA) or a certified internal assessor, producing a Report on Compliance (ROC); levels 2 to 4 normally validate with an annual Self-Assessment Questionnaire (SAQ). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required at most levels and for most SAQ types.

2. Create a team

Now that you know what level of PCI DSS compliance you’re expected to achieve, you can put together a team to streamline the process. Ideally, you want to include staff from various departments when you’re putting this team together — including data security, IT, and legal. This team will be responsible for achieving and maintaining PCI DSS compliance, so choose wisely.

3. Complete a Self-Assessment Questionnaire (SAQ)

The next step is completing a Self-Assessment Questionnaire (SAQ) to evaluate your current compliance with PCI DSS. There are several SAQs, chosen by how you accept, process, and store card data. E-commerce merchants that fully outsource the payment page to a PCI DSS validated third party (a full redirect or a hosted iframe) may qualify for SAQ A; merchants whose own web server influences the payment (a direct-post form, for example) use SAQ A-EP; merchants whose payment application is connected to the internet but who store no electronic cardholder data use SAQ C; and any merchant that stores cardholder data electronically, or fits none of the narrower questionnaires, must use SAQ D.

Once you’ve determined which SAQ is right for your business, complete the questionnaire to get a better understanding of your strengths and weaknesses in terms of PCI DSS compliance.

4. Secure your network

After you complete your SAQ, it’s time to put in place the network security controls Requirement 1 calls for: a firewall (or equivalent) between the cardholder data environment (CDE) and every untrusted network, including your own internal networks, with a documented, deny-by-default ruleset that is reviewed on a schedule. Segmenting the CDE from the rest of the network is not itself mandatory, but it shrinks the number of systems in scope, and any segmentation you rely on for scoping has to be verified by penetration testing. Even when the service providers you work with are PCI DSS compliant, the controls in your own environment remain your responsibility, and who covers which requirement should be written down in a responsibility matrix.

5. Implement strong passwords

Requirement 2 is about vendor-supplied defaults. Routers, firewalls, point-of-sale terminals, databases, and wireless access points ship with default accounts, passwords, SNMP community strings, and keys that are publicly documented, so change or disable them before a system enters the cardholder data environment, and harden each system against a documented configuration standard. For the credentials that replace them, and for user accounts in general, follow the NIST password guidelines (SP 800-63B) on length and screening against known-breached passwords, and use multi-factor authentication for administrative and remote access into the CDE, which PCI DSS requires.

6. Implement access controls

In most organizations, the large majority of employees don’t need access to cardholder data. Anyone who doesn’t have a business need for it shouldn’t have access; otherwise you’re only creating unnecessary risk. Restrict access to those who need it (Requirement 7), and give each of them, including administrators and vendors, a unique user ID with no shared accounts (Requirement 8). Unique IDs are what let you trace every action on cardholder data back to an individual, which is what the audit trail in Requirement 10 depends on.

7. Encrypt credit card data

Requirement 4 covers cardholder data in transit. Any cardholder data sent across an open, public network (the internet, wireless networks, cellular, satellite) has to be protected with strong cryptography; in practice that means TLS 1.2 or later with a trusted certificate, since SSL and early TLS are no longer acceptable. Encrypting internal traffic is not mandated by this requirement, but it is good practice and limits what an attacker who gets onto your network can see. There’s no specific product you have to use. The PCI SSC maintains a listing of validated point-to-point encryption (P2PE) solutions, and using one for card-present transactions can take the terminal-to-processor path out of your assessment scope.

8. Protect stored data

Storing card data comes with countless risks, so the best protection under Requirement 3 is not storing it at all: use a tokenization service or your processor’s vault. Sensitive authentication data (full magnetic stripe or chip data, the CAV2/CVC2/CVV2/CID security code, and PINs) must never be stored after authorization, even encrypted. If you must keep the primary account number (PAN), render it unreadable wherever it is stored (truncation, tokenization, strong encryption with managed keys, or a keyed cryptographic hash), mask it on display to at most the first six and last four digits, keep it out of logs and debug output, and purge it on a documented retention schedule. Firewalls and restricted access to the servers and devices that hold it still apply on top of that.
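An added example, not code from the article or from Gigamon, of the discovery side of Requirement 3, and of keeping PANs out of the Requirement 10 audit trail: it scans text for candidate card numbers, keeps only those that pass the Luhn (mod 10) check on which card numbers are defined, and masks them to the first six and last four digits. The log lines are constructed for the example. This is display masking for logs and exports only; a PAN you actually store still has to be truncated, tokenized, encrypted, or hashed as the text above describes.

```python
"""Find and mask primary account numbers (PANs) in logs or stored text.

Added example (not from the original article). Luhn-valid runs of 13-19
digits, optionally separated by spaces or dashes, are treated as PANs and
masked to first six / last four, the most PCI DSS v3.2.1 lets you display
to personnel without a business need for the full number.
"""
import re

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# not touching other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Test PANs only; the order IDs are 14-digit
# numbers that fail Luhn and must be left alone.
SAMPLE_LOG = """\
2025-02-10T12:00:01Z INFO checkout order=20250210000123 card=4111 1111 1111 1111 amount=42.00
2025-02-10T12:00:02Z DEBUG gateway request card=378282246310005 exp=1227
2025-02-10T12:00:03Z INFO refund order=20250210000124 ref=4111111111111112
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(candidate: str) -> str:
    """Remove the separators a candidate may contain."""
    return re.sub(r"[ -]", "", candidate)


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits, keeping its length."""
    digits = _strip(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, separators removed."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _strip(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form.

    Candidates that fail Luhn (order numbers, timestamps, typos) are left
    untouched so the log stays useful for investigation.
    """
    def _sub(m: re.Match) -> str:
        digits = _strip(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("found PAN ending in", pan[-4:])
    print(redact(SAMPLE_LOG))
```

Run over real log volumes, a Luhn filter still passes roughly one in ten random digit runs of the right length, so treat hits as leads to confirm, and fix the application that wrote the PAN rather than relying on redaction alone.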

9. File an Attestation of Compliance (AoC)

The final step is the Attestation of Compliance (AOC). It is not generated by the PCI SSC: it is a form you (or your QSA, for a ROC) fill in and sign to attest to the result of your SAQ or ROC. You submit the AOC, together with the SAQ or ROC and the ASV scan reports where required, to your acquiring bank or to whichever payment brand asked for it. Compliance is not a one-time event; you have to maintain the controls throughout the year and revalidate annually.

How Gigamon Can Help with PCI DSS Compliance

Network visibility is an essential part of achieving and maintaining PCI DSS compliance, and Gigamon can help. Gigamon Application Metadata Intelligence (AMI) can reduce planning and deployment time and streamline periodic PCI audits. You can use AMI to identify weak protocols and ports, monitor the certificates behind your PCI controls, and confirm which services and networks are actually in scope. That’s why Gigamon AMI and PCI DSS 4.0 compliance are a good match: network telemetry shows whether the guardrails you attest to, such as encrypted communications and segmentation, are really in place.

Achieving and maintaining compliance is easier with the power of Gigamon AMI. Visit the Gigamon AMI page to see how application metadata can help you achieve PCI compliance. If you have questions, contact our sales team to learn more.


References

  1. “About Us.” PCI Security Standards Council. 2024. https://www.pcisecuritystandards.org/about_us/
  2. “PCI DSS Quick Reference Guide.” PCI Security Standards Council. 2018. https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
