PCI-DSS Merchant Onboarding Security Checklist
This checklist ensures new merchants comply with PCI-DSS requirements before processing payment card data. Each item is mapped to specific PCI-DSS control objectives and must be verified and documented during onboarding. Security teams should complete this checklist for every merchant integration to maintain compliance and reduce breach risk.
- Requirement 1.1: Verify the merchant has a documented firewall configuration policy and a network diagram showing all systems handling cardholder data.
- Requirement 2.1: Confirm all default passwords have been changed on network devices, servers, and administrative interfaces before deployment.
- Requirement 2.4: Document and restrict network access to the cardholder data environment; verify that segmentation or isolation is in place.
- Requirement 3.2: Validate that encryption keys used for payment processing are generated, stored, and managed according to PCI-DSS standards.
- Requirement 3.4: Verify the merchant uses strong cryptography (TLS 1.2+) for all cardholder data in transit.
- Requirement 4.1: Confirm all systems transmitting cardholder data use approved encryption protocols and no outdated SSL/TLS versions are enabled.
- Requirement 6.2: Verify all custom applications handling payment data have undergone secure code review or static application security testing before deployment.
- Requirement 6.5.10: Confirm broken access control mechanisms have been tested and fixed; validate authorization controls function correctly.
- Requirement 8.1.1: Document unique user IDs for all system users accessing cardholder data; disable shared or generic accounts.
- Requirement 8.2.3: Verify passwords meet minimum length (7 characters) and complexity requirements; implement password policy enforcement.
- Requirement 8.2.4: Confirm user authentication credentials are encrypted during transmission and storage; validate that no passwords are stored in plaintext.
- Requirement 8.3: Verify multi-factor authentication (MFA) is enabled for all remote access to systems containing cardholder data.
- Requirement 10.2: Document and test that all user access to cardholder data is logged with timestamps, user IDs, and actions performed.
- Requirement 10.3: Confirm access logs are protected from deletion or modification; validate log retention meets policy requirements (minimum 1 year).
- Requirement 11.2: Schedule and document quarterly vulnerability scans; verify remediation of identified vulnerabilities before production deployment.
- Requirement 11.3: Perform penetration testing of the cardholder data environment prior to going live; document all findings and remediation.
- Requirement 12.1: Obtain the merchant's written information security policy and confirm it addresses all PCI-DSS requirements.
- Requirement 12.3: Verify the merchant has designated a qualified security administrator with defined roles and responsibilities for PCI-DSS compliance.
- Requirement 12.6: Obtain signed acknowledgment that the merchant understands PCI-DSS requirements and agrees to maintain compliance.
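The transport-encryption items above (Requirements 3.4 and 4.1) call for evidence that a merchant endpoint negotiates only TLS 1.2 or higher. The following probe is an added example written for this checklist, not part of any PCI-DSS material or merchant tooling; it pins one protocol version per handshake using Python's standard ssl module and turns the results into pass/fail findings. The hostname "merchant.example" in the usage note is a placeholder, and SSLv2/SSLv3 are assumed out of scope for this probe because the ssl module cannot offer them.

```python
import socket
import ssl

# Versions the ssl module can pin explicitly; SSLv2/SSLv3 need a dedicated scanner.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
OUTDATED = {"TLSv1.0", "TLSv1.1"}  # below the TLS 1.2+ floor the checklist requires


def server_offers(host, port, version, timeout=5.0):
    """True/False if the server does/does not complete a handshake pinned to `version`;
    None if the local OpenSSL build cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test here,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate validation is deliberately off
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # this OpenSSL build was compiled without the version
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lowering it
        # makes the probe genuinely offer the legacy version instead of failing locally.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher string not understood (e.g. LibreSSL); probe with defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_tls_versions(host, port=443):
    """Map each version name to True (negotiated), False (refused) or None (unprobeable)."""
    return {name: server_offers(host, port, ver) for name, ver in PROBE_VERSIONS.items()}


def evaluate_tls_posture(offered):
    """Turn probe results (live or constructed) into findings for Requirement 4.1."""
    findings = []
    for name in sorted(offered):
        if name in OUTDATED and offered[name] is True:
            findings.append(f"{name} enabled (outdated)")
        elif name in OUTDATED and offered[name] is None:
            findings.append(f"{name} could not be probed; confirm with a dedicated scanner")
    if not any(offered.get(v) for v in ("TLSv1.2", "TLSv1.3")):
        findings.append("no TLS 1.2+ support")
    return {"compliant": not findings, "findings": findings}
```

Run `evaluate_tls_posture(probe_tls_versions("merchant.example"))` against the endpoint under review and attach the returned findings to the checklist record; a version reported as unprobeable is a gap in the evidence, not a pass.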