Checklist IT/Security PCI-DSS

PCI-DSS Self-Assessment Preparation Checklist

This checklist guides IT and Security teams through preparation for PCI-DSS Self-Assessment Questionnaire (SAQ) completion. Use this to validate your organization's compliance posture across all 12 requirements before formal assessment. Each item references the specific PCI-DSS requirement it addresses and provides concrete verification steps to ensure your controls are documented, tested, and operational.

  • Network Segmentation Documented (Req 1.1.2): Verify firewall configuration standards are documented and that a network diagram shows the cardholder data environment (CDE) boundaries. Test that firewall rules block unauthorized access.
  • Default Credentials Removed (Req 2.1): Audit all systems, network devices, and applications for factory defaults. Document removal of unnecessary accounts and password changes on all devices with administrative access.
  • Configuration Standards Established (Req 2.2.4): Create and maintain hardening standards for all system types. Verify each system in scope matches documented baseline configurations.
  • Malware Protection Deployed (Req 5.1): Confirm antivirus/anti-malware software is installed on all systems capable of supporting it. Verify it cannot be disabled and logs are retained for review.
  • Security Patches Current (Req 6.2): Document patch management process with timelines. Verify all systems have current security patches; identify and remediate any systems outside patch windows.
  • Change Management Process Implemented (Req 6.5.1): Establish written change management procedures including approval, testing, and documentation requirements. Review last 12 months of changes for compliance.
  • Code Review/Secure Development (Req 6.5.6): Document code review processes for custom applications handling cardholder data. Maintain evidence of security testing and vulnerability remediation.
  • Encryption in Transit Configured (Req 4.1): Verify strong encryption (TLS 1.2+) protects all cardholder data in transmission. Test external and internal data flows with network analysis tools.
  • Encryption at Rest Implemented (Req 3.4): Document encryption standards for stored cardholder data. Verify key management procedures are in place and confirm through testing that the encryption is actually applied.
  • Access Control Lists Defined (Req 7.1.1): Create role-based access control matrix mapping job functions to required system access. Audit current user accounts against matrix and remediate over-privileged accounts.
  • User Access Reviews Performed (Req 7.2): Document the user access review process. Confirm reviews occurred at least annually and within the last 90 days, with documented approvals and remediation.
  • Unique User Identification Enforced (Req 8.1.1): Verify all users accessing CDE have unique credentials. Check logs contain unique user IDs and disable shared/generic accounts.
  • Strong Authentication Implemented (Req 8.3): Confirm multi-factor authentication (MFA) is required for all remote administrative access. Test MFA functionality and verify logs capture authentication events.
  • Password Policy Enforced (Req 8.2.3, 8.2.4): Verify password policies require a minimum of 8 characters, complexity, and history. Confirm through testing that systems prevent password reuse and enforce expiration.
  • Physical Access Controls Verified (Req 9.1): Review physical security measures protecting equipment in CDE. Confirm entry points have adequate access controls and monitoring (cameras, key cards, logs).
  • Audit Logging Enabled (Req 10.2): Verify all access to cardholder data is logged with user ID, timestamp, and action. Test that logs are retained for a minimum of 1 year, with at least 90 days immediately available online.
  • Log Review Process Established (Req 10.3): Document procedures for daily review of logs from all systems. Maintain evidence of log reviews with dates and reviewer signatures.
  • Security Awareness Training Completed (Req 12.6.1): Confirm all personnel with cardholder data access completed PCI-DSS training within the last 12 months. Maintain training records and completion documentation.
  • Incident Response Plan Documented (Req 12.10.1): Develop and maintain incident response plan addressing breach scenarios. Verify plan is communicated and test response procedures annually.
  • Vulnerability Scanning Scheduled (Req 11.2.1): Confirm quarterly external vulnerability scans are performed by an approved ASV. Review scan results and maintain evidence of remediation for identified vulnerabilities.
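As an added example (not part of the original checklist), a small Python script that applies the Req 10.2 and Req 8.1.1 items above to an audit log export: every record must carry a user ID, timestamp and action, no shared/generic account may appear, and the retained history must reach back at least the 1-year minimum. The pipe-delimited record format, the generic-account list and the sample lines are constructed assumptions; adapt the parser to your own log source.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not from any real system), one event per line:
# user|timestamp (ISO-8601 UTC)|action|resource
SAMPLE_LOG = """\
jsmith|2024-03-01T09:15:02Z|READ|cardholder_db.pan
admin|2024-03-01T09:20:44Z|UPDATE|cardholder_db.pan
|2024-03-01T10:02:10Z|READ|cardholder_db.pan
mlee|2024-03-01T10:05:00Z||cardholder_db.pan
rkhan|not-a-timestamp|DELETE|cardholder_db.pan
""".splitlines()

# Assumed list of shared/generic account names that must not appear in CDE access logs.
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "guest", "service", "shared"}
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def check_record(line):
    """Return the findings for one record; an empty list means the record is compliant."""
    parts = line.split("|")
    if len(parts) != 4:
        return [f"malformed record: {line!r}"]
    user, ts, action, _resource = parts
    findings = []
    if not user:
        findings.append("missing user ID (Req 10.2)")
    elif user.lower() in GENERIC_ACCOUNTS:
        findings.append(f"shared/generic account '{user}' (Req 8.1.1)")
    if not ISO_TS.match(ts):
        findings.append(f"unparseable timestamp {ts!r} (Req 10.2)")
    if not action:
        findings.append("missing action (Req 10.2)")
    return findings


def audit_log(lines):
    """Map each non-compliant record (1-based line number) to its findings."""
    report = {}
    for n, line in enumerate(lines, 1):
        findings = check_record(line)
        if findings:
            report[n] = findings
    return report


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_covers(lines, as_of, days=365):
    """True if the oldest valid record is at least `days` before `as_of` (ISO-8601 UTC),
    i.e. the retained history spans the checklist's 1-year minimum."""
    stamps = [_parse_ts(p[1]) for p in (l.split("|") for l in lines)
              if len(p) == 4 and ISO_TS.match(p[1])]
    return bool(stamps) and _parse_ts(as_of) - min(stamps) >= timedelta(days=days)


if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
    print("1-year retention covered:", retention_covers(SAMPLE_LOG, "2025-03-02T00:00:00Z"))
```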