SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

This guide is for online store owners, developers, and technical managers who handle payment card data and need to achieve or maintain PCI-DSS compliance. Whether you are approaching your first Self-Assessment Questionnaire (SAQ) or preparing for a Qualified Security Assessor (QSA) audit, the steps below will walk you through the twelve PCI-DSS requirements in a practical, actionable way. Completing this checklist will reduce your risk of a data breach, protect your customers, and demonstrate due diligence to card brands and acquiring banks.

01

Determine Your PCI-DSS Scope

Scoping is the foundation of every PCI-DSS programme. Your scope includes every system component that stores, processes, or transmits cardholder data (CHD), plus any system that could affect the security of those components. Reducing scope lowers cost, effort, and risk.

  • Map every payment flow: identify exactly where card numbers, expiry dates, and CVVs enter, travel through, and leave your environment.
  • List all in-scope systems: web servers, application servers, databases, payment terminals, and any third-party integrations (payment gateways, fraud tools, CRMs).
  • Use a compliant hosted payment page or payment iframe to offload CHD handling to a PCI-certified third party and shrink your scope to SAQ A where possible.
  • Network-segment your Cardholder Data Environment (CDE) from out-of-scope systems using firewalls or VLANs, and document the boundary clearly.
  • Confirm that your payment gateway and any other third-party service providers are themselves PCI-DSS compliant; request their current Attestation of Compliance (AOC).
  • Document your scope in a data-flow diagram and review it whenever your architecture changes.
02

Build and Maintain a Secure Network

PCI-DSS Requirements 1 and 2 demand that you install and maintain network security controls and apply secure configurations to all system components. Attackers actively probe for default credentials and misconfigured firewalls, so hardening your network perimeter is non-negotiable.

  • Deploy a firewall between the public internet and your CDE; deny all traffic by default and allow only what is explicitly required.
  • Place a firewall or ACL between your CDE and any other internal network zones.
  • Change all vendor-supplied default passwords and remove or disable unnecessary default accounts on every device and application before deployment.
  • Disable all unnecessary services, protocols, and ports on in-scope systems (e.g., Telnet, FTP, unused HTTP services).
  • Review firewall and router rule sets at least every six months and remove obsolete rules.
  • Maintain an up-to-date network diagram showing all connections between the CDE and other networks, including the internet. Sensagraph continuously checks your exposed services and open ports to flag unexpected attack surface changes.
03

Protect Stored Cardholder Data

PCI-DSS Requirement 3 mandates that you protect stored account data. The safest strategy is not to store CHD at all. If you must retain data for legitimate business reasons, strong encryption and strict data-retention controls are essential.

  • Audit every database, log file, cache, and backup for stored PANs (Primary Account Numbers) and eliminate any unnecessary storage immediately.
  • Never store the full magnetic stripe, card verification codes (CVV/CVC/CAV), or PIN data after authorisation — this is an absolute prohibition.
  • If you must store PANs, render them unreadable using strong cryptography (e.g., AES-256), one-way hashing, or tokenisation.
  • Implement a documented data-retention policy; purge CHD that exceeds your retention period on a scheduled, automated basis.
  • Restrict access to cryptographic keys; implement dual control and split knowledge where keys protect CHD.
  • Ensure backups containing CHD are encrypted and stored securely with access limited to authorised personnel.
04

Encrypt Cardholder Data in Transit

PCI-DSS Requirement 4 requires that you protect CHD transmitted over open, public networks. Intercepting unencrypted payment data over the wire is trivially easy for an attacker on the same network or with DNS/BGP leverage. Strong TLS is your first line of defence.

  • Enforce TLS 1.2 or 1.3 on all public-facing pages, especially checkout, login, and account management pages; redirect all HTTP traffic to HTTPS.
  • Disable SSL, TLS 1.0, and TLS 1.1 across all in-scope systems — these protocols are explicitly prohibited by PCI-DSS.
  • Use only strong cipher suites; disable export-grade, NULL, and anonymous ciphers.
  • Obtain TLS certificates from a trusted Certificate Authority and configure automatic renewal to prevent certificate expiry.
  • Enable HTTP Strict Transport Security (HSTS) with a long max-age and submit your domain to the HSTS preload list.
  • Scan your TLS configuration regularly for weak ciphers, expired certificates, and misconfigurations — Sensagraph monitors your SSL/TLS posture continuously and alerts on weaknesses.
  • Encrypt CHD on any internal network paths (e.g., between application server and database) that traverse untrusted or shared segments.
05

Maintain a Vulnerability Management Programme

PCI-DSS Requirements 5 and 6 cover anti-malware controls and secure system and software development practices. Unpatched software and malware are among the most common entry points for payment card data breaches.

  • Deploy anti-malware software on all systems commonly affected by malicious software (all Windows, Linux, and macOS servers in scope); keep definitions up to date.
  • Run anti-malware scans on a scheduled basis and ensure alerts are reviewed promptly.
  • Subscribe to security advisories for every technology in your stack (web server, CMS, plugins, libraries, payment modules) and apply critical patches within one month of release.
  • Inventory all third-party software components and libraries; use a software composition analysis (SCA) tool to detect known vulnerabilities (CVEs).
  • Run internal and external vulnerability scans at least quarterly and after any significant change; use an Approved Scanning Vendor (ASV) for external scans required by PCI-DSS. Sensagraph can run continuous automated scans to surface new vulnerabilities between quarterly assessments.
  • Conduct penetration testing at least annually and after significant infrastructure or application changes; remediate all critical and high findings before re-testing.
  • Implement a Web Application Firewall (WAF) in front of public-facing web applications to detect and block common attacks (SQL injection, XSS, etc.).
  • Follow secure coding practices (OWASP Top 10 mitigations) in all custom application development; perform code reviews before production deployment.
06

Implement Strong Access Control Measures

PCI-DSS Requirements 7, 8, and 9 address who and what can access your CDE — logically and physically. Excessive access privileges are a leading cause of insider breaches and dramatically increase the impact of compromised credentials.

  • Grant access to CHD and system components strictly on a need-to-know, least-privilege basis; document and approve every access right.
  • Assign a unique user ID to every person with access to in-scope systems; never use shared or generic accounts.
  • Enforce multi-factor authentication (MFA) for all access into the CDE — for all users, including administrators, and for all remote-access connections.
  • Set strong password policies: minimum 12 characters, complexity requirements, 90-day maximum age, and lockout after no more than 10 failed attempts.
  • Disable or remove accounts immediately upon personnel termination or role change.
  • Review all user accounts and access privileges at least every six months and remove unnecessary access.
  • Physically restrict access to servers, networking equipment, and printed CHD to authorised personnel only; use access logs, key cards, or visitor badges for server rooms.
  • Destroy physical media containing CHD securely (cross-cut shredding, degaussing) when no longer needed.
07

Monitor and Test Networks Regularly

PCI-DSS Requirements 10 and 11 require comprehensive logging of all access to network resources and CHD, and regular testing of security controls. Without logs you cannot detect breaches, and without testing you cannot confirm controls are working.

  • Enable audit logging on all in-scope system components: record user access, administrative actions, invalid access attempts, use of privilege, and changes to audit logs themselves.
  • Synchronise all system clocks to a single, accurate time source (NTP) to ensure log correlation is reliable.
  • Protect audit logs from modification and unauthorised access; store logs in a separate, hardened log management system.
  • Retain audit logs for at least 12 months, with the most recent three months immediately available for analysis.
  • Review logs daily (automated SIEM alerts are acceptable) and investigate anomalies promptly.
  • Deploy Intrusion Detection or Prevention Systems (IDS/IPS) at the CDE perimeter and on critical internal segments.
  • Perform file-integrity monitoring (FIM) on critical system files, configuration files, and content files; alert on unexpected changes.
  • Run external vulnerability scans every quarter through an ASV; run internal scans quarterly as well. Sensagraph provides continuous automated scanning to catch issues between scheduled assessments.
  • Conduct annual penetration tests covering both network and application layers; document results and remediation actions.
08

Maintain an Information Security Policy

PCI-DSS Requirement 12 requires you to support information security with documented organisational policies and programmes. A policy that lives only in a document drawer provides no protection; it must be communicated, trained on, and enforced.

  • Create and maintain a formal information security policy that addresses all twelve PCI-DSS requirements; review and update it at least annually and when the environment changes.
  • Conduct a formal risk assessment at least annually to identify threats, vulnerabilities, and risks to CHD.
  • Establish a usage policy for all critical technologies (laptops, mobile devices, remote access tools, email) covering acceptable use and consequences of violations.
  • Deliver security awareness training to all staff at hire and at least annually thereafter; include specific guidance on cardholder data handling.
  • Screen potential employees before hiring, particularly for roles with access to CHD.
  • Maintain and annually test an Incident Response Plan (IRP) that covers suspected or confirmed CHD breaches; include roles, responsibilities, and communication procedures.
  • Manage all third-party service providers with a written agreement acknowledging their responsibility for CHD security; maintain a list of all service providers and monitor their compliance status annually.
  • Complete and submit your annual Self-Assessment Questionnaire (SAQ) or engage a QSA for a Report on Compliance (ROC) as required by your merchant level; file your Attestation of Compliance (AOC) with your acquiring bank.

Frequently asked questions

It depends on how you handle card data. SAQ A applies if you fully outsource card processing to a PCI-compliant third party (e.g., a hosted payment page) and never touch card data yourself. SAQ A-EP applies if you use a third-party payment processor but your website directly receives card data (e.g., a JavaScript-based form that posts data to the processor). SAQ D covers merchants who store, process, or transmit cardholder data on their own systems. Contact your acquiring bank or a QSA to confirm the correct SAQ for your specific setup.

PCI-DSS requires external vulnerability scans through an Approved Scanning Vendor (ASV) at least quarterly and after any significant network change. Internal vulnerability scans are also required quarterly. Penetration testing must be conducted at least annually and after significant changes to infrastructure or applications. Running continuous automated scans in between these scheduled assessments helps you catch and remediate new vulnerabilities before they are exploited.

No. Using a compliant payment gateway reduces your scope and simplifies compliance, but it does not make you automatically compliant. You are still responsible for securing your own systems, protecting any cardholder data you handle or store, maintaining secure configurations, controlling access, and meeting all other PCI-DSS requirements applicable to your merchant level.

A Qualified Security Assessor (QSA) is a company certified by the PCI Security Standards Council to assess merchant and service provider compliance and produce a Report on Compliance (ROC). An Approved Scanning Vendor (ASV) is a company certified to perform external vulnerability scans of internet-facing systems and provide official scan reports required by PCI-DSS. Larger merchants (Level 1) typically need both a QSA for the ROC and an ASV for quarterly scans; smaller merchants may only need an ASV scan alongside their self-completed SAQ.

Absolutely not. PCI-DSS explicitly prohibits storing sensitive authentication data — including card verification codes (CVV, CVC, CAV, CID) — after authorisation, even if the data is encrypted. Storing these codes is one of the most serious PCI-DSS violations and dramatically increases breach risk. If your application or database contains these codes, remove them immediately and investigate how they were captured.

The most effective way to reduce scope is to use a fully hosted payment page or a certified payment iframe provided by your payment gateway, so that card data is entered directly on the gateway's PCI-certified servers and never touches your environment. Combine this with network segmentation to isolate any payment-related systems, use tokenisation instead of storing raw card numbers, and ensure no CHD passes through your web server logs or application layers. This can reduce your compliance requirements to SAQ A, the simplest and least burdensome questionnaire.