This guide is for online store owners, developers, and technical managers who handle payment card data and need to achieve or maintain PCI-DSS compliance. Whether you are approaching your first Self-Assessment Questionnaire (SAQ) or preparing for a Qualified Security Assessor (QSA) audit, the steps below will walk you through the twelve PCI-DSS requirements in a practical, actionable way. Completing this checklist will reduce your risk of a data breach, protect your customers, and demonstrate due diligence to card brands and acquiring banks.
Determine Your PCI-DSS Scope
Scoping is the foundation of every PCI-DSS programme. Your scope includes every system component that stores, processes, or transmits cardholder data (CHD), plus any system that could affect the security of those components. Reducing scope lowers cost, effort, and risk.
- Map every payment flow: identify exactly where card numbers, expiry dates, and CVVs enter, travel through, and leave your environment.
- List all in-scope systems: web servers, application servers, databases, payment terminals, and any third-party integrations (payment gateways, fraud tools, CRMs).
- Use a compliant hosted payment page or payment iframe to offload CHD handling to a PCI-certified third party and shrink your scope to SAQ A where possible.
- Network-segment your Cardholder Data Environment (CDE) from out-of-scope systems using firewalls or VLANs, and document the boundary clearly.
- Confirm that your payment gateway and any other third-party service providers are themselves PCI-DSS compliant; request their current Attestation of Compliance (AOC).
- Document your scope in a data-flow diagram and review it whenever your architecture changes.
Build and Maintain a Secure Network
PCI-DSS Requirements 1 and 2 demand that you install and maintain network security controls and apply secure configurations to all system components. Attackers actively probe for default credentials and misconfigured firewalls, so hardening your network perimeter is non-negotiable.
- Deploy a firewall between the public internet and your CDE; deny all traffic by default and allow only what is explicitly required.
- Place a firewall or ACL between your CDE and any other internal network zones.
- Change all vendor-supplied default passwords and remove or disable unnecessary default accounts on every device and application before deployment.
- Disable all unnecessary services, protocols, and ports on in-scope systems (e.g., Telnet, FTP, unused HTTP services).
- Review firewall and router rule sets at least every six months and remove obsolete rules.
- Maintain an up-to-date network diagram showing all connections between the CDE and other networks, including the internet. Sensagraph continuously checks your exposed services and open ports to flag unexpected attack surface changes.
Protect Stored Cardholder Data
PCI-DSS Requirement 3 mandates that you protect stored account data. The safest strategy is not to store CHD at all. If you must retain data for legitimate business reasons, strong encryption and strict data-retention controls are essential.
- Audit every database, log file, cache, and backup for stored PANs (Primary Account Numbers) and eliminate any unnecessary storage immediately.
- Never store the full magnetic stripe, card verification codes (CVV/CVC/CAV), or PIN data after authorisation — this is an absolute prohibition.
- If you must store PANs, render them unreadable using strong cryptography (e.g., AES-256), one-way hashing, or tokenisation.
- Implement a documented data-retention policy; purge CHD that exceeds your retention period on a scheduled, automated basis.
- Restrict access to cryptographic keys; implement dual control and split knowledge where keys protect CHD.
- Ensure backups containing CHD are encrypted and stored securely with access limited to authorised personnel.
Encrypt Cardholder Data in Transit
PCI-DSS Requirement 4 requires that you protect CHD transmitted over open, public networks. Intercepting unencrypted payment data over the wire is trivially easy for an attacker on the same network or with DNS/BGP leverage. Strong TLS is your first line of defence.
- Enforce TLS 1.2 or 1.3 on all public-facing pages, especially checkout, login, and account management pages; redirect all HTTP traffic to HTTPS.
- Disable SSL, TLS 1.0, and TLS 1.1 across all in-scope systems — these protocols are explicitly prohibited by PCI-DSS.
- Use only strong cipher suites; disable export-grade, NULL, and anonymous ciphers.
- Obtain TLS certificates from a trusted Certificate Authority and configure automatic renewal to prevent certificate expiry.
- Enable HTTP Strict Transport Security (HSTS) with a long max-age and submit your domain to the HSTS preload list.
- Scan your TLS configuration regularly for weak ciphers, expired certificates, and misconfigurations — Sensagraph monitors your SSL/TLS posture continuously and alerts on weaknesses.
- Encrypt CHD on any internal network paths (e.g., between application server and database) that traverse untrusted or shared segments.
Maintain a Vulnerability Management Programme
PCI-DSS Requirements 5 and 6 cover anti-malware controls and secure system and software development practices. Unpatched software and malware are among the most common entry points for payment card data breaches.
- Deploy anti-malware software on all systems commonly affected by malicious software (all Windows, Linux, and macOS servers in scope); keep definitions up to date.
- Run anti-malware scans on a scheduled basis and ensure alerts are reviewed promptly.
- Subscribe to security advisories for every technology in your stack (web server, CMS, plugins, libraries, payment modules) and apply critical patches within one month of release.
- Inventory all third-party software components and libraries; use a software composition analysis (SCA) tool to detect known vulnerabilities (CVEs).
- Run internal and external vulnerability scans at least quarterly and after any significant change; use an Approved Scanning Vendor (ASV) for external scans required by PCI-DSS. Sensagraph can run continuous automated scans to surface new vulnerabilities between quarterly assessments.
- Conduct penetration testing at least annually and after significant infrastructure or application changes; remediate all critical and high findings before re-testing.
- Implement a Web Application Firewall (WAF) in front of public-facing web applications to detect and block common attacks (SQL injection, XSS, etc.).
- Follow secure coding practices (OWASP Top 10 mitigations) in all custom application development; perform code reviews before production deployment.
Implement Strong Access Control Measures
PCI-DSS Requirements 7, 8, and 9 address who and what can access your CDE — logically and physically. Excessive access privileges are a leading cause of insider breaches and dramatically increase the impact of compromised credentials.
- Grant access to CHD and system components strictly on a need-to-know, least-privilege basis; document and approve every access right.
- Assign a unique user ID to every person with access to in-scope systems; never use shared or generic accounts.
- Enforce multi-factor authentication (MFA) for all access into the CDE — for all users, including administrators, and for all remote-access connections.
- Set strong password policies: minimum 12 characters, complexity requirements, 90-day maximum age, and lockout after no more than 10 failed attempts.
- Disable or remove accounts immediately upon personnel termination or role change.
- Review all user accounts and access privileges at least every six months and remove unnecessary access.
- Physically restrict access to servers, networking equipment, and printed CHD to authorised personnel only; use access logs, key cards, or visitor badges for server rooms.
- Destroy physical media containing CHD securely (cross-cut shredding, degaussing) when no longer needed.
Monitor and Test Networks Regularly
PCI-DSS Requirements 10 and 11 require comprehensive logging of all access to network resources and CHD, and regular testing of security controls. Without logs you cannot detect breaches, and without testing you cannot confirm controls are working.
- Enable audit logging on all in-scope system components: record user access, administrative actions, invalid access attempts, use of privilege, and changes to audit logs themselves.
- Synchronise all system clocks to a single, accurate time source (NTP) to ensure log correlation is reliable.
- Protect audit logs from modification and unauthorised access; store logs in a separate, hardened log management system.
- Retain audit logs for at least 12 months, with the most recent three months immediately available for analysis.
- Review logs daily (automated SIEM alerts are acceptable) and investigate anomalies promptly.
- Deploy Intrusion Detection or Prevention Systems (IDS/IPS) at the CDE perimeter and on critical internal segments.
- Perform file-integrity monitoring (FIM) on critical system files, configuration files, and content files; alert on unexpected changes.
- Run external vulnerability scans every quarter through an ASV; run internal scans quarterly as well. Sensagraph provides continuous automated scanning to catch issues between scheduled assessments.
- Conduct annual penetration tests covering both network and application layers; document results and remediation actions.
Maintain an Information Security Policy
PCI-DSS Requirement 12 requires you to support information security with documented organisational policies and programmes. A policy that lives only in a document drawer provides no protection; it must be communicated, trained on, and enforced.
- Create and maintain a formal information security policy that addresses all twelve PCI-DSS requirements; review and update it at least annually and when the environment changes.
- Conduct a formal risk assessment at least annually to identify threats, vulnerabilities, and risks to CHD.
- Establish a usage policy for all critical technologies (laptops, mobile devices, remote access tools, email) covering acceptable use and consequences of violations.
- Deliver security awareness training to all staff at hire and at least annually thereafter; include specific guidance on cardholder data handling.
- Screen potential employees before hiring, particularly for roles with access to CHD.
- Maintain and annually test an Incident Response Plan (IRP) that covers suspected or confirmed CHD breaches; include roles, responsibilities, and communication procedures.
- Manage all third-party service providers with a written agreement acknowledging their responsibility for CHD security; maintain a list of all service providers and monitor their compliance status annually.
- Complete and submit your annual Self-Assessment Questionnaire (SAQ) or engage a QSA for a Report on Compliance (ROC) as required by your merchant level; file your Attestation of Compliance (AOC) with your acquiring bank.