PCI Compliance in a Year

PCI compliance can seem overwhelming if your organization tries to tackle everything all at once. This handout simplifies and divides tasks into monthly checklists.

OVERVIEW:

This handout aims to assist those who are new to PCI compliance. This suggested guideline is based on the PCI Security Standards Council’s Prioritized Approach and organizes your PCI tasks into a year-round task list. It is not comprehensive: PCI compliance must be addressed based on how your organization stores, processes, and transmits cardholder data, and the complete list of requirements is the PCI DSS itself, published by the PCI Security Standards Council.

PCI Compliance In A Year:

  1. PROTECT AND SECURELY DELETE CARDHOLDER DATA
  2. PERFORM A RISK ASSESSMENT
  3. MAINTAIN ACCURATE NETWORK DIAGRAMS
  4. EVALUATE YOUR FIREWALL AND NETWORK
  5. UTILIZE STRONG ENCRYPTION AND ANTIVIRUS
  6. INVENTORY YOUR DEVICES
  7. SECURE YOUR PAYMENT CARD SYSTEMS
  8. MONITOR ACCESS TO YOUR SYSTEMS
  9. STRENGTHEN PHYSICAL SECURITY
  10. ASSESS YOUR TECHNOLOGY
  11. TRAIN YOUR EMPLOYEES
  12. UPDATE AND MAINTAIN YOUR COMPLIANCE

MONTH 1

PROTECT AND SECURELY DELETE CARDHOLDER DATA

How you store and delete data is vitally important to protecting customer cardholder information. Use the first month to find out where cardholder data actually lives in your environment, to keep only what you must, and to dispose of the rest securely.

  • Ensure you meet cardholder data requirements by not storing the following sensitive authentication data after authorization, even if it is encrypted:
    • The full contents of the magnetic stripe (track data) on the back of a card
    • The equivalent data contained on a card chip
    • A card’s PIN/PIN block
    • The card verification code (CVC2/CVV2/CID) printed on the card
  • Evaluate whether or not you need to store other card information, such as:
    • Cardholder name
    • Primary account number (PAN)
    • Expiration date
    • Service Code
  • If cardholder data is stored for business or legal reasons, the PAN must be rendered unreadable everywhere it is stored (strong one-way hashing of the full PAN, truncation, index tokens, or strong encryption)
  • Identify and document every location cardholder data is stored
  • Create a data retention and disposal policy that:
    • Limits data storage amount
    • Specifies how long data should be stored, based on your business needs and legal requirements
    • Contains specific requirements for retaining cardholder data
    • Addresses your process for securely deleting data
    • Identifies data that doesn’t meet retention requirements
  • Add your data retention and disposal policy to your company policy and procedures
  • Securely delete unnecessary cardholder information by:
    • Shredding, incinerating, or pulping hard copies of cardholder data
    • Securing the containers that hold materials awaiting destruction
    • Rendering cardholder data unrecoverable on electronic media (secure wipe or physical destruction) so it cannot be reconstructed
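Finding where cardholder data actually lives is the step most organizations get wrong, because PANs turn up in debug logs, database exports, and support tickets rather than only in the systems designed to hold them. The script below is an added example (not part of the original handout) that scans text for 13 to 19 digit sequences, normalizes separators, and keeps only those that pass the Luhn check, which removes most order numbers and other digit runs. The log lines are constructed, and the card numbers in them are public test numbers, not issued accounts. Point find_pans at log directories, database dumps, and file shares to build the list of storage locations the policy above asks for.

```python
"""Locate candidate PANs in text so every storage location can be documented
or purged.  Added example, not from the original handout: the log lines are
constructed and the card numbers are public test numbers, not issued accounts."""
import re

# 13-19 digits (the ISO/IEC 7812 PAN length range), allowing a single space or
# dash between digits, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: an application log that leaks PANs in debug lines.
SAMPLE_LOG = """\
2024-03-02T10:15:01 INFO  checkout order_id=1234567890123 amount=42.10
2024-03-02T10:15:02 DEBUG auth request pan=4111 1111 1111 1111 exp=12/27
2024-03-02T10:15:02 DEBUG auth response code=00 ref=8841770021
2024-03-02T10:16:40 DEBUG auth request pan=5555-5555-5555-4444 exp=03/26
2024-03-02T10:17:09 INFO  settlement batch=20240302 count=2
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): every second digit from the right is doubled,
    digit sums taken, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid candidate in text.
    The order_id in the sample is 13 digits but fails Luhn, so it is skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def storage_report(hits: list[tuple[int, str]]) -> dict[str, list[int]]:
    """Group findings by BIN and last four so the report itself does not
    become one more place where the full PAN is stored."""
    report: dict[str, list[int]] = {}
    for lineno, pan in hits:
        key = f"{pan[:6]}...{pan[-4:]}"
        report.setdefault(key, []).append(lineno)
    return report


if __name__ == "__main__":
    found = find_pans(SAMPLE_LOG)
    for bin_last4, lines in storage_report(found).items():
        print(f"{bin_last4}: lines {lines}")
```

Run it over a directory of logs by reading each file and calling find_pans on its contents; anything it reports is either a storage location to add to your inventory or data to purge under the retention policy. Expect some false positives from long numeric identifiers that happen to pass Luhn, so confirm hits by context before acting on them.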

MONTH 2

PERFORM A RISK ASSESSMENT

PCI Data Security Standard (DSS) requires that all entities annually perform a formal risk assessment that identifies vulnerabilities, threats, and risks to their organization, especially their cardholder data environment (CDE). This requirement helps organizations identify, prioritize, and manage information security risks.

  • Implement a risk-assessment process that identifies:
    • Critical assets
    • Vulnerabilities
    • Threats
    • Risks
  • Assess vulnerabilities and threats
  • Perform your risk-assessment annually and when you experience:
    • An acquisition
    • A merger
    • Relocation
    • Or any other significant change
  • Organize your risks into a prioritized list of security issues
  • Create a risk management plan based on your prioritized list
  • Implement your risk management plan

MONTH 3

MAINTAIN ACCURATE NETWORK DIAGRAMS

Accurate network diagrams are vital because they demonstrate and document how your systems interact with card data. Systems in your network that store, process, or transmit card data need to be properly secured and separated from other systems on your network.

  • Create a network diagram that shows how cardholder data:
    • Enters your network
    • Flows through your network
    • Leaves your network
  • Decide what your card flow diagram needs by asking yourself:
    • How is my network constructed?
    • Is there one firewall at the edge of my card-processing environment?
    • Is my network segmented internally?
    • Does my environment have a multi-interface firewall?
    • Do I have multiple firewalls?
    • What device(s) am I using for transactions?
      • A virtual terminal?
      • POS system?
    • What happens to the card data after a transaction?
    • Is cardholder data encrypted?
      • When is data encrypted?
    • Do I store card data before it’s sent to the processor for approval?
    • How does settlement occur?
    • How is data authorized and returned by the processor?
    • Is card data backed up on my system?
      • Are my backups encrypted?
      • Is my backup server at a different data location?
    • Where might card data be transferred or moved in processes not part of authorization and settlement?
  • Maintain your diagram throughout the year
    • After changes to your CDE, identify if you need to add any additional flows (e.g., new payment process, website, or locations)

MONTH 4

EVALUATE YOUR FIREWALL AND NETWORK

A correctly configured firewall is the first barrier between the internet and your cardholder data environment. Review your rule sets and implement a DMZ so that no system on the internet can reach a system that stores cardholder data directly.

  • Make sure your firewall meets PCI requirements
  • Review your firewall and router configurations
    • Build configurations that restrict connections between untrusted networks and any system component in your CDE
    • Restrict inbound and outbound traffic to only what is necessary for the CDE, and deny everything else
    • Secure and synchronize your router configuration files (the running and start-up configurations must match)
  • Install perimeter firewalls between all wireless networks and your CDE
    • Configure these firewalls to deny, or tightly control, traffic from the wireless environment into the CDE
  • Prohibit direct public access between the internet and any system component in your CDE
  • Implement a DMZ that limits inbound traffic to only authorized services, protocols, and ports
    • Limit inbound internet traffic to IP addresses within the DMZ
    • Implement anti-spoofing measures to detect and block forged source IP addresses
    • Double-check that any systems that store cardholder data are placed in an internal network zone, separate from the DMZ
  • Install personal firewall software (or equivalent) on portable computing devices, company-owned or employee-owned, that connect to the internet outside your network and are also used to access the CDE
    • Double-check personal firewalls are actively running, use a defined configuration, and can’t be altered or turned off by users
  • Remove all unnecessary functionality from systems in the CDE, such as:
    • Scripts
    • Drivers
    • Features
    • Subsystems
    • File systems
    • Web servers
  • Document your security procedure for managing firewalls
  • Add a section on firewall management to your company policy and procedures

MONTH 5

UTILIZE STRONG ENCRYPTION AND ANTIVIRUS

Card data and encryption keys must be protected to comply with PCI requirements. Leaving encryption keys unprotected is like storing your house key by leaving it in your front door lock, so it’s critical to use a solid encryption key management process.

  • Use strong, industry-accepted cryptography (current, well-reviewed algorithms and key lengths) when transmitting cardholder data over open, public networks
  • Ensure wireless networks that transmit cardholder data or connect to the CDE use strong encryption for both authentication and transmission
  • Deploy and keep anti-malware software current
    • Deploy antivirus software on all systems commonly affected by malware, including personal computers and servers
    • Ensure your antivirus software:
      • Detects, removes, and protects against all known types of malicious software
      • Performs periodic scans
      • Generates audit logs that are retained like your other security logs
      • Cannot be disabled or altered by users
  • Evaluate how PANs are stored and displayed
    • Mask PANs when displayed so that no more than the first six and last four digits are shown, unless a role has a documented business need to see more
    • Ensure stored PANs are unreadable anywhere they are stored, including:
      • Portable digital media
      • Backup media
      • Logs
  • Render stored PANs unreadable by utilizing:
    • Strong encryption with proper key management
    • One-way hashing of the entire PAN
    • Truncation (keeping at most the first six and last four digits)
    • Index tokens
    • If both a truncated and a hashed form of the same PAN are kept, make sure they cannot be correlated to reconstruct the original PAN
  • Restrict access to your cryptographic keys to the fewest custodians necessary
    • Store your cryptographic keys securely (encrypted under a key-encrypting key, or inside a hardware security module)
  • Retire or replace encryption keys at the end of their cryptoperiod, or whenever a key is weakened or suspected of compromise
  • Add a section on encryption and key management to your company policy and procedures
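The "first six, last four" rule and the choice of hash matter more than they look. Truncation permanently discards the middle digits, so the result is safe to store; masking only hides digits on a screen while the full PAN still exists behind it; and a plain one-way hash of a PAN is reversible by enumeration whenever the truncated form of the same PAN is available, because only the middle digits are unknown and the Luhn check fixes one of them. The following added example (not from the original handout, with a constructed test PAN and a constructed HMAC key) implements the three transformations and then recovers a 16-digit PAN from its truncation plus an unkeyed SHA-256 in at most a hundred thousand guesses, which a keyed hash (HMAC) prevents; later versions of PCI DSS require the hash to be keyed for exactly this reason. The key given to keyed_hash is itself key material and must be handled under the key-custodian controls listed above.

```python
"""Render a PAN unreadable (mask, truncate, hash) and show why an unkeyed hash
stored beside a truncated PAN is reversible.  Added example, not from the
original handout; the PAN and HMAC key are constructed test values."""
import hashlib
import hmac
import itertools
from typing import Optional

TEST_PAN = "4111111111111111"          # public test number, not an issued account
HMAC_KEY = b"constructed-demo-key"     # in production: random, stored in an HSM/KMS


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled (digit
    sums taken).  A valid PAN has a sum that is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def mask_for_display(pan: str) -> str:
    """Display masking: at most first six and last four visible.  The full PAN
    still exists behind the mask, so this is a display control, not storage."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate(pan: str) -> tuple[str, str]:
    """Truncation for storage: keep only BIN and last four; the rest is gone."""
    return pan[:6], pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and reversible by enumeration."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256: without the key an attacker cannot test candidate PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(first6: str, last4: str, digest: str,
                            total_len: int = 16) -> Optional[str]:
    """What an attacker does with a truncated PAN plus an unkeyed SHA-256 of the
    same PAN.  Only total_len - 10 middle digits are unknown, and the Luhn check
    determines the last of them (it sits four places from the right, weight 1),
    so a 16-digit PAN leaves just 10**5 candidates to hash."""
    missing = total_len - 10
    for head in itertools.product("0123456789", repeat=missing - 1):
        prefix = first6 + "".join(head)
        check = (-luhn_sum(prefix + "0" + last4)) % 10
        candidate = prefix + str(check) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    bin6, last4 = truncate(TEST_PAN)
    print("display:", mask_for_display(TEST_PAN))
    print("stored truncation:", bin6, last4)
    print("unkeyed hash recovered:",
          recover_from_truncation(bin6, last4, unkeyed_hash(TEST_PAN)))
    print("keyed hash recovered:",
          recover_from_truncation(bin6, last4, keyed_hash(TEST_PAN, HMAC_KEY)))
```

The same enumeration works without a truncated copy if the attacker knows the BIN (the first six digits identify the issuer and are easy to guess for a given merchant), which is why the standard treats an unsalted hash of a PAN as weak on its own and why the key for the HMAC needs the same protection as an encryption key.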

MONTH 6

INVENTORY YOUR DEVICES

Identifying and protecting devices that can access your CDE is imperative for maintaining your PCI DSS compliance.

  • Maintain an up-to-date list of payment devices (POS terminals, PIN pads, card readers) that includes the following information:
    • Make and model of the device
    • Location of the device
    • Serial number or other unique ID
  • Periodically inspect devices for:
    • Tampering (e.g., added skimmers, loosened or swapped card readers)
    • Substitution (compare the serial number against your list)
  • Train personnel to detect and report attempted tampering, and to verify the identity of anyone claiming to be a repair or maintenance technician before granting access to a device
  • Maintain an Incident Response Plan
    • Review and test your plan
    • Modify and evolve your plan as needed
  • Designate personnel who can be available on a 24/7 basis to respond to security alerts
    • Provide appropriate training to staff in charge of security
    • Include alerts from:
      • Firewalls
      • Intrusion detection systems (IDS)
      • Intrusion prevention systems (IPS)
      • File integrity monitoring (FIM) systems

MONTH 7

SECURE YOUR PAYMENT CARD SYSTEMS

If the systems and applications in your cardholder data environment are not hardened and kept patched, an attacker can compromise them to obtain cardholder data. Evaluating your applications and configurations is essential to protecting your CDE.

  • Develop configuration standards for all your system components
    • Base them on industry-accepted hardening guidance, such as:
      • Center for Internet Security (CIS) Benchmarks
      • International Organization for Standardization (ISO)
      • SysAdmin, Audit, Network, Security (SANS) Institute
      • National Institute of Standards and Technology (NIST)
  • Identify security vulnerabilities using reputable outside sources (vendor advisories, vulnerability databases)
    • Assign a risk ranking (e.g., high, medium, low) to each newly discovered vulnerability
  • Implement a process to detect system vulnerabilities (regular internal and external vulnerability scans)
  • Review your custom code to identify potential coding vulnerabilities before it goes into production
    • Have someone other than the original coder, who is knowledgeable about secure coding, review custom code
    • Ensure you follow secure coding practices that address common vulnerabilities (injection, broken authentication, insecure cryptographic storage, and so on)
  • Review public-facing web applications
    • Address new threats and vulnerabilities on an ongoing basis, and re-review after any change
    • Install an automated solution that detects and prevents web-based attacks, such as a web application firewall (WAF), in front of public-facing web applications
  • Ensure security logs are:
    • Configured
    • Being generated
  • Enable audit trails that link access to system components to individual users
  • Create a payment card application policy section that includes:
    • Installing critical security patches within one month of release
    • Using secure authentication
    • Removing development and test accounts, user IDs, and passwords before releasing an application
  • Add your payment card application policy section to your company policy and procedures

MONTH 8

MONITOR ACCESS TO YOUR SYSTEMS

Defining, limiting, and monitoring access privileges lets you prevent unauthorized access to your CDE and detect it when it occurs.

  • Define job roles by identifying who needs access to what level of cardholder data
    • Include the level of privilege required, such as user or administrator
    • Restrict access to the minimum level necessary
    • Work with management to require documented approval for privileges
  • Train employees about the following password best practices:
    • Use strong passwords
    • Protect their passwords
    • Not reuse passwords
    • Change passwords when a password could have been compromised
    • Not use group, shared, or generic IDs and passwords
  • Test at least quarterly for unauthorized wireless access points
    • Identify authorized and unauthorized wireless access points
      • Maintain an inventory of authorized wireless access points
  • Use file integrity monitoring (FIM) tools to alert personnel to unauthorized modification of critical system files, configuration files, and content files, and compare critical files at least weekly
  • Add a section on passwords and privileges to your company policy and procedures
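File integrity monitoring is only as good as its baseline and its diff. The script below, an added example rather than anything from the original handout, takes a SHA-256 baseline of every regular file under a directory (with size and permission bits), then compares a later snapshot and reports what was added, removed, or modified. The monitored directory and its files are constructed in a temporary location so it runs offline, and the file names in it are hypothetical. In production the baseline must be stored where the monitored host cannot modify it, the comparison should run at least weekly (the standard's minimum) and ideally continuously, and any change to configuration files in the CDE should raise an alert to the incident response staff designated in Month 6.

```python
"""Minimal file integrity monitoring: SHA-256 baseline of a directory, then a
comparison that reports added, removed and modified files.  Added example,
not from the original handout; the monitored files are constructed in a
temporary directory and their names are hypothetical."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large files (binaries, databases) are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Permission bits are recorded because a mode change (e.g. a config made
    world-writable) is an integrity event even when the content is unchanged."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify differences between two snapshots; anything non-empty is an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Baseline a constructed CDE config directory, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cde"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "pos.conf").write_text("processor=gateway.example\n")
        (root / "etc" / "tls.pem").write_text("-----BEGIN CERTIFICATE-----\n")
        (root / "bin").mkdir()
        (root / "bin" / "posd").write_bytes(b"\x7fELF-constructed")

        # Persist and reload the baseline as JSON.  In production the file lives
        # where the monitored host cannot write to it (here: outside root).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(root), indent=1))
        baseline = json.loads(baseline_file.read_text())

        # Simulated tampering: config repointed, certificate removed, file dropped.
        (root / "etc" / "pos.conf").write_text("processor=attacker.example\n")
        (root / "etc" / "tls.pem").unlink()
        (root / "etc" / "dump.bin").write_bytes(b"\x00" * 16)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing every file under a large tree on each run is expensive; production tools narrow the set to the paths that matter (system binaries, payment application code and configuration, web content, log configuration) and combine the periodic hash comparison with real-time change notification from the operating system.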

MONTH 9

STRENGTHEN PHYSICAL SECURITY

Physical controls keep unauthorized people away from the systems, media, and network connections that handle cardholder data, and protect your employees from being targeted by threat actors on site.

  • Use video cameras or access-control mechanisms (or both) to monitor individual physical access to any sensitive area
    • Review collected data often and correlate it with other entries (e.g., badge logs)
    • Store for at least three months, unless otherwise restricted by law
  • Implement physical security controls to restrict public access to:
    • Wireless access points
    • Gateways
    • Handheld devices
    • Networking hardware
    • Telecommunication lines
    • Publicly accessible network jacks (disable them or control access to them)
  • Issue staff badges, restrict badge access to what each role needs, and revoke badges immediately when employment ends
  • Use best practices for visitors such as:
    • Give visitors a badge that visibly distinguishes them from onsite personnel
    • Collect visitor badges before they exit your facility or when their authorization expires
    • Utilize a visitor log
      • Include visitor name
      • Company/firm
      • The staff member who authorized the physical access
    • Retain visitor log for a minimum of three months, unless otherwise restricted by law
  • Maintain strict control over your internal and external media distribution
    • Classify media by sensitivity
    • Send media by secured courier or other secure delivery methods
      • Ensure media can be tracked
    • Securely store sensitive media
    • Conduct a media inventory
    • Destroy media when it is no longer needed
  • Add your physical security policy to your company policy and procedures

MONTH 10

ASSESS YOUR TECHNOLOGY

An acceptable-use policy for critical technologies, backed by an accurate inventory of those technologies, lets you see where they could expose cardholder data and tells employees what is and is not allowed.

  • Define your critical technologies, such as:
    • Remote-access technologies
    • Wireless technologies
    • Laptops
    • Tablets and handheld devices
    • Removable electronic media
    • E-mail usage
    • Internet usage
  • Ensure your critical technology policy section requires:
    • Explicit approval by authorized parties before a technology is used
    • Authentication for use of the technology
    • A list of all such devices and the personnel with access to them
    • A method to quickly and accurately determine:
      • Technology owners
      • Contact information
      • Purpose (e.g., labels, coding, inventory)
    • Acceptable use of each technology
    • Acceptable network locations for each technology
    • A list of company-approved products and applications
    • Automatic disconnect of remote-access sessions after a defined period of inactivity
    • Remote access for vendors and business partners enabled only when needed, and disabled immediately after use
  • Add your critical technology policy to your company policy and procedures

MONTH 11

TRAIN YOUR EMPLOYEES

Now that you have added specific data and physical security sections to your company policies and procedures, it is time to ensure your staff is adequately trained.

  • Distribute your company policies and procedures
  • Assign an individual or a team to:
    • Update your company policies and procedures
    • Monitor and analyze security alerts
    • Create and distribute your incident response plan
    • Manage user accounts
    • Train personnel regularly on your company policies and procedures, including:
      • New hires
      • Annual company-wide training
        • Require personnel to acknowledge they have read and understood your policy
        • Highlight new additions to your policy

MONTH 12

UPDATE AND MAINTAIN YOUR COMPLIANCE

PCI DSS compliance must be a continual, year-round effort. Thoroughly reviewing your policies and plans throughout the year is the best way to protect your CDE.

  • Maintain your firewall and router configuration standards, including:
    • Approve and test all network connection changes to your firewalls and routers
    • Review firewall and router rule sets every six months
  • Review your security policy annually
    • Update when you experience environment changes
  • Document your quarterly review process to include:
    • Results of your review
    • Signatures of those responsible for your PCI DSS compliance program
  • Identify authorized and unauthorized wireless access points on a quarterly basis
  • Keep access to cardholder data to the minimum each role needs, and remove access from anyone who no longer needs it
  • Require accountability for maintaining PCI DSS compliance, with responsibility assigned to a named executive
  • Validate your PCI compliance annually
    • Complete the Self-Assessment Questionnaire (SAQ) that matches how you handle cardholder data, or undergo an on-site assessment by a Qualified Security Assessor (QSA) if your acquirer or transaction volume requires one
    • Submit the resulting Attestation of Compliance (AOC), together with passing quarterly external scans from an Approved Scanning Vendor (ASV) where your SAQ requires them, to your acquirer