IDC Names Securiti a Worldwide Leader in Data Privacy


PCI DSS Compliance Checklist and requirements – 2023

By Securiti Research Team
Published October 12, 2023

Listen to the content

PCI DSS Compliance Checklist: Protecting Customer’s Data

The ecommerce industry experienced a significant boom right after the Covid-19 pandemic hit the world. More and more businesses shifted their operations to online marketplaces, ultimately leading to more online purchases and transactions. This further led to increased data breaches, where the primary target of threat actors was the credit card information of unsuspecting users.

According to a recent study, it is found that credit card details are sold on the dark web for as low as $12–20, whereas information from American Express sells at a bit higher price of $35. To fight off the traditional and emerging threats of the ecommerce industry, it is more crucial than ever for merchants to reinforce the cyber defenses of their credit-card processing environment.

The PCI DSS compliance requirements can play a critical role in fending off various vulnerabilities. Think of PCI DSS as a reinforced fortress around a business’s credit card sensitive data. Just as a fortress provides a well-guarded parameter, PCI DSS provides an optimal, secure ecosystem around credit card data, especially sensitive data.

Read on as we discuss PCI DSS and its compliance checklist to learn how to enforce effective guardrails around credit card data.

What is PCI DSS Compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. The credit card industry has experienced cyber threats right from the initial years of its emergence. As a result, five major credit card companies, namely Visa, Mastercard, American Express, Discover Financial Services, and JCB International, took it upon themselves to draft a set of security standards to guard against cyber vulnerabilities. Hence, PCI DSS came into existence for merchants and organizations looking to protect the data of credit card holders. The standards are further improved, updated, maintained, and imposed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS is a set of technical and operational requirements established to protect credit card holders’ data. All merchants, businesses, and service providers that deal with storing, processing, and transferring credit card information must comply with the PCI DSS compliance standards. Essentially, 12 major compliance requirements are grouped into six broad categories. Moreover, PCI DSS demands yearly certification. Achieving those certifications can be challenging as the compliance level is based on the number of annual transactions an organization processes.

PCI DSS Compliance Checklist and requirements – 2023

The latest iteration of the PCI DSS requirements is the PCI DSS v4.0, released in March 2022. Several changes are integrated into the v4.0, but all those iterations are around four primary goals:

  1. Continue to Meet the Security Needs of the Payment Industry
  2. Promote Security as a Continuous Process
  3. Add Flexibility for Different Methodologies
  4. Enhance Validation Methods

An Overview of PCI DSS Compliance Checklist

The PCI DSS compliance checklist includes 12 important requirements, each containing further sub-sections that are extensively defined in the context of approach, objective, and testing procedures. Let’s take a quick look at the key requirements in the PCI DSS compliance checklist.

Install And Maintain Network Security Controls (NSCs)

The first line of defense against cyber threats listed in the PCI DSS requirements is the Network Security Controls (NSCs). The NSCs are a set of tools and mechanisms that help IT security teams protect sensitive data when it moves from one device to another on a corporate network and sometimes on a separate, untrusted network, such as the Internet. These security controls can both be physical, such as a firewall in a physical setting, or virtual, such as software-defined network technology or a cloud access control.

Think of NSCs as a bouncer outside a club that keeps monitoring all the traffic that goes in and out of the club, ensuring that no untrusted or unwanted individual passes through. Similarly, NSCs monitor the incoming and outgoing traffic on a trusted network to ensure sensitive information, such as credit card details, is transmitted to an untrusted network. It also ensures that no untrusted traffic, such as malicious traffic, enters a corporate network.

PCI DSS requires businesses to set up appropriate firewall settings or other security controls to allow only trusted traffic on a cardholder data environment (CDE). The PCI SSC defines CDE as “the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.”

Apply Secure Configurations to All System Components

Almost every corporate network is vulnerable to malicious individuals who could be from inside or outside the organization. They often take advantage of the most easily accessible information that is often even publicly available, such as default passwords or settings that could give malicious actors entry to the network or system.

In the context of multi-cloud settings, security misconfigurations are pretty dominant. After all, every cloud service provider has distinct security settings, and many services come with default settings, which means publicly accessible storage buckets, default passwords, unrestricted inbound/outbound ports, etc. To put things into perspective, 65% to 70% of the security challenges that cloud services experience are associated with misconfigurations.

PCI DSS requires organizations to optimize their security configurations, patch software, remove unnecessary applications, and replace default passwords with more complex ones. This way, organizations can reduce the attack surface significantly.

Protect Stored Account Data

Storing sensitive data creates many opportunities for risk exposures, as it is the most sought-after data by cyber threat actors. PCI DSS’s third compliance requirement is geared towards protecting sensitive data and minimizing its associated risk exposures.

PCI DSS demands that organizations establish data protection controls like masking, truncation, or encryption. This way, even if a cyber threat actor bypasses any security protocol and obtains the data, they wouldn’t be able to decode it or use it for any purpose. Here, organizations can use different techniques like encryption, tokenization, truncation, masking, or hashing.

Anonymization techniques like masking or tokenization are useful, especially for internal or external data sharing. After all, businesses tend to share data with business partners or vendors for revenue or growth opportunities. By masking sensitive data like customers’ PINs or credit card numbers, teams can enable a secure data-sharing ecosystem that meets security standards and global privacy regulations that demand strict controls for international data transfers.

For this requirement, PCI DSS specifically explains that data encryption isn’t required when stored in RAM (Random Access Memory) as long as it is in a volatile or non-persistent state.

Encrypt Transmission of Cardholder Data Over Public Networks

Data transmissions over internal or external networks are protected via cryptographic tunneling protocols. However, PCI DSS signifies that organizations must strive for “strong cryptography”, specifically for transmitting sensitive data over open, public networks.

Cryptographic tunneling protocols are used for secure data transmissions. However, some versions of tunneling protocols like Secure Shell (SSH) and Secure Socket Layer (SSL) have an increased number of vulnerabilities, such as the SSH versions between 5.9 to 7.1 or the SSL version 3.0. Threat actors are well aware of the vulnerabilities in such tunneling protocols, and thus, they can easily breach a weak network to gain access to a cardholder data environment.

Hence, organizations must opt for a more robust security protocol, such as Transport Layer Security (TLS).

Protect All Systems and Networks from Malicious Software

Malicious software, also known as Malware, makes the news headlines occasionally. In fact, the frequency of malware attacks has increased over the past few years, along with its complexity. Malware has many variations, such as ransomware, trojan, keyloggers, rootkits, and spyware, to name a few. All such variations may have different functionalities, but the primary goal of these attacks remains the same: steal user data.

Over the years, threat actors have become more wary and shrewd concerning implementing malware in a target’s network or device and executing it. They can send malware via malicious websites or even mobile applications. In fact, malware can make its way into corporate networks via approved business activities, such as emails (phishing).

PCI DSS compliance requirement demands that organizations establish processes and mechanisms to protect their systems, networks, and applications. This requires anti-malware, anti-virus, and anti-phishing applications to be installed and maintained. Organizations can detect and address these threats by frequently scanning the network or system against these malicious programs.

Develop And Maintain Secure Systems & Software

PCI DSS extends the requirements outlined in the aforementioned standard: Protect all systems and networks from malicious software. Security vulnerabilities are ever-present and tend to occur due to various factors, such as the complexity of the system or application, inherent bugs in the system, configuration errors, or malicious applications. It is critical for organizations to keep their networks, systems, and applications up to date with the latest security patches to fix those vulnerabilities before they could turn into chaos.

PCI DSS further elaborates that organizations must test and evaluate the security patches before installing them to ensure that they don’t conflict with the current configurations. Moreover, bespoke applications that are developed specifically for an organization’s specific functions must go through Software Lifecycle (SLC) processes to prevent vulnerabilities.

Restrict Access to System Components & Cardholder Data

Overprivileged access, administrative access, or excessive access to sensitive data is becoming a growing problem. As the business industry moves to multi-cloud settings, gaining insights into sensitive data access has become fairly challenging. Because of access issues, organizations tend to experience unauthorized access risks, unintentional data leaks, or other insider threats.

PCI DSS requires merchants and businesses to set up processes and mechanisms for protecting cardholder data access. Critical cardholder data must only be accessed by authorized individuals to the extent that they are able to perform their job. Access controls must be reviewed and provided on a need-to-know basis and relevant to the job function.

Access policies and controls must be implemented for not only cardholder data but also the systems where the data resides.

Identify Users and Authenticate Access to System Components

This is an extension of the above-outlined PCI DSS requirement. Organizations shouldn’t just limit the access process to only the aforementioned access controls. In fact, they must optimize it to protect the cardholder data environment better.

PCI DSS obligates merchants to implement processes and mechanisms for identifying users and authenticating them before they access cardholder data. User identification is associated with an identifier assigned to a user or process. This can be a unique identifier, username, or application ID. By assigning unique identities to users, businesses can better identify and track access to sensitive systems and data, and they are also better able to distinguish between multiple users.

Another important component of this requirement is authentication, i.e., proof or verification of the relevant user. Since it is apparent that even the strongest of passwords are sometimes bypassed, it is important to reinforce access with authentication, like multi-factor authentication controls.

Restrict Physical Access to Cardholder Data

Data protection shouldn’t be limited to cloud settings. In fact, it needs to be extended to physical settings as well. Therefore, requirement number 9 emphasizes the need for physical security controls around physical data centers, servers, and resources. It includes gate passes, badge readers, and monitoring devices like cameras. PCI DSS outlines three areas where the compliance requirement applies: sensitive areas, CDE, and facility.

Log and Monitor All Access to System and Cardholder Data

Logging mechanisms can play a significant role in detecting, preventing, or mitigating potential data breaches. Hence, PCI DSS requires merchants to maintain logging and tracking mechanisms on all system components and on the cardholder data environment (CDE). These controls can help merchants monitor and track user activities and alert security teams of any suspicious activity that could lead to data compromise.

For instance, one day, a log shows that a user has accessed the account from an untrusted network or any outside environment. The user then accesses or downloads a large volume of customers' credit card information. This alert is enough for security teams to realize foul play and immediately act accordingly.

Therefore, all logs must be kept on any users’ access to CDE and tracked and monitored to investigate security breaches.

Regularly Test Security Systems And Networks

PCI DSS emphasizes the fact that securing systems, processes, and data isn’t a one-off activity. Malicious individuals continuously develop more complex cyber-attacks and leverage newly discovered vulnerabilities. To keep them at bay, it is crucial for organizations to maintain a continuous process of monitoring and testing the security of their data systems or data environment. This includes testing, monitoring, and addressing internal or external vulnerabilities, wireless access points (WAPs), unauthorized changes to payment pages, and network intrusions.

Support Infosec with Organizational Policies and Programs

The final requirement of PCI DSS addresses the people involved in managing cardholder data. PCI DSS requires that the policies must be provided in writing, and every person involved with managing cardholder data must be given training and made aware of the responsibilities of data protection of customers.

How Securiti Data Command Center Can Help

It is crucial for organizations to comply with the PCI DSS requirements and protect their cardholders’ data against fraud, breaches, and other cyber threats. To ensure compliance, organizations must assess their security policies and controls, find gaps in them, and implement necessary changes accordingly. However, it is easier said than done, especially for managing petabyte-scale data in a multi-cloud setting.

Securiti Data Command Center is built to help hyperscale organizations meet global standards and data privacy laws while ensuring the protection of customers’ data and trust.

Organizations can leverage Securiti Data Command Center to gain insights into credit card details spread across their on-premise, public, private, hybrid, or multi-cloud environments. By leveraging those insights and integrated regulatory intelligence, organizations can strategize and implement effective security, privacy, governance, and compliance controls around their data.

Request a demo to see the Data Command Center in action.

Frequently Asked Questions (FAQs)

PCI DSS is a mandatory standard as it allows merchants and businesses to protect customers’ credit card information from various cyber threats, including malware attacks, unauthorized access, data leaks, etc.

PCI DSS applies to every merchant that deals in storing, processing, and sharing the credit card information of customers or users. The scope of definition extends to include businesses, service providers, contractors, and other third parties that are also involved with the management of cardholders’ data.

SOX stands for ​​Sarbanes-Oxley Act. The compliance framework was enacted in 2002 when corporate accounting scandals were highlighted. SOX primarily focuses on establishing rules and policies regarding accounting and financial reporting, while PCI DSS solely focuses on protecting users' credit card information.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend