PCI DSS Compliance Checklist: All 12 Requirements Explained
Any organization that stores, processes, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of size or transaction volume. The current version is PCI DSS v4.0.1, published by the PCI Security Standards Council (PCI SSC). Version 3.2.1 was retired on March 31, 2024; full compliance with v4.0 has been required since March 31, 2025.
This checklist breaks down all 12 requirements into actionable items. Use it alongside your formal gap assessment, not as a substitute for it.
TL;DR
- PCI DSS v4.0.1 is the current version; compliance has been mandatory since March 31, 2025.
- The standard's 12 requirements cover network security, access controls, encryption, monitoring, testing, and governance.
- Your merchant level (1 through 4) determines whether you need a QSA on-site audit or can self-assess using a Self-Assessment Questionnaire (SAQ).
- Level 1 merchants (over 6 million Visa or Mastercard transactions per year) require an annual on-site assessment by a Qualified Security Assessor (QSA).
- Selecting the right SAQ type matters: using the wrong form can leave real gaps unassessed.
Who This Is For

This guide is written for IT and security teams at organizations that accept card payments, for compliance officers preparing for a PCI DSS assessment, and for service providers scoping their cardholder data environment. If you are a small e-commerce merchant completing your first SAQ, focus on requirements 3, 4, 6, and 8 first, they address the most common gaps in simpler environments.
In practice, organizations new to PCI DSS most often underestimate two areas: the breadth of their cardholder data environment (CDE) scope, and the documentation burden Requirement 12 imposes. Teams that run a scoping exercise before the gap assessment consistently find systems they did not know were in scope. Starting with a network diagram (Requirement 1) and a data flow map (Requirement 3) before touching any other checklist item tends to produce a more accurate scope and a shorter remediation list.
Merchant Levels and What They Require
Before working through the checklist, confirm your merchant level. Levels are set by individual card brands based on annual transaction volume and can differ between brands.
- Level 1: More than 6 million Visa transactions per year, or any merchant that Visa determines should be Level 1 after a breach. Requires an annual on-site QSA assessment and a Report on Compliance (ROC).
- Level 2: 1 million to 6 million transactions per year. Annual SAQ completed by a qualified internal security assessor; quarterly ASV scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ; quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million other transactions per year. Annual SAQ recommended; quarterly ASV scans.
Mastercard uses the same four-tier structure with equivalent thresholds. Always confirm your level with your acquiring bank, which is the enforcement point for compliance validation.
The 12 Requirements: Checklist
The PCI DSS v4.0.1 standard organizes its requirements into six goals. Each goal contains two requirements, for 12 total.
Goal 1: Build and Maintain a Secure Network
Requirement 1: Install and Maintain Network Security Controls
Network security controls (NSCs) form the boundary around your cardholder data environment (CDE). PCI DSS v4.0 expanded the scope of this requirement beyond traditional firewalls to include cloud security groups and software-defined networking.
- Document all network connections into and out of the CDE
- Create and maintain accurate network diagrams showing all cardholder data flows
- Configure NSC rulesets to deny all traffic except what is explicitly required
- Review NSC rulesets at least every six months (increased frequency from annually in v3.2.1)
- Restrict inbound and outbound traffic at the individual system component level
- Assign documented ownership and responsibilities for NSC management
Requirement 2: Apply Secure Configurations to All System Components
Default credentials and configurations are publicly known. Every system component entering the CDE must be hardened before deployment.
- Remove or disable all vendor-supplied default accounts before connecting a system to the network
- Change all default passwords prior to deployment
- Develop and maintain configuration standards for each system type (servers, databases, network devices, applications)
- Encrypt all non-console administrative access using strong cryptography
- Maintain an inventory of all in-scope system components, updated when components change
- Assign only one primary function per server where technically feasible
Goal 2: Protect Account Data
Requirement 3: Protect Stored Account Data
The most effective way to reduce PCI DSS scope is to avoid storing cardholder data. If storage is necessary, the following controls apply.
- Define and enforce data retention and disposal policies with specific retention periods
- Do not store sensitive authentication data (SAD) after authorization, including full track data, CVV/CVC, and PINs
- When displaying a primary account number (PAN), mask it to show no more than the first six and last four digits
- Render stored PANs unreadable using strong one-way hashing, truncation, index tokens, or strong cryptography
- Document key management procedures covering key generation, distribution, storage, retirement, and destruction
- Rotate encryption keys at the end of their defined cryptoperiod or upon evidence that key integrity is compromised
Storing CVV/CVC codes after transaction authorization is a direct PCI DSS violation, regardless of how the data is encrypted. Any system retaining this data requires immediate remediation.
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
Card data sent over open or public networks is vulnerable to interception. Strong cryptographic protocols must be used for any transmission.
- Use TLS 1.2 or higher for all transmissions of cardholder data over public networks (TLS 1.0 and 1.1 are prohibited)
- Confirm that certificates used are valid, current, and issued by a trusted certificate authority
- Verify that only trusted keys and certificates are accepted
- Do not transmit unprotected PANs via end-user messaging technologies such as email, SMS, or chat
- Maintain an inventory of all trusted keys and certificates, including expiration dates
Goal 3: Maintain a Vulnerability Management Program
Requirement 5: Protect All Systems and Networks from Malicious Software
Anti-malware controls must be applied to all systems that are commonly targeted by malicious software within the CDE.
- Deploy anti-malware on all systems commonly affected by malware
- Configure anti-malware mechanisms to update automatically
- Enable real-time monitoring and perform periodic scans on covered systems
- Retain anti-malware logs and protect them from unauthorized modification
- Implement anti-phishing mechanisms to detect and protect against phishing attacks (added in PCI DSS v4.0)
- Conduct periodic risk evaluations for systems not commonly affected by malware to confirm they remain low risk
Requirement 6: Develop and Maintain Secure Systems and Software
Software vulnerabilities are among the most common entry points for attackers. PCI DSS requires both a patching process and secure development practices.
- Install critical security patches within one month of release
- Establish a vulnerability management process that ranks vulnerabilities by risk
- Develop all custom software following secure coding guidelines, referencing the OWASP Top 10
- Protect public-facing web applications against known attacks through a web application firewall (WAF) or documented code review
- Manage all scripts loaded in the consumer's browser on payment pages: maintain an authorized inventory, verify integrity via subresource integrity (SRI) hashes or equivalent, and justify each script's presence (Requirement 6.4.3, added in PCI DSS v4.0)
- Maintain an inventory of all bespoke and third-party software components and their versions
Requirement 6.4.3 was one of the most operationally demanding additions in v4.0. Many organizations had never systematically inventoried JavaScript loaded on their checkout pages. Start by auditing every
tag on payment pages, including tags injected by tag managers.
Goal 4: Implement Strong Access Control Measures
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need
Access to cardholder data must follow the principle of least privilege. Only personnel whose role requires access should have it.
- Define access needs for each role that interacts with the CDE
- Set default access control to deny-all unless explicitly authorized
- Restrict access to system components and cardholder data to documented business-need roles
- Review all user accounts and access privileges at least every six months
Requirement 8: Identify Users and Authenticate Access to System Components
Every person accessing the CDE must use a unique identifier. Shared or generic accounts make incident investigation impractical and are prohibited.
- Assign a unique ID to every person with access to system components
- Require multi-factor authentication (MFA) for all access into the CDE, PCI DSS v4.0 extended this beyond remote access to include all CDE access
- Set minimum password length to at least 12 characters (increased from 7 in v3.2.1)
- Change passwords/passphrases at least every 90 days, or use continuous dynamic security analysis to detect anomalous account activity as an alternative
- Lock accounts after no more than 10 consecutive failed authentication attempts
- Set session idle timeout to 15 minutes or fewer
Requirement 9: Restrict Physical Access to Cardholder Data
Physical controls prevent unauthorized individuals from accessing systems or paper-based records in the CDE.
- Use physical access controls (badge readers, biometric locks, key locks) to restrict CDE entry
- Distinguish between on-site personnel and visitors through visible identification
- Authorize and log all visitor access to the CDE; retain visitor logs for at least three months
- Secure all media containing cardholder data, including paper and portable electronic media
- Destroy media containing cardholder data that is no longer needed using cross-cut shredding, incineration, or verified secure digital wiping
- Protect POS devices against tampering and substitution with a documented inspection program
Goal 5: Regularly Monitor and Test Networks
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Logging and monitoring are the primary means of detecting active breaches and reconstructing incidents after the fact.
- Implement audit trails that link all access to system components to individual users
- Log all actions taken by individuals with administrative privileges
- Capture the following fields in every audit trail entry: user identification, event type, date/time stamp, success or failure indicator, origination, and affected resource
- Synchronize all critical system clocks using a trusted time service (NTP or equivalent)
- Protect audit trails so they cannot be deleted or altered
- Review logs and security events daily; PCI DSS v4.0 recommends automated log correlation tools to make this operationally feasible
- Retain audit trail history for at least 12 months, with the most recent three months immediately available for analysis
Requirement 11: Test Security of Systems and Networks Regularly
Testing validates that controls function as intended. Policies alone are not sufficient evidence of compliance.
- Run internal vulnerability scans quarterly; remediate all critical and high-risk findings and rescan to confirm remediation
- Run external vulnerability scans quarterly through an Approved Scanning Vendor (ASV)
- Perform penetration testing at least annually and after any significant infrastructure or application changes; tests must cover both internal and external surfaces
- Deploy intrusion detection or intrusion prevention systems (IDS/IPS) to monitor all traffic entering and leaving the CDE
- Implement file integrity monitoring (FIM) on critical files, configuration files, and executables
- Conduct targeted risk analyses to define the frequency of periodic log reviews and other controls where PCI DSS v4.0 grants scheduling flexibility
Goal 6: Maintain an Information Security Policy
Requirement 12: Support Information Security with Organizational Policies and Procedures
Technical controls alone are not sufficient. Requirement 12 covers the governance and operational practices that tie the other 11 requirements together.
- Establish, publish, and maintain a written information security policy reviewed at least annually and communicated to all affected personnel
- Perform a formal information security risk assessment at least annually and after significant changes to the environment
- Implement a security awareness program for all personnel; include phishing simulation training
- Conduct background screening before hiring personnel who will have access to the CDE
- Maintain a documented incident response plan, test it at least annually, and ensure designated response personnel are trained
- Manage all third-party service providers (TPSPs) with access to cardholder data: maintain a register of TPSPs, confirm their PCI DSS compliance status annually, and include PCI DSS requirements in contracts
SAQ Selection Guide

If your organization is Level 2, 3, or 4, you must complete the correct Self-Assessment Questionnaire. Using the wrong SAQ may mean you are not assessing the controls that actually apply to your environment. The PCI SSC document library contains the current SAQ forms and their eligibility instructions.
| SAQ Type | Environment Description | Typical Fit |
|---|---|---|
| SAQ A | Card data entry fully outsourced to a PCI-compliant third party; merchant has no electronic storage, processing, or transmission on merchant systems. For e-commerce, the payment page is hosted entirely by the third party (e.g., a redirect or iFrame). | Small e-commerce merchants using a hosted payment page |
| SAQ A-EP | E-commerce only; merchant's website receives the order but payment data fields are provided directly by a PCI-compliant third party. The merchant's server does not directly receive card data but scripts on the page could affect the payment form. | E-commerce merchants with direct-post or JavaScript-based checkout |
| SAQ B | Card data captured only via imprint machines or standalone, dial-out terminals; no electronic storage of cardholder data. | Small brick-and-mortar merchants with simple dial-out terminals |
| SAQ B-IP | Standalone IP-connected PTS-approved terminals that do not transmit card data to merchant systems; no electronic storage. | Brick-and-mortar merchants with IP-connected terminals certified under the PCI PTS standard |
| SAQ C | Payment application connected to the internet; no electronic storage of cardholder data; no card processing via e-commerce channel. | Retail or restaurant merchants using point-of-sale systems with internet connectivity |
| SAQ C-VT | Merchants who manually key transactions through a virtual terminal hosted by a PCI-compliant third party on an isolated PC; no electronic storage. | Phone-order merchants using a third-party virtual terminal |
| SAQ D (Merchant) | All merchants that do not qualify for SAQ A, A-EP, B, B-IP, C, or C-VT. Covers all 12 requirements. | Any merchant that stores cardholder data or has complex environments |
| SAQ D (Service Provider) | All service providers defined by a payment brand as eligible to complete an SAQ. Covers all 12 requirements. | Third-party service providers not subject to a full ROC |
| SAQ P2PE | Merchants using a PCI SSC-listed P2PE solution; reduced scope because cardholder data is encrypted before it enters merchant systems. | Merchants with a validated Point-to-Point Encryption solution |
Your acquiring bank has final authority on which SAQ applies to your account. When in doubt, confirm with them before completing a form.
Frequently Asked Questions
What is the difference between PCI DSS v3.2.1 and v4.0?
PCI DSS v4.0 introduced several substantive changes compared to v3.2.1. The key operational changes include: MFA is now required for all access into the CDE, not only remote access; minimum password length increased from 7 to 12 characters; anti-phishing controls are now required; Requirement 6.4.3 requires organizations to inventory and integrity-check all scripts on payment pages; and a "customized approach" option was added, allowing organizations to meet the intent of a requirement through alternative controls subject to QSA validation. Version 3.2.1 was retired on March 31, 2024. Organizations had until March 31, 2025 to achieve full v4.0 compliance.
Does outsourcing payment processing eliminate my PCI DSS obligations?
No. Using a PCI-compliant payment processor reduces your scope significantly, but you remain responsible for confirming your provider's compliance status annually, securing the data handoff, ensuring your checkout pages have not been tampered with (relevant to Requirement 6.4.3), and completing the appropriate SAQ. Your acquiring bank can tell you which SAQ applies given your processing setup.
How often must I validate compliance?
Annual validation is required for all merchant levels. Level 1 merchants complete an annual on-site QSA assessment producing a Report on Compliance. Levels 2 through 4 complete an annual SAQ. All levels that process over a threshold defined by their acquiring bank must also complete quarterly external vulnerability scans through an Approved Scanning Vendor.
What triggers a Level 1 classification beyond transaction volume?
Visa and Mastercard both reserve the right to classify any merchant as Level 1 following a confirmed account data compromise, regardless of transaction volume. Other card brands have equivalent provisions. A breach that affects any number of accounts can result in a mandatory upgrade to the most stringent validation tier.
How long does initial PCI DSS compliance take?
Timeline depends on your current security posture, your organization's size, and how much remediation work the gap assessment identifies. A small merchant completing SAQ A for the first time may work through the process in a few weeks. A Level 1 merchant undertaking a first QSA assessment typically requires several months of preparation, gap remediation, and control implementation before the formal assessment can begin. There is no standard timeline because the work required is different for every environment.
Sources used
- Payment Card Industry Data Security Standard (PCI DSS), accessed 2026-05-12
- PCI Security Standards Council (PCI SSC), accessed 2026-05-12
- Qualified Security Assessor (QSA), accessed 2026-05-12
- Visa merchant levels, accessed 2026-05-12
- Mastercard uses the same four-tier structure, accessed 2026-05-12
- PCI DSS v4.0.1 standard, accessed 2026-05-12
- OWASP Top 10, accessed 2026-05-12
- Approved Scanning Vendor (ASV), accessed 2026-05-12
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
