Protecting customer payment data is about building trust and keeping your business running effectively. The average global breach cost reached $4.88 million in 2024 so maintaining high standards is important.

The Payment Card Industry Data Security Standard (PCI DSS) checklist turns an intimidating standard into clear steps any business can follow to safeguard cardholder information. Below, we’ll explain what the checklist requires and how to maintain compliance over time.

What’s in this article?

• What is PCI DSS compliance?
  
• What does the PCI DSS compliance checklist include?
  
• How do you monitor and test networks for PCI compliance?
  
• How can companies maintain a secure cardholder data environment?
  
• What steps should you take to prepare for PCI DSS compliance?
  
• How do you maintain PCI DSS compliance over time?
  
• How Stripe Payments can help
  

What is PCI DSS compliance?

The PCI DSS is the rule book for protecting credit and debit card information. It was created in 2004 by American Express, Discover, JCB, Mastercard, and Visa to minimize fraud and breaches. Today, it’s the baseline security standard for any business that stores, processes, or transmits card data.

PCI DSS compliance is mandatory. If your business accepts credit or debit cards, it falls under the PCI DSS—whether it’s a single-location shop, a fast-growing software-as-a-service (SaaS) company, or a global enterprise. Service providers that move or store card data on behalf of others must comply too. The exact reporting steps differ depending on your transaction volume, but the security requirements apply across the board.

The PCI DSS isn’t a law, but it’s enforced through your contracts with banks and payment processors. If you don’t comply, you could face fines, costly audits, or lawsuits, or even lose the ability to process card payments.

What does the PCI DSS compliance checklist include?

The PCI DSS is built on 12 requirements.

1. Install and maintain firewalls

Your first line of defense is a well-configured firewall that blocks unwanted traffic. Review rules regularly and eliminate anything unnecessary. Custom rules are important.

2. Avoid default passwords and settings

Devices and software often ship with widely known defaults. Change them immediately, disable unused accounts, and shut down services you don’t need.

3. Protect stored cardholder data

If you don’t need to store card data, don’t. If you must, encrypt it with strong algorithms, mask or truncate where possible, and securely manage encryption keys. Purge data when it’s no longer needed.

4. Encrypt data in transit

Any time card details move across open networks, they must be encrypted. Use modern protocols such as Transport Layer Security (TLS) 1.2 or higher. Older protocols such as Secure Sockets Layer (SSL) are less effective. Never send card numbers over email or unencrypted channels.

5. Defend against malware

Every system that could be hit by malicious software needs antimalware protection that’s kept current and configured to run automatically. PCI DSS v4.0 goes further by encouraging advanced detection tools, not just traditional antivirus protection.

6. Patch systems and applications

Vulnerabilities are a hacker’s entry point. Keep an up-to-date inventory of assets, subscribe to security bulletins, and apply patches quickly. Follow secure coding practices if you build your own applications.

7. Limit data access by role

Apply the principle of least privilege. Only employees who truly need access to card data should have it. Use role-based controls, revoke access promptly when roles change, and consider just-in-time access for sensitive tasks.

8. Uniquely authenticate users

Every individual gets a unique ID. Don’t allow shared logins. Require strong passwords and multifactor authentication for all access to systems in the cardholder data environment (CDE). This is a firm requirement under PCI DSS v4.0.

9. Control physical access

Protect the places where card data exists physically: server rooms, payment terminals, paper records, and backups. Use ID badges, door locks, and camera surveillance. Destroy records you no longer need.

10. Track and monitor access

Turn on detailed logging for systems that touch cardholder data. Record who did what and when. Store at least a year’s worth of logs—the last three months should be easily accessible—and regularly review them for anything unusual.

11. Regularly test security

Run quarterly vulnerability scans. If you have an online business, choose an Approved Scanning Vendor qualified by the PCI Security Standards Council. Perform penetration tests annually, at a minimum. Scan internally after any major changes. Testing allows you to catch problems before attackers can use them to gain access.

12. Maintain security policies and train staff

Compliance depends on people as much as systems. Establish a formal security policy, update it annually, and train staff regularly so everyone knows how to protect payment data.

Think of your PCI DSS compliance checklist as a playbook. Configure, encrypt, limit, monitor, test, and train, then repeat as your business grows.

How do you monitor and test networks for PCI compliance?

The PCI DSS also requires that you prove your controls work every day. That involves monitoring and testing.

Logging and monitoring

Systems that touch cardholder data must generate detailed logs: who accessed what, when, and what actions were taken. You must store at least a year of logs, with the last three months immediately available. You also need to review the logs. Many businesses use automated alerts to flag suspicious activity, such as an admin account that logs in at odd hours.

Vulnerability scanning

The PCI DSS mandates quarterly vulnerability scans of your internet-facing systems, performed by an Approved Scanning Vendor. Internal scans should also be scheduled, especially after major system changes. These scans look for known weaknesses such as outdated software and misconfigured firewalls that attackers could exploit.

Penetration testing

Conduct penetration tests at least once a year. These are simulated attacks carried out by professionals who think like hackers. Unlike automated scans, penetration tests explore how different vulnerabilities can create real risk. They help you see your environment the way an attacker would.

Continuous validating

PCI compliance means following an ongoing cycle: configuring systems, scanning them, remediating issues, and retesting. The point is to catch problems before they become breaches and to show that your controls hold up under scrutiny.

How can companies maintain a secure cardholder data environment?

Securing cardholder data is about creating an environment where risks are reduced at every layer. The PCI DSS calls this the CDE, and keeping it secure means paying attention to scope, storage, access, and architecture.

Here’s how to protect your CDE.

Define and minimize scope

First, figure out exactly where card data flows in your systems. Outline applications, databases, terminals, and networks that touch or transmit it. Then, shrink that footprint: if a system doesn’t need to handle card data, take it out of scope.

Don’t store what you don’t need

Every piece of stored card data is a liability. Retain only what you need, and set automated processes to purge old data. Use masking and truncation where possible so even if data surfaces, it’s useless to attackers.

Tokenize and encrypt

When you must handle card numbers, replace them with tokens that have no exploitable value outside your systems. Encrypt cardholder data both at rest and in transit, and manage encryption keys with the same rigor you’d apply to data protection: limit access, rotate keys regularly, and log their use.

Segment your network

Keep the CDE isolated from the rest of your systems. Network segmentation ensures that if one area is compromised, attackers won’t gain a straight path to payment data.

Restrict and monitor access

Apply strict access controls: role-based permissions, multifactor authentication, and a log of every access attempt. Review privileges often and remove access promptly when it’s no longer needed.

A protected CDE requires regular review, updates, and testing. By tightening the scope, encrypting effectively, and limiting exposure, you can build an environment resilient to mistakes and attacks.

What steps should you take to prepare for PCI DSS compliance?

Before you fill out a questionnaire or schedule an audit, you need a clear picture of how your business handles card data and where the risks lie. That turns PCI DSS compliance from an abstract standard into a concrete project plan with scope, evidence, and accountability defined from the start.

Here’s how to prepare.

Scope

Identify every system, application, and network that touches cardholder data. Create a data flow diagram that shows exactly how card information moves through your environment, from the point of entry (e.g., website, terminal, app) to where it’s processed or stored. Anything that interacts with card data falls into scope.

Asset inventory

List all hardware, software, and service providers involved in payments. This helps you understand what needs to be secured and where third-party responsibilities come into play.

Gap analysis

Compare your current controls to the 12 PCI DSS requirements. A gap analysis reveals missing policies, outdated configurations, or unpatched systems and gives you a prioritized road map for remediation.

Validation path

Businesses typically validate through a Self-Assessment Questionnaire. But large businesses often need a formal Report on Compliance from a Qualified Security Assessor. The route you take depends on your transaction volume and how you process payments.

Timeline and roles

Build in time for remediation, documentation, testing, and training. Assign clear responsibilities so tasks don’t slip through the cracks.

How do you maintain PCI DSS compliance over time?

Compliance is a recurring cycle. Long-term PCI compliance means weaving security into your daily operations.

Here’s what that entails.

Schedule recurring checks

Schedule quarterly vulnerability scans, annual penetration tests, policy reviews, and regular risk assessments. Document each activity so you have a paper trail for auditors and for your own accountability.

Host repeated trainings

People are part of the system. Hold regular security awareness sessions so employees know how to spot card skimmers, phishing attempts, and signs of tampering. Update training when standards or your own processes change.

Watch vendors

Third-party providers are often part of your payment flow. Review their compliance statuses regularly and ensure contracts reflect security obligations.

Be ready to respond

Maintain an incident response plan: know who to call, how to isolate systems, and how to notify stakeholders. You need to be able to act quickly if something goes wrong.

How Stripe Payments can help

Stripe Payments provides a unified, global payment solution that helps any business—from scaling startups to global enterprises—accept payments online, in person, and around the world.

Stripe Payments can help you:

• Optimize your checkout experience: Create a frictionless customer experience and save thousands of engineering hours with prebuilt payment UIs, access to 125+ payment methods, and Link, a wallet built by Stripe.

• Expand to new markets faster: Reach customers worldwide and reduce the complexity and cost of multicurrency management with cross-border payment options, available in 195 countries across 135+ currencies.

• Unify payments in person and online: Build a unified commerce experience across online and in-person channels to personalize interactions, reward loyalty, and grow revenue.

• Improve payment performance: Increase revenue with a range of customizable, easy-to-configure payment tools, including no-code fraud protection and advanced capabilities to improve authorization rates.

• Move faster with a flexible, reliable platform for growth: Build on a platform designed to scale with you, with 99.999% uptime and industry-leading reliability.

Learn more about how Stripe Payments can power your online and in-person payments, or get started today.