PCI DSS v4.0 Checklist

The Complete PCI Compliance Checklist for 2025

A practical, requirement-by-requirement PCI DSS v4.0 checklist covering all 12 requirements — designed to help your business assess readiness, identify gaps, and prepare for certification.

PCI DSS v4.0
All 12 requirements
Readiness tool
QSA-validated
StandardPCI DSS v4.0
12 Requirements
~75 checklist items in this guide
1–2
Network
3–4
Data
5–6
Vuln Mgmt
7–12
Access & Policy
Aligned to PCI SSC v4.0 framework
Print-ready
Use as your gap-assessment template
Trusted by compliance teams across ANZ
SparkDatacomInland RevenueVodafoneHumm GroupCCLFidelityIllionPlan BXplore
Get started

How to Use This PCI Compliance Checklist

This checklist maps to all 12 requirements of PCI DSS v4.0 — the current mandatory version as of March 2024. Use it to assess your current compliance posture, identify gaps that need remediation, and prepare for your annual Self-Assessment Questionnaire (SAQ) or QSA audit.

Note that this checklist is a readiness tool, not a substitute for a formal PCI DSS assessment. The full standard contains over 300 individual sub-requirements. This checklist covers the most critical controls across each requirement area.

v4.0 update

PCI DSS v4.0: What Changed in 2025?

PCI DSS v4.0 became the only active version in March 2024, with 64 additional future-dated requirements now mandatory from 31 March 2025. If you were last assessed against v3.2.1, you need to address new requirements including enhanced MFA, client-side script security (web skimming), targeted risk analysis, and customised approach options for several requirements. The checklist below incorporates these v4.0-specific items where applicable.

The checklist

All 12 PCI DSS v4.0 Requirements

Work through each requirement systematically. Items marked apply to most merchant environments — consult a QSA for full sub-requirement coverage in your specific scope.

1

Install and Maintain Network Security Controls

  • Firewall(s) installed and configured to restrict inbound and outbound traffic to the CDE
  • Network security controls documented with business justification for all allowed traffic
  • Network diagrams current and accurately reflect all CDE connections
  • Direct public access to cardholder data environment is prohibited
  • Wireless network traffic into the CDE is restricted and monitored
  • Firewall rule sets reviewed at least every six months
2

Apply Secure Configurations to All System Components

  • All default passwords changed before any system is placed into production
  • Vendor-supplied default accounts disabled or removed where not needed
  • System configuration standards documented and applied to all in-scope components
  • Unnecessary services, functions, and protocols disabled on all systems
  • Non-console administrative access encrypted (SSH, HTTPS, etc.)
  • Configuration standards reviewed and updated when new vulnerabilities are identified
3

Protect Stored Account Data

  • Data retention policy in place — cardholder data stored only as long as necessary
  • Sensitive authentication data (SAD) not stored after authorisation
  • Primary Account Numbers (PANs) masked when displayed — only first 6 / last 4 digits shown
  • Stored PANs rendered unreadable using strong encryption (AES-256 or similar)
  • Cryptographic key management procedures documented and in place
  • Quarterly process to identify and securely delete stored cardholder data beyond retention period
4

Protect Cardholder Data in Transit

  • Strong cryptography (TLS 1.2 or higher) used for all transmission of cardholder data over open networks
  • TLS 1.0 and 1.1 disabled across all systems
  • SSL is not used anywhere in the CDE
  • Trusted certificates in use — no untrusted or self-signed certificates in production
  • Cardholder data not transmitted via end-user messaging (email, SMS, chat)
  • Inventory of trusted certificate authorities maintained
5

Protect All Systems Against Malware

  • Anti-malware solution deployed on all systems commonly affected by malicious software
  • Anti-malware definitions updated automatically and regularly
  • Periodic scans enabled — or continuous real-time protection in place
  • Anti-malware solution cannot be disabled by end users
  • Phishing-resistant controls in place (v4.0) — user awareness training on phishing conducted regularly
  • Removable media scanned for malware when connected to any in-scope system
6

Develop and Maintain Secure Systems and Software

  • Security patches applied within one month of release for critical vulnerabilities
  • Secure development lifecycle (SDL) in place for in-house developed applications
  • Web-facing applications protected against OWASP Top 10 vulnerabilities
  • Web Application Firewall (WAF) deployed for all public-facing web applications
  • Change control process in place for all changes to system components
  • Script inventory maintained for all payment pages — unauthorised scripts blocked (v4.0 req. 6.4.3)
  • HTTP security headers implemented on all payment pages to prevent web skimming (v4.0)
7

Restrict Access to System Components and Cardholder Data

  • Access to cardholder data restricted to individuals with a documented business need
  • Access control model documented — deny-by-default unless explicitly granted
  • All privileges assigned based on least-privilege / need-to-know principle
  • Access rights reviewed at least every six months and adjusted when roles change
  • Third-party and vendor access to CDE restricted and monitored
8

Identify Users and Authenticate Access to System Components

  • Unique user IDs assigned to all users — no shared credentials permitted
  • Passwords meet minimum length of 12 characters (v4.0) and complexity requirements
  • Multi-factor authentication (MFA) enforced for all non-console access into the CDE
  • MFA enforced for all remote access to the network
  • Inactive accounts disabled after 90 days maximum
  • Terminated user accounts disabled or removed immediately upon termination
  • Service accounts inventoried, documented, and reviewed regularly
9

Restrict Physical Access to Cardholder Data

  • Physical access controls in place for all areas storing, processing, or transmitting cardholder data
  • Visitor access logged and visitors accompanied at all times in sensitive areas
  • All physical media containing cardholder data stored securely
  • Physical media destroyed securely when no longer needed (cross-cut shred, degauss, or incinerate)
  • Point-of-sale (POS) terminals inspected regularly for tampering or skimming devices
10

Log and Monitor All Access to Network Resources and Cardholder Data

  • Audit logs enabled for all in-scope system components
  • Logs capture: user ID, event type, date/time, success/failure, origin, and affected component
  • Logs protected from modification — stored on a separate, secure log server
  • Logs reviewed daily — automated tools used to flag anomalies and suspicious activity
  • Logs retained for at least 12 months, with 3 months immediately available for analysis
  • Accurate time synchronisation in place across all in-scope systems (NTP)
11

Test Security of Systems and Networks Regularly

  • Quarterly internal and external vulnerability scans conducted by an ASV (for external scans)
  • Scans repeated until clean results are achieved before the quarter ends
  • Annual penetration test conducted — both network and application layer
  • Penetration test includes testing of segmentation controls (if segmentation is used to reduce scope)
  • Intrusion detection / intrusion prevention system (IDS/IPS) deployed and monitored
  • Change detection (file integrity monitoring) in place for critical system files and configuration
12

Support Information Security with Organisational Policies and Programmes

  • Comprehensive information security policy in place, reviewed annually
  • Security awareness training conducted at hire and at least annually thereafter
  • Acceptable use policy for end-user technologies documented and signed by all users
  • Incident response plan in place and tested at least annually
  • Inventory of all hardware and software components in scope maintained
  • All third-party service providers (TPSPs) with access to CDE listed in a register
  • Written agreements with all TPSPs confirming their PCI DSS responsibilities
  • Targeted risk analysis conducted for all requirements using the customised approach (v4.0)
Practitioner tips

Tips for Working Through Your PCI Compliance Checklist

Tip 1

Start With Scope Reduction

Before addressing any checklist item, map your cardholder data flows and reduce your CDE scope as much as possible. Every system you remove from scope eliminates multiple checklist items instantly.

Tip 2

Prioritise by Risk

Not all requirements carry equal weight. Requirements 3 (data storage), 8 (authentication), and 10 (logging) are most frequently cited in breach investigations — address these first.

Tip 3

Document Everything

PCI DSS is as much about evidence as it is about controls. Policies, procedures, logs, scan results, and approval records must all be documented and retained. “We do it” is not acceptable — you must be able to prove it.

Tip 4

Don’t Ignore v4.0 New Requirements

The 64 future-dated requirements that became mandatory in March 2025 include several technically complex items — particularly around web skimming (req. 6.4.3), MFA (req. 8.4), and targeted risk analysis. Address these early to avoid last-minute pressure.

Tip 5

Manage Third-Party Risk

Requirement 12.8 and 12.9 require you to manage the compliance of all third-party service providers with access to your CDE. Obtain their current AOC annually and document the division of PCI responsibilities.

Tip 6

Treat Compliance as Continuous

PCI DSS compliance is a point-in-time assessment of a continuous programme. Build quarterly scan scheduling, annual pen test booking, policy review dates, and staff training into your operational calendar from day one.

Complimentary · No Obligation

Want a QSA to Review Your Checklist?

30 minutes with a practising QSA who’ll walk through your readiness, identify the highest-priority gaps, and recommend the most efficient path to validation — no commitment, no sales pitch.

Walk-through of your current posture
Top 5 gaps to address first
SAQ vs. ROC recommendation
Effort & timeline estimate
Book Your Free Review
QSA-led call 30-min commitment 1 business-day response
FAQ

Frequently Asked Questions about the PCI Compliance Checklist

Is this checklist suitable for all PCI merchant levels?
Yes. All 12 PCI DSS requirements apply to every merchant regardless of level — what differs between levels is the validation method (SAQ vs. QSA audit) and the specific sub-requirements that apply based on your payment acceptance method. A Level 4 merchant using a fully hosted payment page will have far fewer applicable controls than a Level 1 merchant storing cardholder data, but both must demonstrate compliance with the applicable requirements.
How often should I review this checklist?
PCI DSS requires annual validation, but compliance is a continuous programme. You should review your control status quarterly — aligned with your ASV scan cycle — and any time there is a significant change to your environment, such as a new payment system, infrastructure migration, or significant organisational change. Some controls (like log reviews and patch management) must be verified daily or monthly.
What is the difference between this checklist and the SAQ?
This checklist is a readiness and gap identification tool — it helps you understand your current posture and what you need to fix before formal validation. The Self-Assessment Questionnaire (SAQ) is the official PCI SSC validation document you complete to formally attest your compliance to your acquiring bank. There are nine different SAQ types depending on how you accept payments, each containing different subsets of PCI DSS requirements.
What are the most commonly failed checklist items?
Based on our QSA experience, the most commonly failed areas are: Requirement 8 (weak or shared passwords, missing MFA), Requirement 6 (missing security patches, no WAF, unmanaged web scripts), Requirement 10 (insufficient log retention or review processes), Requirement 12 (incomplete policies, untested incident response plan), and Requirement 3 (unnecessary storage of sensitive cardholder data).
Can a QSA help me work through this checklist?
Absolutely. Our certified QSAs can conduct a structured gap assessment using the full PCI DSS v4.0 requirements — going far beyond this summary checklist to assess every sub-requirement against documented evidence. The output is a detailed gap report with a prioritised remediation plan, realistic effort estimates, and clear guidance on what to do next. This is the most efficient way to prepare for formal PCI certification.
Get a second opinion

Want a QSA to Review Your Checklist?

Our certified QSAs can validate your checklist and identify the gaps that matter most — before they cost you at audit time.

QSA-led · ANZ · EU · NA · 1 business-day response

Continue your PCI journey

All PCI services →
Guide

What is PCI Compliance?

The complete business guide to PCI DSS — what it is, what’s required, and how to get there.

Read the guide
Service

PCI Compliance Assistance

QSA-led, end-to-end PCI compliance assistance — from gap assessment to certified AOC.

View service
Free tool

SAQ Selector

Find the right SAQ for your business in under 60 seconds. 9 outcomes, no signup.

Open the selector