The Complete PCI Compliance Checklist for 2025
A practical, requirement-by-requirement PCI DSS v4.0 checklist covering all 12 requirements — designed to help your business assess readiness, identify gaps, and prepare for certification.
How to Use This PCI Compliance Checklist
This checklist maps to all 12 requirements of PCI DSS v4.0 — the current mandatory version as of March 2024. Use it to assess your current compliance posture, identify gaps that need remediation, and prepare for your annual Self-Assessment Questionnaire (SAQ) or QSA audit.
Note that this checklist is a readiness tool, not a substitute for a formal PCI DSS assessment. The full standard contains over 300 individual sub-requirements. This checklist covers the most critical controls across each requirement area.
PCI DSS v4.0: What Changed in 2025?
PCI DSS v4.0 became the only active version in March 2024, with 64 additional future-dated requirements now mandatory from 31 March 2025. If you were last assessed against v3.2.1, you need to address new requirements including enhanced MFA, client-side script security (web skimming), targeted risk analysis, and customised approach options for several requirements. The checklist below incorporates these v4.0-specific items where applicable.
All 12 PCI DSS v4.0 Requirements
Work through each requirement systematically. Items marked apply to most merchant environments — consult a QSA for full sub-requirement coverage in your specific scope.
Install and Maintain Network Security Controls
- Firewall(s) installed and configured to restrict inbound and outbound traffic to the CDE
- Network security controls documented with business justification for all allowed traffic
- Network diagrams current and accurately reflect all CDE connections
- Direct public access to cardholder data environment is prohibited
- Wireless network traffic into the CDE is restricted and monitored
- Firewall rule sets reviewed at least every six months
Apply Secure Configurations to All System Components
- All default passwords changed before any system is placed into production
- Vendor-supplied default accounts disabled or removed where not needed
- System configuration standards documented and applied to all in-scope components
- Unnecessary services, functions, and protocols disabled on all systems
- Non-console administrative access encrypted (SSH, HTTPS, etc.)
- Configuration standards reviewed and updated when new vulnerabilities are identified
Protect Stored Account Data
- Data retention policy in place — cardholder data stored only as long as necessary
- Sensitive authentication data (SAD) not stored after authorisation
- Primary Account Numbers (PANs) masked when displayed — only first 6 / last 4 digits shown
- Stored PANs rendered unreadable using strong encryption (AES-256 or similar)
- Cryptographic key management procedures documented and in place
- Quarterly process to identify and securely delete stored cardholder data beyond retention period
Protect Cardholder Data in Transit
- Strong cryptography (TLS 1.2 or higher) used for all transmission of cardholder data over open networks
- TLS 1.0 and 1.1 disabled across all systems
- SSL is not used anywhere in the CDE
- Trusted certificates in use — no untrusted or self-signed certificates in production
- Cardholder data not transmitted via end-user messaging (email, SMS, chat)
- Inventory of trusted certificate authorities maintained
Protect All Systems Against Malware
- Anti-malware solution deployed on all systems commonly affected by malicious software
- Anti-malware definitions updated automatically and regularly
- Periodic scans enabled — or continuous real-time protection in place
- Anti-malware solution cannot be disabled by end users
- Phishing-resistant controls in place (v4.0) — user awareness training on phishing conducted regularly
- Removable media scanned for malware when connected to any in-scope system
Develop and Maintain Secure Systems and Software
- Security patches applied within one month of release for critical vulnerabilities
- Secure development lifecycle (SDL) in place for in-house developed applications
- Web-facing applications protected against OWASP Top 10 vulnerabilities
- Web Application Firewall (WAF) deployed for all public-facing web applications
- Change control process in place for all changes to system components
- Script inventory maintained for all payment pages — unauthorised scripts blocked (v4.0 req. 6.4.3)
- HTTP security headers implemented on all payment pages to prevent web skimming (v4.0)
Restrict Access to System Components and Cardholder Data
- Access to cardholder data restricted to individuals with a documented business need
- Access control model documented — deny-by-default unless explicitly granted
- All privileges assigned based on least-privilege / need-to-know principle
- Access rights reviewed at least every six months and adjusted when roles change
- Third-party and vendor access to CDE restricted and monitored
Identify Users and Authenticate Access to System Components
- Unique user IDs assigned to all users — no shared credentials permitted
- Passwords meet minimum length of 12 characters (v4.0) and complexity requirements
- Multi-factor authentication (MFA) enforced for all non-console access into the CDE
- MFA enforced for all remote access to the network
- Inactive accounts disabled after 90 days maximum
- Terminated user accounts disabled or removed immediately upon termination
- Service accounts inventoried, documented, and reviewed regularly
Restrict Physical Access to Cardholder Data
- Physical access controls in place for all areas storing, processing, or transmitting cardholder data
- Visitor access logged and visitors accompanied at all times in sensitive areas
- All physical media containing cardholder data stored securely
- Physical media destroyed securely when no longer needed (cross-cut shred, degauss, or incinerate)
- Point-of-sale (POS) terminals inspected regularly for tampering or skimming devices
Log and Monitor All Access to Network Resources and Cardholder Data
- Audit logs enabled for all in-scope system components
- Logs capture: user ID, event type, date/time, success/failure, origin, and affected component
- Logs protected from modification — stored on a separate, secure log server
- Logs reviewed daily — automated tools used to flag anomalies and suspicious activity
- Logs retained for at least 12 months, with 3 months immediately available for analysis
- Accurate time synchronisation in place across all in-scope systems (NTP)
Test Security of Systems and Networks Regularly
- Quarterly internal and external vulnerability scans conducted by an ASV (for external scans)
- Scans repeated until clean results are achieved before the quarter ends
- Annual penetration test conducted — both network and application layer
- Penetration test includes testing of segmentation controls (if segmentation is used to reduce scope)
- Intrusion detection / intrusion prevention system (IDS/IPS) deployed and monitored
- Change detection (file integrity monitoring) in place for critical system files and configuration
Support Information Security with Organisational Policies and Programmes
- Comprehensive information security policy in place, reviewed annually
- Security awareness training conducted at hire and at least annually thereafter
- Acceptable use policy for end-user technologies documented and signed by all users
- Incident response plan in place and tested at least annually
- Inventory of all hardware and software components in scope maintained
- All third-party service providers (TPSPs) with access to CDE listed in a register
- Written agreements with all TPSPs confirming their PCI DSS responsibilities
- Targeted risk analysis conducted for all requirements using the customised approach (v4.0)
Tips for Working Through Your PCI Compliance Checklist
Start With Scope Reduction
Before addressing any checklist item, map your cardholder data flows and reduce your CDE scope as much as possible. Every system you remove from scope eliminates multiple checklist items instantly.
Prioritise by Risk
Not all requirements carry equal weight. Requirements 3 (data storage), 8 (authentication), and 10 (logging) are most frequently cited in breach investigations — address these first.
Document Everything
PCI DSS is as much about evidence as it is about controls. Policies, procedures, logs, scan results, and approval records must all be documented and retained. “We do it” is not acceptable — you must be able to prove it.
Don’t Ignore v4.0 New Requirements
The 64 future-dated requirements that became mandatory in March 2025 include several technically complex items — particularly around web skimming (req. 6.4.3), MFA (req. 8.4), and targeted risk analysis. Address these early to avoid last-minute pressure.
Manage Third-Party Risk
Requirement 12.8 and 12.9 require you to manage the compliance of all third-party service providers with access to your CDE. Obtain their current AOC annually and document the division of PCI responsibilities.
Treat Compliance as Continuous
PCI DSS compliance is a point-in-time assessment of a continuous programme. Build quarterly scan scheduling, annual pen test booking, policy review dates, and staff training into your operational calendar from day one.
Want a QSA to Review Your Checklist?
30 minutes with a practising QSA who’ll walk through your readiness, identify the highest-priority gaps, and recommend the most efficient path to validation — no commitment, no sales pitch.
Frequently Asked Questions about the PCI Compliance Checklist
Is this checklist suitable for all PCI merchant levels?
How often should I review this checklist?
What is the difference between this checklist and the SAQ?
What are the most commonly failed checklist items?
Can a QSA help me work through this checklist?
Want a QSA to Review Your Checklist?
Our certified QSAs can validate your checklist and identify the gaps that matter most — before they cost you at audit time.
Continue your PCI journey
All PCI services →What is PCI Compliance?
The complete business guide to PCI DSS — what it is, what’s required, and how to get there.
Read the guidePCI Compliance Assistance
QSA-led, end-to-end PCI compliance assistance — from gap assessment to certified AOC.
View serviceSAQ Selector
Find the right SAQ for your business in under 60 seconds. 9 outcomes, no signup.
Open the selector







