15 Step PCI Compliance Checklist: Get yourself ready with the basics
Understanding the process of a Payment Card Industry Data Security Standard (PCI DSS) assessment is fundamental to a smooth and successful outcome. Adequate preparation can significantly mitigate potential challenges and reduce the concerns often associated with external compliance audits. This guide outlines the typical stages of a PCI DSS assessment, providing clarity on what to anticipate and how to prepare effectively.
Embracing the principle of "Be Prepared" is invaluable for your PCI DSS assessment journey. Investing in proactive preparation not only fosters a more efficient process but also instills confidence. It is crucial to ensure that foundational elements are in place before the assessor begins their evaluation, thereby avoiding the scenario where significant gaps are identified at the outset. Essential basic requirements that should be completed and readily accessible include:
A validated scope that clearly defines what is included and verifies that elements deemed out of scope are genuinely excluded.
Documentation of data repositories, detailing where payment card data is stored and how it is protected.
Completion of an annual risk assessment.
Current high-level network diagrams.
Connectivity diagrams.
A dataflow diagram illustrating how cardholder data moves within your environment.
A comprehensive systems inventory.
Established policies and procedures relevant to PCI DSS.
A list of critical hardware and software components.
Results of the annual external penetration test, including initial test reports, documentation of any remediation performed, and evidence of a subsequent passing retest.
Results of the annual internal penetration test, including initial test reports, documentation of any remediation performed, and evidence of a subsequent passing retest.
If applicable as a service provider, results of required periodic segmentation testing.
Results of external vulnerability tests, including four quarterly tests conducted at 90-day intervals, documentation of remediation, and evidence of passing retests.
Results of internal vulnerability tests, including four quarterly tests conducted at 90-day intervals, documentation of remediation, and evidence of passing retests.
A list of subject matter experts within your organization who can provide information related to the PCI DSS requirements.
Most assessors will prioritize verifying the completion of these fundamental items. Failure to have these basics in order will likely result in a non-compliant assessment outcome.
At a high level, achieving PCI DSS compliance fundamentally relies on three core components:
Ensuring compliant applied configurations, processes, and results.
Providing verifiable proof to the assessor that documented practices are being followed.
Evidence collection for your PCI DSS assessment commences with these key initial items, followed by the documentation of all other requirements, submitted through secure methods. This evidence is utilized by the assessor to complete the official PCI DSS Report on Compliance (ROC) template. Providing core documentation, such as policies and procedures, early in the process can facilitate the assessment while you gather remaining evidence. It is important to note that certain requirements necessitate direct observation by the assessor for validation.
The Onsite Visit
Following the initial evidence gathering, the assessor will schedule an onsite visit. The onsite phase serves multiple critical objectives:
Firstly, it is essential for verifying physical security controls, as these requirements necessitate direct observation and walkthroughs by the assessor.
Secondly, the onsite presence significantly compresses the request and response cycle. This acceleration is crucial because demonstrating compliance with specific requirements can otherwise involve extended delays when conducted remotely.
During the onsite visit, the assessor may inquire about your compliance measures, allowing you to directly demonstrate your implementation for immediate validation. Certain PCI DSS compliance requirements explicitly necessitate direct observation by the assessor for validation. The PCI DSS Report on Compliance (ROC) template includes explicit instructions for the assessor to "Observe" during this process. Complementing observation are interview requirements; the ROC mandates interviewing relevant personnel to gather information for specific compliance points. Conducting these interviews during the onsite visit facilitates efficient completion, avoiding potential delays and scheduling complexities associated with coordinating multiple remote meetings over an extended period.
Report Writing and Finalization
Subsequently, the assessor will proceed with writing the Report on Compliance (ROC) based on the collected evidence and observations. All findings are meticulously documented within the ROC template. Should the assessor require additional information, they will contact you for input. This interaction provides an opportunity to address potential findings proactively before the final ROC is issued.
If a non-compliant requirement is identified during the evidence gathering, onsite assessment, and analysis phases, the assessor will typically allow for a defined remediation period. Successfully addressing these non-compliant items within this timeframe enables the assessor to re-assess them for proper remediation and compliance. However, it is crucial to understand that not all issues can be remediated. Certain historical evidence, such as a missed vulnerability scan from a previous period, cannot be retroactively corrected, although it may potentially qualify for a compensating control. Similarly, a fundamental process failure, such as the absence of a defined change management process during the assessment period, cannot be remediated in retrospect.
Mandatory Quality Assurance
The final stage involves a crucial Quality Assurance (QA) process where the collected evidence and the narratives within the PCI DSS Report on Compliance (ROC) template are reviewed by an independent party. This review ensures accuracy and completeness and may lead to further requests from the assessor for additional evidence. Such requests are a standard part of the validation process and should not be a cause for concern.
The finalized ROC is a critical "point in time" document reflecting the organization's compliance status at the time of assessment. Upon completion of the QA phase, the assessment is officially finalized. You will receive the comprehensive ROC, intended primarily for your internal records and use, along with the Attestation of Compliance (AoC). The AoC serves as a summary document for demonstrating your compliance status to external entities, such as acquiring banks and business partners, who typically only require the AoC as proof of your validated compliance. A key point of caution: you should generally not distribute your full ROC to outside firms seeking to verify your compliance; the AoC is designed for this purpose.
Ideally, a PCI DSS assessment, from initiation to finalization, should be completed within approximately three months. However, the process can extend beyond this timeframe, frequently due to the challenges organizations face in efficiently amassing the required evidence, particularly when limited personnel are involved. This underscores the importance of integrating compliance activities into daily operations.
The concept of "Business As Usual" (BAU), strongly promoted by the PCI Security Standards Council (PCI SSC), encourages organizations to embed PCI DSS requirements into their regular day-to-day processes. By making compliance an ongoing activity rather than a reactive effort, the annual assessment transforms from a significant, disruptive event into a more manageable and routine demonstration of your established security posture.
Implementing Governance, Risk, and Compliance (GRC) tools can significantly facilitate this BAU approach and streamline the evidence gathering process. While there is an initial effort in configuring a GRC tool, the long-term benefits include reduced manual effort during assessments and a lower overall impact on resources. Leveraging such tools can contribute to a more efficient and less burdensome assessment cycle.
Regardless of the specific methodology or tools used, completing the PCI assessment within a reasonable timeframe is crucial. Assessments extending beyond four to five months can compromise the validity and accuracy of the findings as the evidence ages. Prolonged assessment timelines often indicate that an entity may not be adequately prepared, lacks sufficient focus on the process, or has underlying compliance deficiencies that require significant effort to address.