PCI DSS compliance checklist

A practical PCI DSS 4.0.1 compliance checklist covering scope, merchant level, the Self-Assessment Questionnaire, vulnerability scanning, penetration testing, and Attestation of Compliance - with the annual cycle rendered as a BPMN process map.


Who PCI DSS 4.0.1 applies to

Merchants, payment service providers, and any entity that stores, processes, or transmits cardholder data - globally, contractually enforced by the card brands.

Jurisdiction: Global - any entity handling payment card data. Full name: Payment Card Industry Data Security Standard 4.0.1.


The PCI DSS 4.0.1 compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process; the steps, owners, and decisions your team actually runs sit underneath it.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Identify and isolate the cardholder data environment (CDE) to minimise scope: map every flow of cardholder data, segment the CDE, and record the connected-to and security-impacting systems (directory, logging, patching, jump hosts) that come into scope with it.

  2. Determine your merchant level (1–4) from annual card-transaction volume. Each card brand publishes its own thresholds, so confirm the level with your acquirer.

  3. Identify the applicable Self-Assessment Questionnaire (SAQ) type (A, A-EP, B, B-IP, C, C-VT, D, P2PE, SPoC), or a Report on Compliance (ROC) if your level requires one.

  4. Implement and document the 12 PCI DSS requirements within scope, recording for each control whether you meet it with the defined approach or the customised approach (which needs a targeted risk analysis).

  5. Run external vulnerability scans by an Approved Scanning Vendor (ASV) at least once every three months, rescanning until a passing report is obtained (Requirement 11.3.2).

  6. Run internal vulnerability scans at least once every three months and after significant changes (Requirement 11.3.1); authenticated internal scanning is mandatory from 31 March 2025.

  7. Conduct penetration testing (network and application, external and internal) at least annually and after any significant change, including testing of the segmentation controls you rely on for scope (Requirement 11.4).

  8. Maintain an inventory of all CDE system components, software, and personnel.

  9. Document and review user access controls, change management, and incident response procedures.

  10. Complete and submit the Attestation of Compliance (AOC), with the SAQ or ROC behind it, to your acquirer or card brand.


PCI DSS 4.0.1 as a process map

The annual PCI DSS compliance cycle, from scoping through SAQ submission. Most failures happen in the scoping step - over-broad scope drives audit cost; over-narrow scope means a missing system shows up at AOC time.


PCI DSS compliance process

A PCI DSS compliance process rendered as a BPMN 2.0 process map. Covers merchant level / SAQ determination, scoping the cardholder data environment, completing the SAQ, ASV scanning, annual penetration testing, and submitting the Attestation of Compliance.

  1. Identify the cardholder data environment (CDE) and confirm scope.
  2. Determine merchant level (1–4) and applicable Self-Assessment Questionnaire (SAQ) type.
  3. Complete the appropriate SAQ and remediate gaps against PCI DSS requirements.
  4. Schedule quarterly Approved Scanning Vendor (ASV) vulnerability scans.
  5. Run annual penetration testing of the CDE.
  6. Submit the Attestation of Compliance (AOC) to the acquirer or card brand.

Frequently asked questions

What is the difference between PCI DSS 3.2.1 and 4.0?

PCI DSS 4.0.1 is the current version. v4.0 was published on 31 March 2022 and ran alongside 3.2.1 until 3.2.1 was retired on 31 March 2024. v4.0 is the release that made the substantive changes: the customised approach (meeting a requirement's stated objective with controls other than the defined ones, backed by a targeted risk analysis), multi-factor authentication for all access into the CDE, targeted risk analyses for frequency-based controls, and additional requirements for service providers. v4.0 added 64 new requirements; 13 applied immediately and the remaining 51 were future-dated as best practice until they became mandatory on 31 March 2025. v4.0.1, published 11 June 2024, is a limited revision that corrects errata and clarifies wording without adding or removing requirements; v4.0 itself was retired on 31 December 2024.

Do I need a QSA?

Merchant levels are defined by each card brand, so check the scheme your acquirer applies. Level 1 merchants and Level 1 service providers need an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) or, where the brand permits it, a certified Internal Security Assessor (ISA). Level 2–4 merchants and Level 2 service providers generally self-assess via the appropriate SAQ, although some brands require a Level 2 merchant's SAQ to be completed by an ISA or QSA. Card brands and acquirers can impose stricter requirements after a breach or based on their own risk assessment.

How does scope reduction help?

Every system component that stores, processes, or transmits cardholder data is in the CDE, and anything with network connectivity to the CDE or that can affect its security (directory services, logging, patch management, jump hosts) is in scope with it. Network segmentation, tokenisation, and P2PE all shrink that footprint, which directly reduces the cost and risk of compliance. SAQ A (card-not-present merchants that outsource all cardholder data handling to PCI DSS validated third parties) is dramatically simpler than SAQ D. Segmentation only reduces scope if it is verified, though: Requirement 11.4.5 requires penetration testing of the segmentation controls at least annually.
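
The scoping rule above can be applied mechanically to an asset inventory once you know which network paths segmentation actually permits. The following is an added example, not code from the page or from the PCI SSC: the inventory, hostnames, and firewall permits are constructed for illustration, and the categories simplify the PCI SSC scoping guidance (CDE, connected-to, security-impacting, and a "review" bucket for hosts reachable only through an in-scope system, where a per-path decision is still needed). It also shows what happens when the same inventory sits on a flat network, and flags in-scope hosts that the declared scope omits, which is the failure mode that surfaces at AOC time.

```python
"""Derive PCI DSS scope from an asset inventory plus the network flows that
segmentation permits.  Categories (simplified from PCI SSC scoping guidance):
  cde       - stores, processes or transmits cardholder data
  connected - has a permitted network path directly to a CDE system
  security  - provides a security service the CDE depends on, even with no
              data path modelled (directory, logging, patching)
  review    - reachable only through an in-scope system; needs a per-path
              decision on whether it can gain access to the CDE
  out       - none of the above, i.e. segmentation blocks every path
"""
from itertools import permutations

# Constructed sample inventory; hostnames and attributes are hypothetical.
INVENTORY = {
    "pos-01":       {"chd": True,  "security_service": False},
    "pay-gw":       {"chd": True,  "security_service": False},
    "chd-db":       {"chd": True,  "security_service": False},
    "ad-dc01":      {"chd": False, "security_service": True},
    "syslog":       {"chd": False, "security_service": True},
    "intranet-web": {"chd": False, "security_service": False},
    "hr-app":       {"chd": False, "security_service": False},
    "dev-jenkins":  {"chd": False, "security_service": False},
}

# Constructed firewall permits after segmentation, as (src, dst) pairs.
SEGMENTED_FLOWS = [
    ("pos-01", "pay-gw"),
    ("pay-gw", "chd-db"),
    ("pay-gw", "ad-dc01"),         # the CDE authenticates against AD
    ("ad-dc01", "intranet-web"),   # corporate side talks to the same DC
    ("hr-app", "intranet-web"),
    ("dev-jenkins", "hr-app"),
]

# A flat network: every host can reach every other host.
FLAT_FLOWS = list(permutations(INVENTORY, 2))

IN_SCOPE = ("cde", "connected", "security")


def _adjacency(inventory, flows):
    """Undirected reachability map; a permit in either direction is a path."""
    adj = {host: set() for host in inventory}
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def classify_scope(inventory, flows):
    """Map each host to cde / connected / security / review / out."""
    adj = _adjacency(inventory, flows)
    scope = {h: "cde" for h, attrs in inventory.items() if attrs["chd"]}
    cde = set(scope)
    for host in inventory:                      # one hop from the CDE
        if host not in scope and adj[host] & cde:
            scope[host] = "connected"
    for host, attrs in inventory.items():       # security-impacting, any path
        if host not in scope and attrs["security_service"]:
            scope[host] = "security"
    in_scope = set(scope)
    for host in inventory:                      # reachable via in-scope host
        if host not in scope and adj[host] & in_scope:
            scope[host] = "review"
    for host in inventory:
        scope.setdefault(host, "out")
    return scope


def scope_summary(scope):
    """Group hosts by category, sorted, for the scoping worksheet."""
    summary = {}
    for host, category in sorted(scope.items()):
        summary.setdefault(category, []).append(host)
    return summary


def find_undeclared(scope, declared):
    """Hosts the rule puts in scope that the declared scope omits: the
    'missing system shows up at AOC time' failure mode."""
    return sorted(h for h, c in scope.items()
                  if c in IN_SCOPE and h not in declared)


if __name__ == "__main__":
    declared = {"pos-01", "pay-gw", "chd-db"}   # what was written on the SAQ
    for label, flows in (("segmented", SEGMENTED_FLOWS), ("flat", FLAT_FLOWS)):
        scope = classify_scope(INVENTORY, flows)
        print(label, scope_summary(scope))
        print("  undeclared in-scope hosts:", find_undeclared(scope, declared))
```

With the segmented permits, the domain controller lands in scope because the CDE authenticates against it, the log server lands in scope as a security service with no modelled flow, and the intranet server is flagged for review because it shares that domain controller; HR and build servers stay out. On the flat network every host becomes connected-to, which is exactly the over-broad scope the process-map note warns about. The real exercise replaces the constructed permit list with exported firewall rules and the constructed inventory with your CMDB.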

How often do I need a penetration test?

Requirement 11.4 sets the cadence: internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change (11.4.2 and 11.4.3), with exploitable findings corrected and retested (11.4.4). If segmentation is used to reduce scope, the segmentation controls must themselves be penetration tested at least annually and after any change to them (11.4.5). Service providers have an additional obligation under 11.4.6: penetration testing of the segmentation controls at least once every six months and after any change to segmentation controls or methods (not general internal pen testing - specifically the controls that isolate the CDE from other networks).


Other compliance checklists

SOX compliance checklist

A practical Sarbanes-Oxley compliance checklist focused on Section 404: scoping significant accounts and ITGCs, documenting control design, testing operating effectiveness, evaluating deficiencies, and supporting management's assertion.

CCPA / CPRA compliance checklist

A practical CCPA / CPRA compliance checklist covering personal-information inventory, privacy notice, consumer rights request workflow, vendor agreements, and staff training - the operational backbone for California consumer privacy obligations.

NIST RMF compliance checklist

A practical NIST compliance checklist focused on the SP 800-37 Rev 2 Risk Management Framework: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.

FedRAMP compliance checklist

A practical FedRAMP compliance checklist for cloud service providers: impact-level determination, agency sponsorship, 3PAO assessment, authorization package, and the continuous monitoring obligations that keep the ATO alive.

ITAR compliance checklist

A practical ITAR compliance checklist for entities that manufacture, broker, or export defense articles or technical data: USML determination, DDTC registration, Technology Control Plan, license / exemption strategy, and ongoing audit.

DORA compliance checklist

A practical DORA (Digital Operational Resilience Act) compliance checklist for EU financial entities: ICT risk management framework, incident classification and reporting, resilience testing, third-party register, and annual reporting - the five pillars of Regulation 2022/2554.

All compliance checklists

The full compliance hub - every checklist (HIPAA, SOC 2, PCI DSS, CMMC, NIST, FedRAMP, ITAR, DORA, SOX, CCPA) plus the regulation deep-dives (CPS 230, OSFI E-21, EU AI Act Annex IV) in one place.


Turn the PCI DSS 4.0.1 checklist into a working process

Open the PCI DSS 4.0.1 process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.