🌐
Req. 1–2
Network Security Controls
PCI DSS v4.0 Requirements 1–2 cover network security controls (Requirement 1) and secure configuration of system components (Requirement 2): the cardholder data environment (CDE) must be separated from untrusted networks, and vendor-supplied defaults, including default passwords and unnecessary default accounts, must be changed or removed before a system is deployed on the network.
Q1 · Domain 1
Network firewall/segmentation controls separate the cardholder data environment (CDE) from all other networks?
Q2 · Domain 1
All vendor-supplied default passwords changed and unnecessary default accounts removed or disabled before systems are deployed on the network?
Q3 · Domain 1
Accurate network diagram and data-flow diagram maintained, showing all connections to and from the CDE and where account data is stored, processed and transmitted?
Q4 · Domain 1
Outbound traffic from CDE restricted to only business-justified communications?
Q5 · Domain 1
Presence of wireless access points (authorised and unauthorised) tested at least quarterly, with unauthorised access points removed or blocked?
🔐
Req. 3–4
Cardholder Data Protection
PCI DSS Requirements 3–4 require organisations to protect stored account data and to render Primary Account Numbers (PANs) unreadable wherever they are stored, whether by truncation, one-way hashing, index tokens or strong cryptography. Sensitive authentication data must not be retained after authorisation, and PANs transmitted over open, public networks must be protected with strong cryptography.
Q1 · Domain 2
Cardholder data discovery process identifies all locations where CHD is stored across the environment?
Q2 · Domain 2
Primary Account Numbers (PANs) rendered unreadable wherever stored, for example with strong cryptography (AES-128 or stronger) under documented key management, truncation, or tokenisation?
Q3 · Domain 2
PANs masked when displayed so that at most the BIN and last four digits are visible without a documented business need, and sensitive authentication data (full track data, card verification codes, PINs) not stored after authorisation, even if encrypted?
Q4 · Domain 2
Strong cryptography (TLS 1.2 or higher with secure cipher suites and validated certificates) used for all PAN transmission over open, public networks, with SSL and early TLS disabled?
Q5 · Domain 2
Cryptographic key management procedures cover key generation, distribution, storage, rotation at the end of the defined cryptoperiod, and retirement or replacement of keys that are compromised or weakened?
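The discovery and masking items above are the two controls in this domain that most often fail on inspection: PANs turn up in application logs, exports and support tickets, and "masked" screens show more than the BIN and last four. The following is an added example, not code from the original checklist, showing the core of a PAN discovery scan: candidate digit runs are extracted, false positives such as trace IDs are rejected with the Luhn check, and confirmed PANs are reported and redacted in the first-six/last-four form that PCI DSS 3.4.1 permits for display. The sample lines are constructed, and the card numbers in them are the well-known published test PANs for sandbox use, not real account numbers. Treating the BIN as six digits is an assumption of this example; eight-digit BINs exist and the `keep_first` parameter should be set to match the issuer ranges in your environment.

```python
import re

# Constructed sample input: lines of the kind found in application logs or
# database exports. The card numbers are published test PANs, not real ones.
SAMPLE_LINES = [
    "2024-05-01 order=1001 card=4111111111111111 amount=19.99",
    "2024-05-01 order=1002 card=5500 0000 0000 0004 amount=5.00",
    "2024-05-01 trace_id=1234567890123456 status=ok",  # 16 digits, fails Luhn
    "2024-05-01 order=1003 card=378282246310005 amount=42.10",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every PAN is Luhn-valid, so failing the check rules a candidate out
    cheaply; passing it does not prove the run is a PAN, only that it may be.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, leaving at most the BIN and last four visible.

    A 6-digit BIN is assumed here; adjust keep_first for 8-digit BIN ranges.
    """
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask with these parameters")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_pans(text: str):
    """Yield (raw_match, normalised_digits) for each Luhn-valid candidate."""
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m.group(0), digits


def scan(lines):
    """Return [(line_number, masked_pan)] for every PAN found in the lines.

    Only the masked form is kept, so the scan report itself does not become
    a new store of cardholder data.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for _raw, digits in find_pans(line):
            findings.append((lineno, mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Replace each confirmed PAN in a line with its masked form."""
    out = line
    for raw, digits in find_pans(line):
        out = out.replace(raw, mask_pan(digits))
    return out


if __name__ == "__main__":
    for lineno, masked in scan(SAMPLE_LINES):
        print(f"line {lineno}: PAN found, masked as {masked}")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Run over real data, the scan should cover every repository named in the data-flow diagram (databases, file shares, log aggregators, backups, ticketing systems), and the Luhn filter keeps the report usable: the constructed `trace_id` line shows a 16-digit value that a digits-only regex would flag but the check correctly discards.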
🔑
Req. 7–9
Access Control
PCI DSS Requirements 7–9 restrict logical access to system components and cardholder data to individuals whose job requires it (Requirement 7), require every user to be uniquely identified and strongly authenticated (Requirement 8), and restrict physical access to CDE components (Requirement 9).
Q1 · Domain 3
Access to CDE restricted on a strict need-to-know and least privilege basis?
Q2 · Domain 3
Unique user IDs assigned to all users, with shared or group accounts used only by documented exception, with management approval and individual accountability for each use?
Q3 · Domain 3
Multi-factor authentication required for all non-console access to the CDE?
Q4 · Domain 3
Physical access to CDE hardware (servers, POS terminals, network equipment) controlled and logged?
Q5 · Domain 3
All remote access to the CDE secured with MFA and sessions fully logged?
📊
Req. 10–11
Monitoring & Testing
PCI DSS Requirements 10–11 require logging of all access to system components and cardholder data, review of security-relevant logs at least daily, quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (ASV), and annual internal and external penetration testing by a qualified internal resource or qualified external third party.
Q1 · Domain 4
All access to system components and cardholder data logged with user identity, event type, date and time, success or failure, origin, and the affected resource?
Q2 · Domain 4
Audit logs of security events and critical system components reviewed at least daily, with automated log review mechanisms (such as a SIEM) performing the review and raising alerts?
Q3 · Domain 4
Internal vulnerability scans run at least quarterly and after significant changes, with high-risk and critical findings remediated and rescanned, and quarterly external scans performed by an ASV?
Q4 · Domain 4
Internal and external penetration testing performed at least annually and after significant changes, by a qualified internal resource or external third party with organisational independence from the systems tested?
Q5 · Domain 4
Change-detection mechanism such as file integrity monitoring (FIM) deployed on critical CDE files and system components, with comparisons run at least weekly and alerts raised on unauthorised changes?
📋
Req. 12
Security Policy & Compliance Management
PCI DSS Requirement 12 mandates a comprehensive information security policy, security awareness training on hire and at least annually, an incident response plan covering payment card breach scenarios, and monitoring of third-party service providers' PCI DSS compliance status at least annually.
Q1 · Domain 5
Information security policy reviewed at least annually and communicated to all personnel?
Q2 · Domain 5
Security awareness training covering payment card security delivered to all staff upon hire and annually?
Q3 · Domain 5
Incident response plan covers payment card data breach scenarios with defined roles, responsibilities and notification timelines (including payment brands and acquirers), and is tested at least annually?
Q4 · Domain 5
Annual PCI DSS validation completed (Self-Assessment Questionnaire, or Report on Compliance assessed by a Qualified Security Assessor, as the acquirer or payment brand requires) and reviewed with management?
Q5 · Domain 5
All third-party service providers that store, process or transmit CHD, or that could affect its security, have their PCI DSS compliance status confirmed at least annually?