Free Resource: PCI Compliance Checklist for Government Organizations

February 27, 2023

The standards for PCI compliance can be complicated, especially when trying to decipher the legal, technical and banking language surrounding this topic. 

CORE aims to make it easier for government organizations to meet PCI compliance and to remove the complexity surrounding program’s requirements. One way we can do that is to provide a PCI compliance checklist (in addition to using a PCI Compliant Software for Every Payment). 

Here’s your PCI DSS compliance checklist. This resource is specifically for PCI DSS v4.0.

For more information surrounding PCI (payment card industry) compliance including its 6 objectives and 12 requirements, find the information following the checklist.

Requirement 1: Install and maintain network security controls

  • Install a firewall to protect cardholder data and prevent unauthorized access.
  • Configure standardized criteria for firewalls, routers, network switches, and other hardware. 
  • Log and document all processes and use visuals to showcase data streams that flow between networks and systems.
  • Review documentation and configuration standards every six months and update as needed.

Requirement 2: Apply secure configurations to all system components

  • Harden the network by customizing secure configurations (passwords, etc.) to system components.
  • Change operating system password.
  • Review POS terminals and ensure passwords are updated.
  • Check service set identifier (SSID) passwords.
  • Change all software passwords that provide security to the process.
  • Modify application account passwords.
  • Update system account passwords.
  • Change all remaining default passwords on devices, software, tools, and more.

Requirement 3: Protect stored account data

  • Implement strong encryption for stored account data. 
  • Manage keys safely and securely.
  • Mask or truncate primary account numbers (in every area when they aren’t used for business purposes).
  • Reduce storage of unnecessary cardholder data.
  • Formalize all procedures associated with data retention and destruction.
  • Destroy unnecessary cardholder data.
  • Use automated processes to limit the need for manual data entry.

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

  • Take inventory of all areas where cardholder information is sent over public networks. 
  • Verify adequate encryption is in use.
  • Accept only trusted certificates and keys.
  • Document all processes (including encryption controls, configuration standards, and acceptance of trusted keys and certificates).

Requirement 5: Protect all systems and networks from malicious software

  • Document and maintain all policies associated with antivirus measures.
  • Ensure current antivirus software is kept up-to-date.
  • Perform periodic virus scans.
  • Generate audit logs of antivirus activity and identify any potentially vulnerable areas of your network.
  • Ensure current antivirus software cannot be disabled by users and is actively running at all times.

Requirement 6: Develop and maintain secure systems and software

  • Install security patches and updates regularly.
  • Establish a standardized and scheduled process to identify security vulnerabilities.
  • Employ trusted outside sources to verify the security of systems and software.
  • Document processes and procedures and regularly review them to identify potential vulnerabilities.

Requirement 7: Restrict access to system components and cardholder data 

  • Document a policy for access control.
  • Establish access privileges based on need, existing privileges, and job classification.
  • Review system privileges and documentation regularly to ensure all are up to date.

Requirement 8: Identify users and authenticate access to system components

  • Document policies for managing user IDs
    • Creating, modifying, and revoking access
    • Passwords
    • Authentication methods
    • Lockout duration
    • Guidance on credentials
  • Remove inactive accounts over 90 days old.
  • Update user passwords over 90 days old (and ensure they meet security standards).

Requirement 9: Restrict physical access to cardholder data

  • Implement security controls in your facility.
  • Leverage a visitor security program.
  • Periodically inspect POS devices for substitution or tampering.
  • Document policies for managing physical media, identifying new onsite individuals, revoking terminated personnel, and more.

Requirement 10: Log and monitor all access to system components and cardholder data

  • Log and track access to devices that host stored cardholder data.
  • Conduct periodic PCI compliance audits on individual access to cardholder information, invalid access attempts, and access to audit logs.
  • Regularly review policies and procedures associated with providing access to system components and cardholder data.

Requirement 11: Test the security of systems and networks regularly

  • Remain current on new vulnerabilities in an evolving cybersecurity landscape.
  • Conduct quarterly vulnerability scans. 
  • Perform annual penetration tests (simulate a real-world attack) to understand vulnerabilities and potential risks.

Requirement 12: Support information security with organizational policies and programs

  • Assign information security roles and responsibilities to appropriate individuals.
  • Train all teams on cardholder information security awareness.
  • Perform background screening of potential employees (in compliance with local law).
  • Test and review your incident response plan at least annually.

What Is PCI Compliance?

The PCI DSS (typically, simply called PCI) program originated to help merchants protect cardholder data and other sensitive information while storing, transmitting, or processing credit and debit cards. 

The standard is governed by the PCI Security Standards Council, which is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. The function of PCI for government agencies is to provide clear guidelines on capturing, processing, and storing citizens’ sensitive data.

All entities that store, process, or transmit credit card transactions are required to abide by PCI compliance guidelines.

What Are the 6 PCI Objectives?

The mission of PCI DSS is summarized in its six specific objectives, which each tie into the 12 PCI requirements. Here are the six goals of PCI DSS:

  1. Build and maintain a secure network and systems.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

What Are the 12 PCI Requirements?

The 12 PCI requirements are valuable when diving into these objectives further and understanding how they affect government organizations.

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.
  7. Restrict access to system components and cardholder data on a need-to-know basis.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test the security of systems and networks regularly.
  12. Support information security with organizational policies and programs.

What Are the Consequences of Being Out of PCI Compliance?

The numerous controls, requirements, and objectives of PCI DSS tell a story that government organizations already know—PCI compliance is a complicated process. 

Today’s citizens have evolved their expectations, so government departments and agencies are rushing to meet their needs. This leaves teams time-poor when it comes to meeting all compliance requirements. Those tasked with maintaining compliance learn that cybercriminals will exploit any weakness, so staying up-to-date with your PCI compliance checklist is essential. 

If your organization violates the guidelines, you’ll be at risk of paying a PCI non-compliance fee. These can range anywhere from thousands to hundreds of thousands of dollars per month. The fines can increase according to the length of time your organization is out of compliance. 

Maintain Your Government’s PCI Compliance With CORE

Citizens rely heavily on your security practices. Your municipality needs the right platform to help remain compliant and maintain trust.

CORE provides secure PCI-compliant hosted payment and engagement solutions. Our platform’s solution is cutting-edge and designed to protect you and your citizens’ critical financial information. We even integrate seamlessly with your existing tech stack to ensure no crucial data falls through the cracks. Contact us today to find out how we can help your government organization comply with the PCI Compliance checklist.

Ready to Deliver Best-in-Class Payments?

The Definitive Guide to Modernizing the Government Payment Experience shared best practices to better engage your citizens.