close
lumiform
Lumiform Mobile audits & inspections
Get App Get App
Lumiform / Templates / PCI Assessment Checklist

PCI Assessment Checklist

A PCI assessment checklist is a standardized list of questions used to evaluate a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS). The checklist covers various areas such as network security, access control, and data protection to ensure that a company's handling of payment card information meets the required standards.

Downloaded 10 times

Rated 5/5 stars on Capterra

Say goodbye to paper checklists!

Lumiform enables you to conduct digital inspections via app easier than ever before
  • Cut inspection time by 50%
  • Uncover more issues and solve them 4x faster
  • Select from over 5,000 expert-proofed templates

Digitalize this paper form now

Register for free on lumiformapp.com and conduct inspections via our mobile app

  • Cut inspection time by 50%
  • Uncover more issues and solve them 4x faster
  • Select from over 4000 expert-proofed templates
Rated 5/5 stars on Capterra
App Store Play Store

PCI Assessment Checklist

Storage of sensitive authentication data (SAD)

Is your system storing this data? If so, are you aware of it?
Did you check for inadequate access controls due to improperly installed point-of-sale (POS) systems, allowing malicious users in via paths intended for POS vendors?
Default system settings and passwords were changed when the system was installed?
Unnecessary and insecure services removed or secured when the system was installed?
Checked for poorly coded web applications that could result in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website?
Checked for missing and outdated security patches?
Checked for adequate logging protocols?
Checked for adequate monitoring? (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems)?

POS Vendor System's Security (Ask POS Vendor)

Have default settings and passwords been changed on the systems and databases that are part of the POS system?
Do you access my POS system remotely?
Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system?
Is my POS software validated to the Payment Application Data Security Standard (PA-DSS)?
Does my POS software store sensitive authentication data, such as track data or PIN blocks?
Does my POS software store primary account numbers (PANs)?
Will you document the list of files written by the application with a summary of each file's contents to verify that the above-mentioned, prohibited data is not stored?
Does my POS software enforce complex and unique passwords for all user access?
Can you confirm that you do not use common or default passwords for access to my system and other merchant systems you support?
Have all the systems and databases that are part of the POS system been patched with all applicable security updates?
Is the logging capability turned on for the systems and databases that are part of the POS system?
If prior versions of my POS software stored sensitive authentication data, has this feature been removed during current updates to the POS software? Was a secure wipe utility used to remove this data?

Cardholder Data

Payment brand rules allow for the storage of primary account number (PAN), expiration date, cardholder name, and service code.
Is the storage of this data absolutely necessary for the business and its purpose? State why the data should be stored or eliminated.
Is the risk of having the data compromised worth the effort to store it?
Are the additional PCI DSS controls that need to be applied to protect the data worth the continued storage of this data?
Are the ongoing maintenance efforts to remain PCI DSS compliant overtime worth the continued storage of this data?
The cardholder data that NEEDS to be stored are properly consolidated and isolated through proper network segmentation
Full name and signature of Compliance Officer in-charge

Confirmation

Full name and signature of Compliance Officer in-charge
Share this template:
This template is also available in:

es

es

left-arrow Previous template
Next template right-arrow

Ensuring Payment Card Security with a PCI Assessment Checklist


A PCI assessment checklist is a vital tool that helps companies ensure that their handling of the payment card information is compliant with the Payment Card Industry Data Security Standards (PCI DSS). The checklist covers various areas such as network security, access control, and data protection to evaluate a company's compliance with the PCI DSS.


By using a PCI assessment checklist, companies can identify potential areas of non-compliance and take appropriate measures to address them. The checklist also helps ensure that companies are protecting customer data and mitigating the risk of data breaches, which can be costly both financially and reputationally.


The PCI assessment checklist can be customized to suit the needs of individual companies and industries, ensuring that the evaluation is tailored to the specific requirements of the organization. The checklist can also help companies stay up-to-date with changes to the PCI DSS and maintain ongoing compliance with the standards.


Please note that this checklist template is a hypothetical appuses-hero example and provides only standard information. The template does not aim to replace, among other things, workplace, health and safety advice, medical advice, diagnosis or treatment, or any other applicable law. You should seek your professional advice to determine whether the use of such a checklist is appropriate in your workplace or jurisdiction.