PCI Compliance Assessment Checklist Template

Storage of sensitive authentication data (SAD)

Is your system storing SAD (full track data, card verification codes such as CVV2/CVC2/CID, or PINs/PIN blocks), which PCI DSS prohibits retaining after authorization? If so, are you aware of it and of where it is written?

Did you check for inadequate access controls caused by improperly installed point-of-sale (POS) systems, which let attackers in through the remote-access paths intended for POS vendors?

Were default system settings and passwords changed when the system was installed?

Were unnecessary and insecure services removed or secured when the system was installed?

Checked for poorly coded web applications that could expose SQL injection and similar vulnerabilities, allowing direct access from the website to the database that stores cardholder data?

Checked for missing and outdated security patches?

Checked for adequate logging protocols?

Checked for adequate monitoring (log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring)?

POS Vendor System's Security (Ask POS Vendor)

Have default settings and passwords been changed on the systems and databases that are part of the POS system?

Do you access my POS system remotely?

Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system?

Is my POS software validated to the Payment Application Data Security Standard (PA-DSS) or, for newer software versions, listed under the PCI Software Security Framework (SSF) that has replaced PA-DSS?

Does my POS software store sensitive authentication data, such as track data or PIN blocks?

Does my POS software store primary account numbers (PANs)?

Will you document the list of files written by the application, with a summary of each file's contents, so that it can be verified that the above-mentioned prohibited data is not stored?

Does my POS software enforce complex and unique passwords for all user access?

Can you confirm that you do not use common or default passwords for access to my system and other merchant systems you support?

Have all the systems and databases that are part of the POS system been patched with all applicable security updates?

Is the logging capability turned on for the systems and databases that are part of the POS system?

If prior versions of my POS software stored sensitive authentication data, has this feature been removed during current updates to the POS software? Was a secure wipe utility used to remove this data?
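The vendor's file list above still has to be checked against what the application actually writes to disk. The scanner below is an added example written for this checklist; it is not part of the Lumiform template or of any POS vendor's tooling. It searches file contents for the prohibited data named in this section: full Track 1 and Track 2 data, bare PANs that pass the Luhn check, and field names that suggest CVV2/CVC2/CID or PIN-block values are being logged (the codes themselves are three or four digits and cannot be reliably matched on their own). The sample log is constructed for the demonstration, and the card numbers in it are public test numbers, not real accounts. Data that the application stores encrypted or encoded (for example base64) will not be found by a plain pattern scan and needs to be checked through the vendor's documentation instead.

```python
"""Scan files for stored sensitive authentication data (SAD) and PANs.

Added example for the PCI checklist above, not vendor code. Sample data
below is constructed; the card numbers are public test numbers.
"""
import os
import re

# Track 1 (ISO/IEC 7813, format code B): %B<PAN>^<NAME>^<YYMM>...? (consume to end-of-track '?')
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\??")
# Track 2: ;<PAN>=<YYMM>...?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\??")
# Bare PAN: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(rb"(?<![\d])((?:\d[ -]?){12,18}\d)(?![\d])")
# Field names that hint at SAD being written (CVV2/CVC2/CID/PIN block)
SAD_FIELD_RE = re.compile(rb"(?i)\b(cvv2?|cvc2?|cid|pin[ _-]?block)\b\s*[:=]")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show first six and last four digits only, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(data: bytes, source: str = "<memory>") -> list[dict]:
    """Return findings for one file's content: track data, bare PANs, SAD field hints."""
    findings: list[dict] = []
    track_spans: list[tuple[int, int]] = []

    for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(data):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                track_spans.append(m.span())
                findings.append({"source": source, "kind": kind,
                                 "offset": m.start(), "pan": mask_pan(pan)})

    for m in PAN_RE.finditer(data):
        # PANs embedded in track data were already reported above
        if any(s <= m.start() < e for s, e in track_spans):
            continue
        pan = re.sub(r"[ -]", "", m.group(1).decode())
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            findings.append({"source": source, "kind": "pan",
                             "offset": m.start(), "pan": mask_pan(pan)})

    for m in SAD_FIELD_RE.finditer(data):
        findings.append({"source": source, "kind": "sad_field",
                         "offset": m.start(), "pan": None,
                         "field": m.group(1).decode().lower()})

    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_path(root: str, max_bytes: int = 50 * 1024 * 1024) -> list[dict]:
    """Walk a directory (e.g. the POS application's log/data folders) and scan each file."""
    results: list[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results.extend(scan_bytes(fh.read(max_bytes), path))
            except OSError:
                continue                # unreadable file: skip, keep scanning
    return results


# Constructed sample of what a debug log from a misconfigured POS might contain.
SAMPLE_LOG = (
    b"2024-03-01 10:15:02 swipe ok %B4111111111111111^DOE/JOHN^25121010000000000?\n"
    b"2024-03-01 10:15:02 track2=;5555555555554444=25121010000000000?\n"
    b"2024-03-01 10:15:03 auth req pan=4111 1111 1111 1111 cvv2=123 exp=2512\n"
    b"2024-03-01 10:15:04 order_id=1234567890123456 status=approved\n"  # not Luhn-valid
)

if __name__ == "__main__":
    for finding in scan_bytes(SAMPLE_LOG, "sample.log"):
        print(finding)
```

Run `scan_path()` against the application's install, log and temp directories with the POS stopped and again after a few test transactions; any `track1`, `track2` or `sad_field` finding is a prohibited-storage failure, while a bare `pan` finding means the PAN is being written in cleartext and must be rendered unreadable or removed.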

Cardholder Data

Payment brand rules allow storage of the primary account number (PAN), expiration date, cardholder name, and service code; wherever the PAN is stored it must be rendered unreadable (PCI DSS Requirement 3).

Is the storage of this data absolutely necessary for the business and its purpose? State why the data should be stored or eliminated.

Does the business benefit of storing the data outweigh the risk of its being compromised?

Are the additional PCI DSS controls that need to be applied to protect the data worth the continued storage of this data?

Are the ongoing maintenance efforts needed to remain PCI DSS compliant over time worth the continued storage of this data?

Is the cardholder data that NEEDS to be stored consolidated in as few systems as possible and isolated from the rest of the network through proper network segmentation?

Confirmation

Full name and signature of Compliance Officer in-charge