PCI-DSS v4.0 Compliance Assessment

Evaluate compliance with Payment Card Industry Data Security Standard v4.0 requirements for organizations that store, process, or transmit cardholder data

Categories: Healthcare, Cannabis | 18 minutes | 22 questions

1. Network Security

Are firewalls installed and configured to protect cardholder data?*

Requirement 1.1: Firewall configuration standards documented and implemented

Is the cardholder data environment (CDE) segmented from other networks?*

Requirement 1.2: Network segmentation reduces PCI scope

Do you prohibit direct public access between the internet and the CDE?*

Requirement 1.3: DMZ required between internet and CDE

Are vendor-supplied defaults changed for all system components?*

Requirement 2.1: Change default passwords and SNMP community strings; remove unnecessary default accounts

2. Account & Access Control

Is multi-factor authentication required for all access to the CDE?*

Requirement 8.3: MFA for all personnel with administrative access

Are unique user IDs assigned to each person with computer access?*

Requirement 8.2: No shared/group accounts permitted

Do you enforce strong password policies (minimum 12 characters)?*

Requirement 8.3.6: Password complexity and rotation requirements

Are inactive user accounts removed or disabled within 90 days?*

Requirement 8.2.6: Deactivate dormant accounts

3. Cardholder Data Protection

Do you store only the minimum cardholder data necessary for business?*

Requirement 3.2: Do not store sensitive authentication data after authorization

Is the Primary Account Number (PAN) masked when displayed?*

Requirement 3.3: Display at most the first 6 and last 4 digits

Is PAN rendered unreadable wherever stored (encryption, truncation, tokenization)?*

Requirement 3.4: Strong cryptography required for stored PAN

Is cardholder data transmission encrypted using strong cryptography?*

Requirement 4.2: TLS 1.2+ for transmission over public networks

4. Vulnerability Management

Do you deploy and maintain anti-malware solutions on all systems?*

Requirement 5.1: Anti-virus on systems commonly affected by malware

Are security patches installed within one month of release?*

Requirement 6.2: Critical patches applied within 30 days

Are applications developed in accordance with secure coding guidelines?*

Requirement 6.3: Secure development lifecycle and code review

Do you perform quarterly vulnerability scans by an Approved Scanning Vendor (ASV)?*

Requirement 11.2: External vulnerability scans every 90 days

5. Access Control & Monitoring

Is access to cardholder data restricted to those with business need-to-know?*

Requirement 7.1: Least privilege access principle

Do you track and log all access to cardholder data?*

Requirement 10.2: Audit trails for all individual user access

Are audit logs retained for at least 12 months (3 months immediately available)?*

Requirement 10.5: Log retention and availability

6. Policies & Procedures

Do you maintain an information security policy addressing all PCI-DSS requirements?*

Requirement 12.1: Security policy established, published, and maintained

Do all personnel receive security awareness training annually?*

Requirement 12.6: Training on cardholder data security

Do you conduct annual risk assessments?*

Requirement 12.3: Risk assessment at least annually
