Am I Compliant?
Determining whether your organization is compliant with PCI DSS can be very tricky. The following checklist gives you a quick way to see whether you might be in a "NOT compliant" state. It is not a substitute for the Security Council's PCI DSS standard, but it can give you a better indication of which areas will need to be addressed in achieving PCI compliance.
If you answer 'No' or 'Not Sure' to any of the following questions, then the odds are that you are not currently in compliance with PCI DSS. Click Here to grab a copy of this checklist from our Downloads Area, and e-mail it back to us at: compliance-info[at]accucode[dot]com.
| Question | Yes | No | Not Sure |
|---|---|---|---|
| Have you installed, and do you maintain, a firewall configuration to protect cardholder data? | | | |
| Have you removed vendor-supplied defaults for system passwords and other security parameters? | | | |
| Do you protect stored cardholder data? | | | |
| Do you store full magnetic stripe cardholder data? | | | |
| Do you store CAV2/CVC2/CID cardholder data? | | | |
| Do you store PIN/PIN Block cardholder data? | | | |
| Do you encrypt transmission of cardholder data across open, public networks? | | | |
| Do you use and regularly update anti-virus software on all systems? | | | |
| Do you develop and maintain secure systems and applications? | | | |
| Do you restrict access to cardholder data by business need-to-know? | | | |
| Do you assign a unique ID to each and every person with computer access? | | | |
| Do you restrict physical access to cardholder data, such as network jacks, wireless access points, gateways and handheld devices, and use video camera surveillance to monitor access to sensitive areas, storing that video for at least three months? | | | |
| Do you track and monitor all access to network resources and cardholder data? | | | |
| Do you regularly test security systems and processes? | | | |
| Do you maintain written policies that address all areas of information security, such as explicit management approval, authentication, acceptable use of technology, remote access policies, new-hire education policies and incident response plans? | | | |
| Do you successfully scan all external-facing IP addresses quarterly with a certified ASV? | | | |
| Do you scan your internal network quarterly (penetration testing)? | | | |
| Do you have a documented network diagram? | | | |
| If you have a wireless network, do you regularly test for rogue access points by using a wireless analyzer or deploying a wireless IDS/IPS, and is WPA/WPA2 enabled as the encryption protocol? | | | |
| Do you have a formal Change Management process for all change requests to the network? | | | |
| If you capture payments via a third party (hosted e-commerce, etc.), are they PCI DSS compliant, has their application been properly tested, and do they follow application development practices according to guidelines such as OWASP? | | | |
| Do you have a formal employee PCI education program, and does each employee review the program annually? | | | |
| Do you have an established process for linking all access to a system component to each individual user, and for logging items such as date and time, all actions taken by the user, success or failure of authentication, and the corresponding system component accessed? | | | |
| Do all of your in-scope systems (servers, routers, firewalls, etc.) produce an audit/log file, and are those audit logs reviewed daily? | | | |
| Do you have a formal key-management process and procedures for cryptographic keys used for encryption of cardholder data? | | | |
| If you gain remote access to the network, do you incorporate two-factor authentication? | | | |
| Do you render all passwords unreadable during transmission and storage on all system components using strong cryptography? | | | |
| Do you enforce a minimum password length of at least seven characters, force everyone to change passwords every 90 days, and limit repeated access attempts to no more than six, with a minimum lockout period of 30 minutes? | | | |
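Two of the questions above (linking every access to an individual user, and limiting repeated login attempts to six before a 30-minute lockout) can be checked against the audit logs the systems already produce. The script below is an added example, not part of the original checklist or any Accucode tooling: it reviews a constructed authentication log in an assumed `timestamp|user|component|action|result` format, reports events that are only attributable to a shared account rather than a named person, and flags accounts that authenticated successfully after more than the allowed number of failures inside the lockout window, which means the lockout was not enforced. The log format, component names, user ids and the `SHARED_ACCOUNTS` list are all assumptions for illustration.

```python
"""Review a constructed auth log against two checklist questions:
unique ID per person, and lockout after six failed attempts / 30 minutes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed "timestamp|user|component|action|result" format).
SAMPLE_LOG = """\
2024-03-01T09:00:00|jsmith|db-cardholder|login|success
2024-03-01T09:05:00|jsmith|db-cardholder|query|success
2024-03-01T09:10:00|admin|fw-edge|login|success
2024-03-01T10:00:00|mlee|app-payment|login|failure
2024-03-01T10:01:00|mlee|app-payment|login|failure
2024-03-01T10:02:00|mlee|app-payment|login|failure
2024-03-01T10:03:00|mlee|app-payment|login|failure
2024-03-01T10:04:00|mlee|app-payment|login|failure
2024-03-01T10:05:00|mlee|app-payment|login|failure
2024-03-01T10:06:00|mlee|app-payment|login|failure
2024-03-01T10:07:00|mlee|app-payment|login|success
"""

# Thresholds taken from the checklist's password question.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_WINDOW = timedelta(minutes=30)

# Assumed generic accounts that cannot be tied to one individual.
SHARED_ACCOUNTS = {"admin", "root", "operator"}


def parse_log(text):
    """Parse log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, component, action, result = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "component": component,
            "action": action,
            "result": result,
        })
    return records


def shared_account_events(records):
    """Events that cannot be linked to an individual user (checklist: unique ID per person)."""
    return [r for r in records if r["user"] in SHARED_ACCOUNTS]


def lockout_violations(records):
    """(user, component, failures) for successful logins that came after at least
    MAX_FAILED_ATTEMPTS failures within LOCKOUT_WINDOW, i.e. lockout was not enforced."""
    failures = defaultdict(list)
    violations = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["action"] != "login":
            continue
        key = (r["user"], r["component"])
        # Keep only failures still inside the lockout window relative to this event.
        failures[key] = [t for t in failures[key] if r["time"] - t <= LOCKOUT_WINDOW]
        if r["result"] == "failure":
            failures[key].append(r["time"])
        elif r["result"] == "success":
            if len(failures[key]) >= MAX_FAILED_ATTEMPTS:
                violations.append((r["user"], r["component"], len(failures[key])))
            failures[key] = []
    return violations


def review(text):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "shared_account_users": sorted({r["user"] for r in shared_account_events(records)}),
        "lockout_violations": lockout_violations(records),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Run against a real export, the two findings map directly to checklist answers: any shared-account user means the "unique ID" question is at best "Not Sure", and any lockout violation means the password-policy question is "No" for that component.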