PCI DSS Compliance Checklist
Annual PCI DSS v4.0 compliance review for e-commerce merchants accepting card payments. Walks through scoping, network controls, access controls, monitoring, and policy attestation — including SAQ (Self-Assessment Questionnaire) selection based on payment integration type.
Scope and SAQ Determination
- Map cardholder data flows across the storefront
  Diagram every place card data is captured, processed, transmitted, or stored — checkout page, subscription billing (Recharge, Bold), buy-now-pay-later handoffs, customer service phone orders, refund flows. Note which flows touch your servers vs. iframe to Stripe / Shopify Payments / PayPal.
- Identify the correct SAQ type
  Shopify Payments / Stripe Checkout / PayPal Standard with full redirect typically qualify for SAQ A. Direct API integrations or self-hosted forms push you to SAQ A-EP or SAQ D — dramatically more controls. Confirm with your acquiring bank before assuming scope.
- Engage a QSA for SAQ D or large merchants
  Level 1 merchants (>6M Visa/MC transactions/year) require a Report on Compliance (ROC) by a Qualified Security Assessor (QSA), not self-assessment. SAQ D scope also benefits from a QSA review even when self-attestation is permitted. Skip if SAQ A applies.
- Document the merchant level and acquirer requirements
  Pull the latest annual transaction count from Shopify Payments, Stripe, and any other processors. Confirm with the acquiring bank which Attestation of Compliance (AOC) and SAQ they require and the submission deadline.
Network and System Hardening
- Review firewall and WAF rules at the storefront edge
  For SAQ A-EP / D environments, document inbound and outbound rules, deny-by-default posture, and Cloudflare / AWS WAF managed rule coverage. SAQ A merchants on Shopify largely inherit this from Shopify's PCI Level 1 attestation — record the inheritance.
- Rotate vendor-default passwords on all admin accounts
  Cover Shopify admin, Klaviyo, Gorgias, Recharge, NetSuite, 3PL portals, and any database / server access. Replace any vendor-default credential and confirm MFA is enforced. Service accounts and API keys count too.
- Confirm cardholder data is not stored locally
  Search support ticket archives (Gorgias, Zendesk), shared drives, and email for PAN (the full primary account number). Customer service reps pasting full card numbers into tickets is the most common SAQ A finding. Redact and retrain if found; never store CVV under any circumstance.
- Verify TLS 1.2 or higher across all payment paths
  Run SSL Labs against the storefront, the checkout subdomain, and any custom payment endpoints. PCI DSS v4.0 requires strong cryptography on all transmissions; TLS 1.0 and 1.1 are explicitly disallowed.
- Apply security patches to storefront and connected apps
  Update theme code, custom Shopify apps, WooCommerce / WordPress core and plugins, and any self-hosted services. Critical patches must be applied within 30 days under v4.0; document the patch cycle and exceptions.
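The PAN search in the "cardholder data is not stored locally" step can be automated against a ticket export. The script below is an added example, not part of this template or any vendor tool: it finds 13-19 digit sequences, keeps only those that pass the Luhn check (so order and tracking numbers are not flagged), and masks hits down to the last four digits. The ticket texts and the test card number are constructed sample data.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so order and tracking numbers are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit card number in text, digits only."""
    return [_digits(m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(_digits(m.group()))]

def redact_pans(text: str) -> str:
    """Mask each Luhn-valid PAN, keeping only the last four digits."""
    def mask(m):
        d = _digits(m.group())
        return f"[PAN REDACTED ****{d[-4:]}]" if luhn_ok(d) else m.group()
    return PAN_CANDIDATE.sub(mask, text)

# Constructed ticket texts standing in for a Gorgias / Zendesk export.
SAMPLE_TICKETS = [
    "Customer says card 4111 1111 1111 1111 exp 04/27 was declined, please retry.",
    "Order ORD-20240115-0042 shipped, tracking 1234 5678 9012 3456.",  # fails Luhn
    "Refund issued to the card on file ending 4242.",
]

def scan_tickets(tickets: list[str]) -> list[tuple[int, str]]:
    """Return (ticket index, redacted text) for every ticket that contains a PAN."""
    return [(i, redact_pans(t)) for i, t in enumerate(tickets) if find_pans(t)]

if __name__ == "__main__":
    for i, redacted in scan_tickets(SAMPLE_TICKETS):
        print(f"ticket {i}: {redacted}")
```

CVV values cannot be found this way (three or four digits look like anything else), so the retraining point in the step still carries that control.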
Access Control and Authentication
- Audit Shopify and tool admin user list
  Pull active users from Shopify, Klaviyo, Gorgias, NetSuite, ShipStation, and any tool with payment or customer-data access. Remove ex-employees, ex-agency users, and dormant accounts. Document the business need for each remaining user.
- Enforce MFA on all admin and remote access
  PCI DSS v4.0 requires MFA on all access into the CDE and on all admin access — not just remote. Verify Shopify staff accounts, processor dashboards, and any VPN / bastion are MFA-enforced; SMS-only is no longer considered strong.
- Confirm unique IDs for every person with access
  No shared logins — agency, contractor, or VA. Each person needs an individual account so audit trails attribute actions correctly. Common gotcha: a shared 'support@' login on Gorgias used by three reps.
- Restrict physical access to POS and back-office gear
  Applies if you have retail POS, warehouse workstations, or office machines used for order entry. Lock server rooms, badge offices, log visitor access, and inventory POS terminals quarterly to detect skimmer tampering.
Monitoring and Testing
- Enable audit logging across CDE systems
  Log admin actions, login attempts, and data access on Shopify, processor, and any in-scope server. Retain at least 12 months (3 months immediately accessible). For SAQ A this is largely the platform's responsibility — capture the inheritance evidence.
- Run an ASV external vulnerability scan
  Required quarterly for SAQ A-EP and SAQ D. Use a PCI SSC-listed Approved Scanning Vendor (Trustwave, SecurityMetrics, ControlScan). All findings ranked High or Medium must be remediated and the scan re-run until passing.
- Commission an annual penetration test
  Required annually for SAQ D and after significant changes. Internal and external testing of the CDE perimeter and segmentation. Skip for pure SAQ A merchants — but document the scope decision.
- Review logs for anomalies and suspicious activity
  Daily review per v4.0 — automated SIEM (Datadog, Splunk) acceptable for the daily cadence. Look for off-hours admin logins, geo-impossible sessions, repeated failed auths, and bulk customer record exports. Document the reviewer and findings.
- Test the e-skimming script-integrity controls
  PCI DSS v4.0 requirements 6.4.3 and 11.6.1 (effective March 31, 2025) require an inventory of all checkout-page scripts and tamper-detection. Magecart-style skimmers via compromised third-party tags are the primary e-commerce CDE breach vector. Tools like Source Defense, Jscrambler, or HUMAN PerimeterX address this.
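The four signals listed in the "Review logs for anomalies" step can be expressed as rules over an admin audit export. The script below is an added example, not part of this template or of any SIEM product: it parses constructed key=value audit lines and reports off-hours admin logins, repeated failed authentications in a sliding window, a country change faster than travel allows, and oversized customer exports. The thresholds are assumptions to tune per merchant, not values PCI DSS prescribes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed admin audit lines in a key=value shape; timestamps are UTC.
SAMPLE_LOG = """\
2025-03-03T02:14:07Z user=alice action=login result=success country=US
2025-03-03T09:00:11Z user=bob action=login result=failure country=US
2025-03-03T09:00:35Z user=bob action=login result=failure country=US
2025-03-03T09:01:02Z user=bob action=login result=failure country=US
2025-03-03T09:01:40Z user=bob action=login result=failure country=US
2025-03-03T09:02:15Z user=bob action=login result=failure country=US
2025-03-03T10:20:00Z user=carol action=login result=success country=US
2025-03-03T10:35:00Z user=carol action=login result=success country=BR
2025-03-03T11:00:00Z user=dave action=export_customers result=success count=48000
"""

# Thresholds are assumptions to tune per merchant, not PCI DSS values.
OFF_HOURS = range(0, 6)                    # 00:00-05:59 UTC
FAILED_AUTH_THRESHOLD = 5                  # failures per user within the window
FAILED_AUTH_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)         # country change faster than this
BULK_EXPORT_THRESHOLD = 10_000             # customer records in one export

def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def review(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings for the daily review record."""
    findings, failures, last_login = [], defaultdict(list), {}
    for line in log_text.splitlines():
        e = parse_line(line)
        user, ts = e["user"], e["ts"]
        if e["action"] == "login" and e["result"] == "success":
            if ts.hour in OFF_HOURS:
                findings.append(("off_hours_login", user, ts.isoformat()))
            prev = last_login.get(user)          # (country, time) of last success
            if prev and prev[0] != e["country"] and ts - prev[1] < TRAVEL_WINDOW:
                findings.append(("impossible_travel", user, f"{prev[0]}->{e['country']}"))
            last_login[user] = (e["country"], ts)
        elif e["action"] == "login":              # failed login: sliding window
            failures[user] = [t for t in failures[user] if ts - t < FAILED_AUTH_WINDOW] + [ts]
            if len(failures[user]) == FAILED_AUTH_THRESHOLD:
                findings.append(("repeated_failed_auth", user, f"{FAILED_AUTH_THRESHOLD} in 10 min"))
        elif e["action"] == "export_customers" and int(e["count"]) > BULK_EXPORT_THRESHOLD:
            findings.append(("bulk_export", user, e["count"]))
    return findings
```

The returned findings list, together with the reviewer's name and date, is the artefact the step asks you to document.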
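For the script-integrity step, a minimal form of the inventory and tamper check that requirements 6.4.3 and 11.6.1 ask for can be built with the standard library. The code below is an added example, not part of this template or of the vendor tools it names: it records every script on the checkout page as either its src URL or the SHA-256 of its inline body, then reports anything that is not in the approved baseline. The two checkout pages and their hostnames are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Record every <script> on a page as ("src", url) or ("inline", sha256 of body)."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.items.append(("src", src))
            else:
                self._inline = ""          # start collecting an inline body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline += data
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = hashlib.sha256(self._inline.encode()).hexdigest()
            self.items.append(("inline", digest))
            self._inline = None

def inventory(html: str) -> list[tuple[str, str]]:
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.items
def unexpected_scripts(baseline: list[tuple[str, str]], html: str) -> list[tuple[str, str]]:
    """Scripts on the observed page that are not in the approved inventory."""
    approved = set(baseline)
    return [item for item in inventory(html) if item not in approved]

# Constructed checkout pages; hosts are placeholders, not real vendor URLs.
APPROVED_CHECKOUT = """<html><head>
<script src="https://checkout.example-shop.test/checkout.js"></script>
<script src="https://js.example-psp.test/v3/"></script>
<script>window.dataLayer=[];</script>
</head></html>"""
BASELINE = inventory(APPROVED_CHECKOUT)       # captured when the page was approved

# The same page observed later: the inline script changed and a new tag appeared.
OBSERVED_CHECKOUT = """<html><head>
<script src="https://checkout.example-shop.test/checkout.js"></script>
<script src="https://js.example-psp.test/v3/"></script>
<script>window.dataLayer=[];window.checkoutReady=true;</script>
<script src="https://tag.example-vendor.test/tag.js"></script>
</head></html>"""
```

A change in a remote script's content is not caught by a URL-only baseline, so a production check also needs the fetched body hashed or SRI attributes enforced on each tag.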
Policy, Training, and Attestation
- Update the information security policy
  Refresh annually or after significant change. Cover acceptable use, password rules, incident response, vendor management, and customer-data handling. Reference the actual tools in use — Shopify, Klaviyo, Gorgias — not generic placeholders.
- Conduct the annual risk assessment
  v4.0 introduces targeted risk analyses (TRA) per requirement to justify customized frequency. Cover threats to cardholder data — e-skimming, account takeover, third-party app compromise, insider misuse — and document mitigations.
- Deliver security awareness training to all staff
  Annual training plus onboarding for new hires and contractors. Cover phishing recognition, the no-PAN-in-tickets rule for CX agents, and how to escalate suspected card fraud. KnowBe4 or in-house deck both work; track completion.
- Refresh the third-party service provider inventory
  List every TPSP that touches cardholder data — processor, gateway, subscription billing, fraud tool, 3PL with payment-on-delivery. Collect their AOCs annually and document the responsibility matrix per v4.0 requirement 12.8.
- Sign and submit the SAQ and AOC to the acquirer
  Final attestation by an executive officer. Submit via the acquirer's portal (Chase, Stripe, Adyen each have their own intake). Keep a signed copy in the compliance folder for the next year's audit trail.