PCI DSS Compliance Checklist
Build and Maintain Secure Networks
Pull the current security group / firewall ruleset for every VPC, subnet, and load balancer that touches the CDE. Look for any 0.0.0.0/0 ingress on non-public ports, stale rules referencing decommissioned services, and any path that connects the corp network directly to the CDE without a documented business justification (PCI DSS req 1.2).
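One way to automate the ruleset review above, as an added example (not from the original checklist): it walks security groups in the shape that boto3's describe_security_groups() returns, flags world-open ingress on anything other than the allowed public ports, and flags rules that reference a security group that no longer exists. The sample groups, ids and the PUBLIC_PORTS allow-list are constructed assumptions for this example.

```python
"""Audit security-group rules for world-open non-public ports and stale references."""
# Constructed sample in the shape of boto3 describe_security_groups() output;
# group ids and CIDRs are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "cde-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "cde-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}, {"GroupId": "sg-0dead"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]

PUBLIC_PORTS = {80, 443}  # the only ports allowed to be reachable from anywhere

def world_open(rule):
    """True if the rule admits any IPv4 (0.0.0.0/0) or IPv6 (::/0) source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def rule_ports(rule):
    """Port range a rule covers; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)

def audit(groups):
    """Return findings as (group id, kind, detail) tuples, in rule order."""
    known = {g["GroupId"] for g in groups}
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            ports = rule_ports(rule)
            if world_open(rule) and not set(ports) <= PUBLIC_PORTS:
                detail = f"{rule['IpProtocol']} {ports.start}-{ports.stop - 1}"
                findings.append((g["GroupId"], "world-open", detail))
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in known:  # references a deleted group: stale rule
                    findings.append((g["GroupId"], "stale-ref", pair["GroupId"]))
    return findings
```

Each finding still needs a human to decide whether a documented business justification exists; the script only produces the list to review.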
Confirm every system component in the CDE has had vendor-default accounts disabled or renamed and default passwords rotated — databases, network appliances, container base images, and SaaS admin consoles. Common gotcha: a Helm chart bundles a default admin user that nobody flagged during deploy.
Run the CIS benchmark scan (or equivalent — Wiz, Prisma Cloud, AWS Security Hub) against EC2 AMIs, EKS node groups, and RDS parameter groups in the CDE. File any drift as remediation tickets with CVSS-style severity and a 30-day SLA.
Protect Cardholder Data
Run a PAN discovery scan (e.g., Spirion, Ground Labs, or a regex sweep across S3 + RDS + log archives) to catch unencrypted PAN that has leaked outside the documented CDE — application logs, support-ticket attachments, and analytics warehouses are the usual offenders.
Confirm every RDS instance, EBS volume, S3 bucket, and ElastiCache cluster in the CDE uses a customer-managed KMS key (not the AWS-managed default) and that key rotation is enabled. Document key custodians and the dual-control process for key changes per req 3.6.
Run an SSL Labs scan (or equivalent) against every public-facing hostname in the CDE. Reject any TLS 1.0/1.1, weak ciphers (RC4, 3DES), or certificates close to expiry. PCI DSS v4.0 requires TLS 1.2+; v4.0.1 deprecates older suites entirely.
Vulnerability Management
Schedule the quarterly external scan with a PCI Approved Scanning Vendor (ASV) such as Qualys, Tenable, or ControlScan. Quarterly external ASV scans are mandatory regardless of SAQ level. Coordinate the scan window with on-call so the WAF/IDS alerts don't get treated as a real attack.
Walk the SCA backlog with the team that owns each repo. Categorize findings by exploit-in-the-wild status (CISA KEV catalog), reachability (call-graph analysis), and SLA tier. Don't just auto-merge patch-version PRs and call it triage — major-version upgrades you keep deferring are how the next Log4Shell hits you unprepared.
Six or more unresolved critical findings means the standard 30-day patch SLA is at risk. Open a SEV-2 in PagerDuty, name an incident commander, and run the remediation as an incident — not as a normal sprint item — until the backlog is back under threshold.
PCI DSS req 6.3.3 requires critical (CVSS 9.0+) patches within one month of release. Track each ticket to merge + deploy, not just to PR-opened. Capture compensating controls in writing for any item that genuinely cannot ship in window.
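The SLA and escalation rules from the three items above, as an added example (not from the original checklist): a ticket counts as resolved only when merged and deployed, overdue items are those past the 30-day window measured from patch release, KEV entries sort to the front, and the SEV-2 flag trips at six unresolved criticals. The backlog entries, ids and dates are constructed for this example.

```python
"""Triage an SCA backlog against the 30-day critical patch SLA and the SEV-2 threshold."""
from datetime import date, timedelta

SLA_DAYS = 30          # req 6.3.3: critical patches deployed within one month of release
CRITICAL_CVSS = 9.0
SEV2_THRESHOLD = 6     # unresolved criticals at which remediation becomes an incident

# Constructed sample backlog; ids, scores and dates are made up for this example.
# "kev" marks entries listed in the CISA KEV catalog; "status" is the ticket state.
FINDINGS = [
    {"id": "lib-a", "cvss": 9.8, "patch_released": date(2024, 1, 2), "status": "deployed", "kev": True},
    {"id": "lib-b", "cvss": 9.1, "patch_released": date(2024, 1, 20), "status": "pr_open", "kev": False},
    {"id": "lib-c", "cvss": 9.6, "patch_released": date(2024, 1, 25), "status": "open", "kev": True},
    {"id": "lib-d", "cvss": 7.5, "patch_released": date(2024, 1, 5), "status": "open", "kev": False},
    {"id": "lib-e", "cvss": 9.0, "patch_released": date(2024, 2, 15), "status": "open", "kev": False},
    {"id": "lib-f", "cvss": 10.0, "patch_released": date(2024, 2, 20), "status": "open", "kev": False},
    {"id": "lib-g", "cvss": 9.3, "patch_released": date(2024, 1, 10), "status": "open", "kev": False},
    {"id": "lib-h", "cvss": 9.2, "patch_released": date(2024, 2, 25), "status": "pr_open", "kev": False},
]

def resolved(finding):
    """Only merge + deploy closes a ticket; an open PR is still unresolved."""
    return finding["status"] == "deployed"

def sla_deadline(finding):
    """Last day the patch may ship without breaching the SLA."""
    return finding["patch_released"] + timedelta(days=SLA_DAYS)

def triage(findings, today):
    """Summarise the backlog: unresolved critical count, overdue ids (KEV first,
    then by deadline), and whether the SEV-2 threshold has been crossed."""
    crit_open = [f for f in findings if f["cvss"] >= CRITICAL_CVSS and not resolved(f)]
    overdue = [f for f in crit_open if today > sla_deadline(f)]
    overdue.sort(key=lambda f: (not f["kev"], sla_deadline(f)))
    return {
        "unresolved_critical": len(crit_open),
        "overdue": [f["id"] for f in overdue],
        "open_sev2": len(crit_open) >= SEV2_THRESHOLD,
    }
```

Items that cannot ship in window still appear in "overdue"; the written compensating control lives in the ticket, not in this report.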
Access Control
Pull the IAM role list, GitHub org membership, kubectl RBAC bindings, and database user list for every CDE component. Cross-check against the current HRIS roster. Flag any account belonging to a departed engineer, any role with broader scope than the job description, and any service account with no documented owner.
For each anomaly, revoke through SSO / SCIM first, then sweep the systems that keep their own account store outside SSO: GitHub org, AWS console SAML, kubectl kubeconfigs, vendor SaaS admin consoles. SOC 2 and PCI auditors both check that the offboarding ticket closed before the next access review — not just that revocation eventually happened.
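The roster cross-check and revocation sweep from the two items above, as an added example (not from the original checklist): per-system account exports are reconciled against the HRIS roster and a service-account owner registry, and each flagged account gets a revocation order that starts at SSO / SCIM and then lists every system still holding it. All names, systems and dates are constructed for this example; the "broader than job description" check is left to the reviewer since it needs the role catalogue.

```python
"""Quarterly access review: reconcile CDE accounts against the HRIS roster."""
# Constructed sample data; emails, account names and systems are made up.
HRIS_ACTIVE = {"ana@example.com", "bo@example.com", "cy@example.com"}
HRIS_DEPARTED = {"dee@example.com": "2024-02-10"}        # email -> termination date
SERVICE_ACCOUNT_OWNERS = {"svc-billing-etl": "ana@example.com"}  # documented owners

# Per-system account lists as exported from each provider.
ACCOUNTS = {
    "aws-iam":  ["ana@example.com", "dee@example.com", "svc-billing-etl", "svc-legacy-sync"],
    "github":   ["ana@example.com", "bo@example.com", "dee@example.com"],
    "k8s-rbac": ["cy@example.com", "svc-billing-etl"],
    "postgres": ["ana@example.com", "svc-legacy-sync", "readonly_reporting"],
}

def is_service_account(name):
    """Assumption for this example: human accounts are emails, service accounts are not."""
    return "@" not in name

def review(accounts, active, departed, owners):
    """Return findings keyed by account: why it is flagged and which systems still hold it."""
    findings = {}
    for system, names in accounts.items():
        for name in names:
            if is_service_account(name):
                if name in owners:
                    continue
                reason = "no documented owner"
            elif name in departed:
                reason = f"departed {departed[name]}"
            elif name not in active:
                reason = "not in HRIS roster"
            else:
                continue
            entry = findings.setdefault(name, {"reason": reason, "systems": []})
            entry["systems"].append(system)
    return findings

def revocation_order(finding):
    """Revoke through SSO / SCIM first, then every system that keeps its own account store."""
    return ["sso-scim"] + finding["systems"]
```

The offboarding ticket for a departed user should close only when every system in revocation_order has been swept.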
PCI DSS v4.0 req 8.4.2 requires MFA on all access into the CDE — not just remote/admin. Confirm MFA on AWS console SSO, bastion hosts, database admin tools, and any break-glass account. SMS-based MFA is no longer sufficient; use TOTP, WebAuthn, or hardware tokens.
For any office or colo space inside the CDE physical scope, export the badge access log for the quarter and reconcile against active employees and authorized visitors. Investigate any after-hours access by accounts that shouldn't have it.
Monitor and Test Networks
Walk the service catalog (Backstage, internal wiki, Terraform modules) and confirm every CDE service ships logs to the central SIEM — Splunk, Datadog, or equivalent. PCI requires one year of log retention with at least three months immediately searchable. Watch for services that log to stdout but whose output never made it into the Fluent Bit config.
Engage a qualified pentest firm for both external network and application-layer testing per req 11.4. Scope must cover the full CDE plus any segmentation controls. Attach the executive summary and the remediation tracker once the report is delivered.
Pull the FIM event stream (OSSEC, Wazuh, Tripwire, or AWS GuardDuty equivalents) for the quarter. Walk through any alert that didn't get resolved with a documented change ticket. Unexplained changes to /etc, container base layers, or webroots are the highest-signal items.
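The FIM reconciliation above, as an added example (not from the original checklist): each event is matched to an approved change ticket by host and time window, and whatever remains unexplained is listed with high-signal paths (/etc, webroots, container layers) first. The events, ticket ids, hosts and the path prefixes are constructed for this example; the field names loosely follow a Wazuh/OSSEC-style export but are not that tool's schema.

```python
"""Reconcile quarterly FIM alerts against approved change tickets."""
from datetime import datetime

# Paths where an unexplained change matters most (assumption for this example).
HIGH_SIGNAL_PREFIXES = ("/etc/", "/var/www/", "/var/lib/containerd/")

# Constructed sample FIM events; hosts, paths and timestamps are made up.
FIM_EVENTS = [
    {"host": "web-1", "path": "/etc/nginx/nginx.conf", "ts": "2024-01-15T02:10:00"},
    {"host": "web-1", "path": "/var/www/html/index.php", "ts": "2024-02-03T23:41:00"},
    {"host": "db-1", "path": "/etc/postgresql/pg_hba.conf", "ts": "2024-02-20T14:05:00"},
    {"host": "web-2", "path": "/var/log/nginx/access.log", "ts": "2024-02-21T09:00:00"},
]

# Constructed approved change tickets: host plus the approved change window.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "host": "web-1", "start": "2024-01-15T02:00:00", "end": "2024-01-15T03:00:00"},
    {"id": "CHG-1002", "host": "db-1", "start": "2024-02-20T14:00:00", "end": "2024-02-20T15:00:00"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def matching_ticket(event, tickets):
    """A ticket explains an event if the host matches and the timestamp is in its window."""
    t = parse(event["ts"])
    for ticket in tickets:
        if ticket["host"] == event["host"] and parse(ticket["start"]) <= t <= parse(ticket["end"]):
            return ticket["id"]
    return None

def is_high_signal(path):
    return path.startswith(HIGH_SIGNAL_PREFIXES)

def unexplained(events, tickets):
    """Events with no covering ticket as (host, path, signal), high-signal first."""
    out = [e for e in events if matching_ticket(e, tickets) is None]
    out.sort(key=lambda e: not is_high_signal(e["path"]))  # stable: keeps time order within a tier
    return [(e["host"], e["path"], "high" if is_high_signal(e["path"]) else "low") for e in out]
```

Every "high" row needs either a late-filed change ticket or an incident record before the quarter's evidence pack is signed.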
Information Security Policy and Attestation
Review the policy against PCI DSS v4.0 changes since last cycle, push the updated version to Confluence / Notion / Vanta, and ping #engineering and #security with a summary of what changed. Required annually under req 12.1.1.
Push the annual training (KnowBe4, Vanta, or in-house) to everyone with CDE access including contractors. Track completion in the LMS. New hires need this within 30 days of start, not at the next annual cycle — auditors check.
Run a 60-minute tabletop with the on-call rotation, an IC, and security. Pick a realistic scenario — leaked AWS access key, suspicious DB query against the cardholder schema, ransomware on a developer laptop. Capture gaps as action items with owners and due dates.
The compliance lead and security director review the quarter's evidence pack and sign off. Capture the attestation outcome, any caveats or compensating controls in effect, and the digital signature for the audit trail.
