PCI DSS Compliance Checklist

Scope and SAQ Determination

    Diagram every place card data is captured, processed, transmitted, or stored — checkout page, subscription billing (Recharge, Bold), buy-now-pay-later handoffs, customer service phone orders, refund flows. Note which flows touch your servers versus those that redirect or iframe to Stripe / Shopify Payments / PayPal.

    Shopify Payments / Stripe Checkout / PayPal Standard with full redirect typically qualify for SAQ A. Direct API integrations or self-hosted forms push you to SAQ A-EP or SAQ D — dramatically more controls. Confirm with your acquiring bank before assuming scope.

    Level 1 merchants (>6M Visa/MC transactions/year) require a Report on Compliance (ROC) by a QSA, not self-assessment. SAQ D scope also benefits from a QSA review even when self-attestation is permitted. Skip if SAQ A applies.

    Pull the latest annual transaction count from Shopify Payments, Stripe, and any other processors. Confirm with the acquiring bank which AOC and SAQ they require and the submission deadline.

Network and System Hardening

    For SAQ A-EP / D environments, document inbound and outbound rules, deny-by-default posture, and Cloudflare / AWS WAF managed rule coverage. SAQ A merchants on Shopify largely inherit this from Shopify's PCI Level 1 attestation — record the inheritance.

    Review Shopify admin, Klaviyo, Gorgias, Recharge, NetSuite, 3PL portals, and any database / server access: replace any vendor-default credential and confirm MFA is enforced. Service accounts and API keys count too.

    Search support ticket archives (Gorgias, Zendesk), shared drives, and email for PAN. Customer service reps pasting full card numbers into tickets is the most common SAQ A finding. Redact and retrain if found; never store CVV under any circumstance.
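One way to run the PAN search described above over exported ticket text. This is an added example for this checklist, not code from Manifestly, Gorgias or Zendesk; the ticket text is constructed, and the card numbers in it are the brands' published test numbers, not real accounts. The regex and Luhn filter are the standard approach: a digit run of plausible length that fails the Luhn check (order numbers, tracking ids) is ignored, so reviewers are not buried in false positives.

```python
"""Scan free text (support tickets, shared-drive exports) for primary account numbers.

Added example for this checklist, not Manifestly's or any vendor's code. The
ticket text below is constructed; the card numbers are published test numbers.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification values must never be stored; flag any mention next to a 3-4 digit code.
_CVV = re.compile(r"\b(?:cvv2?|cvc2?|csc|security code)\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample ticket: contains an order number (not a PAN), a full PAN and a CVV.
SAMPLE_TICKET = (
    "Customer called re order 1234567890123. Wants refund to the card "
    "ending 1111; she read out 4111 1111 1111 1111 exp 12/27 CVV 123. "
    "Callback 555-0100."
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(raw: str) -> bool:
    digits = re.sub(r"[ -]", "", raw)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list[str]:
    """Return the substrings that look like PANs and pass the Luhn check."""
    return [m.group(0) for m in _CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def cvv_mentions(text: str) -> list[str]:
    """Return CVV/CVC mentions with an adjacent 3-4 digit code."""
    return _CVV.findall(text)


def redact(text: str) -> str:
    """Replace each detected PAN with a mask that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        if not _is_pan(raw):
            return raw          # order numbers etc. are left untouched
        digits = re.sub(r"[ -]", "", raw)
        return "[PAN REDACTED ****" + digits[-4:] + "]"
    return _CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("PANs:", find_pans(SAMPLE_TICKET))
    print("CVV mentions:", cvv_mentions(SAMPLE_TICKET))
    print(redact(SAMPLE_TICKET))
```

Run it over a bulk export of the ticket archive rather than individual tickets; anything `find_pans` returns is evidence of PAN in an out-of-scope system and must be redacted at source, and a `cvv_mentions` hit means sensitive authentication data was retained, which no SAQ permits.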

    Run SSL Labs against the storefront, the checkout subdomain, and any custom payment endpoints. PCI DSS v4.0 requires strong cryptography on all transmissions; TLS 1.0 and 1.1 are explicitly disallowed.

    Update theme code, custom Shopify apps, WooCommerce / WordPress core and plugins, and any self-hosted services. Critical patches must be applied within 30 days under v4.0; document the patch cycle and exceptions.

Access Control and Authentication

    Pull active users from Shopify, Klaviyo, Gorgias, NetSuite, ShipStation, and any tool with payment or customer-data access. Remove ex-employees, ex-agency users, and dormant accounts. Document the business need for each remaining user.

    PCI DSS v4.0 requires MFA on all access into the CDE and on all admin access — not just remote. Verify Shopify staff accounts, processor dashboards, and any VPN / bastion are MFA-enforced; SMS-only is no longer considered strong.

    No shared logins — agency, contractor, or VA. Each person needs an individual account so audit trails attribute actions correctly. Common gotcha: a shared 'support@' login on Gorgias used by three reps.
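The user review in the two items above (remove ex-employees and dormant accounts, and flag shared logins) can be reconciled in one pass against the HR roster. This is an added example for this checklist, not Manifestly's, Shopify's or Gorgias's code; the roster, the per-tool user exports, the 90-day dormancy threshold and the list of role-mailbox prefixes are all constructed assumptions. In practice each tool's user list comes from a CSV export of its admin console.

```python
"""Quarterly access review: reconcile tool user lists against the HR roster.

Added example for this checklist, not Manifestly's or any listed vendor's code.
Roster, tool exports and thresholds below are constructed assumptions.
"""
from datetime import date

REVIEW_DATE = date(2025, 6, 30)
DORMANT_DAYS = 90                                   # assumption: no login in 90 days = dormant
ROLE_ALIASES = ("support@", "admin@", "info@", "orders@")   # shared-mailbox login pattern

# Constructed HR roster: email -> employment status
ROSTER = {
    "ana@example.com": "active",
    "ben@example.com": "terminated",
    "cara@example.com": "active",
}

# Constructed per-tool exports: tool -> [(email, last_login, role)]
TOOL_USERS = {
    "shopify": [
        ("ana@example.com", date(2025, 6, 28), "staff"),
        ("ben@example.com", date(2025, 2, 1), "staff"),
        ("agency-dev@partner.example", date(2025, 1, 15), "collaborator"),
    ],
    "gorgias": [
        ("support@example.com", date(2025, 6, 29), "agent"),
        ("cara@example.com", date(2025, 6, 30), "agent"),
    ],
}


def review_access(roster, tool_users, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return (tool, email, reason) findings to action before attestation."""
    findings = []
    for tool, users in tool_users.items():
        for email, last_login, _role in users:
            reasons = []
            status = roster.get(email)
            shared = email.startswith(ROLE_ALIASES)
            if status == "terminated":
                reasons.append("terminated in HR roster")
            elif status is None and not shared:
                reasons.append("not on HR roster (contractor/agency?) - confirm business need")
            if shared:
                reasons.append("shared role-mailbox login - replace with individual accounts")
            idle = (review_date - last_login).days
            if idle > dormant_days:
                reasons.append(f"dormant: no login for {idle} days")
            findings.extend((tool, email, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for tool, email, reason in review_access(ROSTER, TOOL_USERS):
        print(f"{tool:8} {email:30} {reason}")
```

Every account that produces no finding still needs its business justification recorded, which is the part of the review a script cannot do; the output is the worklist, not the evidence.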

    Physical access controls apply if you have retail POS, warehouse workstations, or office machines used for order entry. Lock server rooms, badge offices, log visitor access, and inventory POS terminals quarterly to detect skimmer tampering.

Monitoring and Testing

    Log admin actions, login attempts, and data access on Shopify, processor, and any in-scope server. Retain at least 12 months (3 months immediately accessible). For SAQ A this is largely the platform's responsibility — capture the inheritance evidence.

    External vulnerability scans are required quarterly for SAQ A-EP and SAQ D. Use a PCI SSC-listed Approved Scanning Vendor (Trustwave, SecurityMetrics, ControlScan). All findings ranked High or Medium must be remediated and the scan re-run until passing.

    Penetration testing is required annually for SAQ D and after significant changes. Internal and external testing of the CDE perimeter and segmentation. Skip for pure SAQ A merchants — but document the scope decision.

    Daily log review per v4.0 — an automated SIEM (Datadog, Splunk) is acceptable for the daily cadence. Look for off-hours admin logins, geo-impossible sessions, repeated failed auths, and bulk customer record exports. Document the reviewer and findings.
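The four conditions named above, implemented as detection logic over a day's admin audit records. This is an added example for this checklist, not Manifestly's, Shopify's, Datadog's or Splunk's code; the audit records are constructed, the field layout is an assumption, and the business-hours window, failure threshold and export-size threshold are constructed values a merchant would tune for its own environment.

```python
"""Daily log review: flag off-hours admin logins, geo-impossible sessions,
failed-auth bursts and bulk customer exports.

Added example for this checklist, not Manifestly's or any SIEM vendor's code.
The audit records and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)            # assumption: 07:00-19:59 UTC is normal admin activity
FAILED_AUTH_THRESHOLD = 5                # failures from one IP within FAILED_AUTH_WINDOW
FAILED_AUTH_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)          # same user, two countries, inside this window
BULK_EXPORT_ROWS = 1000                  # assumption: exports above this need reviewer sign-off

# Constructed audit records: (timestamp UTC, user, event, source ip, country, rows exported)
LOG = [
    ("2025-06-30T03:12:00Z", "ana@example.com", "admin_login_ok", "203.0.113.7", "US", 0),
    ("2025-06-30T09:00:00Z", "cara@example.com", "admin_login_ok", "198.51.100.4", "US", 0),
    ("2025-06-30T09:40:00Z", "cara@example.com", "admin_login_ok", "192.0.2.9", "BR", 0),
    ("2025-06-30T10:01:00Z", "unknown", "login_failed", "192.0.2.55", "RU", 0),
    ("2025-06-30T10:02:00Z", "unknown", "login_failed", "192.0.2.55", "RU", 0),
    ("2025-06-30T10:03:00Z", "unknown", "login_failed", "192.0.2.55", "RU", 0),
    ("2025-06-30T10:04:00Z", "unknown", "login_failed", "192.0.2.55", "RU", 0),
    ("2025-06-30T10:05:00Z", "unknown", "login_failed", "192.0.2.55", "RU", 0),
    ("2025-06-30T11:30:00Z", "ana@example.com", "customer_export", "203.0.113.7", "US", 25000),
    ("2025-06-30T12:00:00Z", "cara@example.com", "customer_export", "198.51.100.4", "US", 40),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def review(log):
    """Return {category: [findings]} for the reviewer to document."""
    findings = defaultdict(list)
    logins = defaultdict(list)      # user -> [(time, country, ip)] in time order
    failures = defaultdict(list)    # ip -> [time] in time order
    for ts, user, event, ip, country, rows in sorted(log):   # ISO timestamps sort lexically
        t = _ts(ts)
        if event == "admin_login_ok":
            logins[user].append((t, country, ip))
            if t.hour not in BUSINESS_HOURS:
                findings["off_hours_admin_login"].append((user, ts, ip))
        elif event == "login_failed":
            failures[ip].append(t)
        elif event == "customer_export" and rows >= BULK_EXPORT_ROWS:
            findings["bulk_export"].append((user, ts, rows))

    # Geo-impossible: consecutive successful logins from different countries too close together.
    for user, seq in logins.items():
        for (t1, c1, _), (t2, c2, ip2) in zip(seq, seq[1:]):
            if c1 != c2 and t2 - t1 <= GEO_WINDOW:
                findings["geo_impossible"].append((user, c1, c2, ip2))

    # Failed-auth burst: sliding window over each source IP's failures, reported once per IP.
    for ip, times in failures.items():
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= FAILED_AUTH_WINDOW]
            if len(in_window) >= FAILED_AUTH_THRESHOLD:
                findings["failed_auth_burst"].append((ip, len(in_window)))
                break
    return dict(findings)


if __name__ == "__main__":
    for category, items in review(LOG).items():
        print(category, items)
```

The geo check deliberately uses country rather than distance and speed; that is coarse, but it needs no geolocation database and catches the case the checklist describes. Whatever the script flags, the v4.0 evidence is the documented daily review: who looked, what was found, what was done.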

    PCI DSS v4.0 requirements 6.4.3 and 11.6.1 (effective March 31, 2025) require an inventory of all checkout-page scripts and tamper-detection. Magecart-style skimmers via compromised third-party tags are the primary e-commerce CDE breach vector. Tools like Source Defense, Jscrambler, or HUMAN PerimeterX address this.
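A baseline form of the script inventory and change detection that 6.4.3 and 11.6.1 ask for, as an added example for this checklist rather than code from Manifestly, Source Defense, Jscrambler or HUMAN. The checkout HTML, the authorized inventory, the script bodies and the `.test` domains are constructed; a real run fetches the live checkout page and each script over HTTPS instead of reading them from a dictionary. The `integrity` attribute it checks is standard Subresource Integrity as browsers implement it.

```python
"""Checkout script inventory and tamper check (PCI DSS v4.0 6.4.3 / 11.6.1).

Added example for this checklist, not Manifestly's or any vendor's code. The
checkout HTML, inventory and script bodies are constructed; fetch() is simulated.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes) -> str:
    """Subresource Integrity attribute value (sha256-<base64 digest>) for a script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed "live" script bodies, standing in for an HTTPS fetch of each src.
SCRIPT_BODIES = {
    "https://cdn.example-pay.test/checkout.js": b"window.Pay = {tokenize: function () {}};",
    "https://analytics.example.test/tag.js": b"console.log('analytics v2');",
    "https://cdn.unknown-widget.test/w.js": b"/* never approved */",
}

# Constructed authorized inventory: src -> (business justification, approved sha256 hex).
# The analytics hash was approved for an older body, so the live file will show as changed.
INVENTORY = {
    "https://cdn.example-pay.test/checkout.js":
        ("payment tokenization", sha256_hex(SCRIPT_BODIES["https://cdn.example-pay.test/checkout.js"])),
    "https://analytics.example.test/tag.js":
        ("analytics, approved 2025-01", sha256_hex(b"console.log('analytics v1');")),
}
INLINE_ALLOW = {sha256_hex(b"window.dataLayer = [];")}   # approved inline snippets by hash

# Constructed checkout page: one good script, one changed script without SRI, one unknown script.
CHECKOUT_HTML = f"""<html><head>
<script src="https://cdn.example-pay.test/checkout.js"
        integrity="{sri_value(SCRIPT_BODIES['https://cdn.example-pay.test/checkout.js'])}"></script>
<script src="https://analytics.example.test/tag.js"></script>
<script src="https://cdn.unknown-widget.test/w.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None and self._cur["src"] is None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def check_checkout(html, inventory, fetch, inline_allow):
    """Return (src-or-'inline', actual hash, reason) findings for the checkout page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            h = sha256_hex(s["body"].strip().encode())
            if h not in inline_allow:
                findings.append(("inline", h, "inline script not in approved set"))
            continue
        src = s["src"]
        if src not in inventory:
            findings.append((src, None, "script not in authorized inventory"))
            continue
        body = fetch(src)
        actual = sha256_hex(body)
        if actual != inventory[src][1]:
            findings.append((src, actual, "content changed since inventory approval"))
        if s["integrity"] is None:
            findings.append((src, actual, "no integrity attribute; SRI not enforced"))
        elif s["integrity"] != sri_value(body):
            findings.append((src, actual, "integrity attribute does not match live content"))
    return findings


if __name__ == "__main__":
    for src, h, reason in check_checkout(CHECKOUT_HTML, INVENTORY, SCRIPT_BODIES.__getitem__, INLINE_ALLOW):
        print(f"{reason}: {src} {h or ''}")
```

Hash-pinning works for scripts you control or that change rarely; tag managers and analytics vendors ship new bodies without notice, which is why the commercial tools named above monitor behaviour at runtime rather than only content. Either way, 6.4.3 wants the written justification per script, and 11.6.1 wants the change alert, so keep the inventory and the check output as evidence.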

Policy, Training, and Attestation

    Refresh the security policy set annually or after significant change. Cover acceptable use, password rules, incident response, vendor management, and customer-data handling. Reference the actual tools in use — Shopify, Klaviyo, Gorgias — not generic placeholders.

    v4.0 introduces targeted risk analyses (TRA) per requirement to justify customized frequency. Cover threats to cardholder data — e-skimming, account takeover, third-party app compromise, insider misuse — and document mitigations.

    Security awareness training: annual, plus onboarding for new hires and contractors. Cover phishing recognition, the no-PAN-in-tickets rule for CX agents, and how to escalate suspected card fraud. KnowBe4 or an in-house deck both work; track completion.

    List every TPSP that touches cardholder data — processor, gateway, subscription billing, fraud tool, 3PL with payment-on-delivery. Collect their AOCs annually and document the responsibility matrix per v4.0 requirement 12.8.

    Final attestation by an executive officer. Submit via the acquirer's portal (Chase, Stripe, Adyen each have their own intake). Keep a signed copy in the compliance folder for the next year's audit trail.
