PCI DSS Compliance Checklist: A Step-by-Step Guide for Merchants

PCI DSS (Payment Card Industry Data Security Standard) compliance is a requirement for every business that accepts, transmits, or stores payment card data. Version 4.0, the current standard, introduced significant updates to authentication requirements, customized implementation options, and targeted risk analyses. This checklist walks through what merchants need to know and do.

ConvesioPay dramatically reduces your PCI DSS scope — when card data never touches your server, your compliance requirements drop to SAQ A. Get started →


1. Understand Your PCI DSS Scope

PCI DSS scope is determined by how your business handles card data. The less card data you touch, the lower your compliance burden.

Scenario | SAQ type | Requirements
--- | --- | ---
Card data handled entirely by a third-party processor via hosted checkout or redirect; you never see card data | SAQ A | Fewest requirements — primarily about third-party oversight and access controls
Hosted payment page where your website loads scripts from a third party but card data goes directly to them | SAQ A-EP | Additional web security requirements to prevent script-based attacks on the payment page
Payment application on a point-of-sale device; card data flows through your network | SAQ C | Network security, access controls, monitoring
You store, process, or transmit card data yourself | SAQ D | All 12 PCI DSS requirements; highest compliance burden

For WooCommerce merchants using ConvesioPay’s hosted checkout widget, card data goes directly to Adyen’s systems and never touches your server or WordPress instance. This qualifies you for SAQ A, the lowest-complexity compliance level.

For detailed SAQ guidance, see PCI SAQ Types Explained: Which Self-Assessment Questionnaire Do You Need?


2. The 12 PCI DSS Requirements

PCI DSS v4.0 organizes requirements across 12 domains:

  1. Install and Maintain Network Security Controls — firewalls between cardholder data environment (CDE) and untrusted networks
  2. Apply Secure Configurations to All System Components — no default passwords; disable unnecessary services
  3. Protect Stored Account Data — don’t store CVV post-authorization; encrypt any stored PANs
  4. Protect Cardholder Data with Strong Cryptography During Transmission — TLS 1.2+ for all card data transmission
  5. Protect All Systems Against Malware — anti-malware on applicable systems; regular updates
  6. Develop and Maintain Secure Systems and Software — vulnerability management; patch management
  7. Restrict Access to System Components by Business Need — least-privilege access controls
  8. Identify Users and Authenticate Access — multi-factor authentication for all non-console access to CDE; strong password policies
  9. Restrict Physical Access to Cardholder Data — physical access controls for systems in CDE
  10. Log and Monitor All Access to Network Resources and Cardholder Data — audit logs; log monitoring
  11. Test Security of Systems and Networks Regularly — quarterly vulnerability scans; annual penetration testing (SAQ D)
  12. Support Information Security with Organizational Policies and Programs — security policies; security awareness training

3. PCI DSS v4.0 Key Changes

PCI DSS v4.0 replaced v3.2.1 in March 2022, with a transition deadline of March 2024. Key new requirements:

  • Multi-factor authentication (MFA) — now required for all access into the CDE, not just remote access
  • Targeted Risk Analysis (TRA) — for requirements with flexible implementation, entities must document a risk analysis to justify the approach
  • Customized Implementation — organizations can use alternative controls to meet an objective, rather than prescriptive requirements, if they can demonstrate equivalent security
  • E-commerce security — new Requirement 6.4 specifically addresses web-skimming attacks (Magecart-style); requires monitoring of scripts running on payment pages
  • Password length — minimum 12 characters (up from 7 in v3.2.1)

4. SAQ A Compliance Checklist (Hosted Checkout Merchants)

For WooCommerce merchants using ConvesioPay (SAQ A scope), the primary requirements you’re responsible for:

  • Third-party oversight — confirm your payment processor is PCI DSS compliant; obtain their Attestation of Compliance (AOC)
  • Payment page security — ensure the payment iframe/widget loads from your processor’s domain
  • Access controls — only authorized personnel have access to your payment processor account and WordPress admin
  • Passwords — strong, unique passwords on all accounts; MFA where available
  • No card data storage — confirm no card data is stored in your WordPress database or logs
  • HTTPS everywhere — TLS 1.2+ on your entire site, not just checkout pages
  • Security awareness — personnel with access to the payment environment are trained on their security responsibilities
  • Annual self-assessment — complete and retain the SAQ A form annually

5. Common PCI DSS Pitfalls

  • Storing CVV codes — never store CVV after authorization, even temporarily in logs. This is a serious violation with significant penalties
  • Scope creep — using a plugin that captures and sends card data through your server can expand your scope from SAQ A to SAQ D overnight
  • Third-party scripts — scripts on your payment page from untrusted sources can be used for web skimming (Magecart attacks). Audit all scripts on checkout pages
  • Outdated WordPress or plugins — known vulnerabilities in WordPress core or plugins can create a path to card data compromise even if you don’t store it
  • Shared hosting — on shared hosting, other tenants’ compromises can affect your environment. Convesio’s isolated container infrastructure eliminates this risk
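To back the "No card data storage" item in the SAQ A checklist and the "Storing CVV codes" pitfall, here is an added example (not part of this article or of ConvesioPay) that scans a WordPress or WooCommerce debug log for Luhn-valid card numbers and CVV-like fields and reports only masked values. The log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV-like field (JSON, query string or key=value) holding a 3- or 4-digit value.
CVV_RE = re.compile(
    r"""(?i)\b(cvv2?|cvc2?|cvn|card_code|security_code)\b["']?\s*[:=]\s*["']?(\d{3,4})\b"""
)

def luhn_valid(digits: str) -> bool:
    """Luhn check; filters most order IDs, timestamps and references, not all of them."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Report first 6 / last 4 only, so the scan output is not itself a new PAN store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(lineno: int, line: str) -> List[Dict]:
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append({"line": lineno, "type": "PAN", "value": mask_pan(digits)})
    for m in CVV_RE.finditer(line):   # the CVV value itself is deliberately not echoed
        findings.append({"line": lineno, "type": "CVV", "field": m.group(1).lower()})
    return findings

def scan_log(text: str) -> List[Dict]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings

# Constructed WooCommerce-style debug log (not real data): line 1 has a 16-digit session
# token that fails Luhn, line 2 a gateway request that should never have been logged,
# line 3 a 16-digit processor reference that also fails Luhn.
SAMPLE_LOG = """\
2026-06-19 10:22:31 INFO  checkout started order=10042 session=1234567890123456
2026-06-19 10:22:34 DEBUG gateway request {"card_number":"4111 1111 1111 1111","expiry":"12/27","cvc":"123"}
2026-06-19 10:22:35 INFO  gateway response {"reference":"8837501234567890","resultCode":"Authorised"}
2026-06-19 10:22:35 INFO  order 10042 paid, card ending 1111
"""
```

Run it against a copy of `wp-content/debug.log` or a database export; any PAN or CVV hit means the data was in scope all along and the logging path needs fixing, not just the file deleting.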
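For the "Payment page security" item and the "Third-party scripts" pitfall (the script monitoring that v4.0 Requirement 6.4 calls for), here is an added example, not from this article or from ConvesioPay, that inventories every script on a checkout page, flags origins outside an approved list, and notes third-party scripts that carry no integrity attribute. The hostnames in the sample HTML are placeholders.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict] = []   # one entry per <script>: src, integrity, inline body
        self._inline = False

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
        self._inline = a.get("src") is None

    def handle_data(self, data: str) -> None:
        if self._inline:                 # HTMLParser delivers <script> content via handle_data
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._inline = False

def audit_payment_page(html: str, page_host: str, approved_hosts: Set[str]) -> List[Dict]:
    """Flag payment-page scripts outside the approved inventory or without integrity protection."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        host = urlparse(s["src"] or "").hostname or page_host   # relative URL => first-party
        if s["src"] is None:
            findings.append({"severity": "review", "issue": "inline script", "detail": s["body"].strip()[:60]})
        elif host != page_host and host not in approved_hosts:
            findings.append({"severity": "high", "issue": "unapproved origin", "detail": s["src"]})
        elif host != page_host and not s["integrity"]:
            findings.append({"severity": "medium", "issue": "no integrity attribute", "detail": s["src"]})
    return findings

# Constructed checkout page fragment with placeholder hosts (not real URLs).
CHECKOUT_HTML = """
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://pay.example-processor.test/sdk/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://pay.example-processor.test/sdk/widget.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""
APPROVED_HOSTS = {"pay.example-processor.test"}
```

Processor SDKs that change often cannot always carry Subresource Integrity, so a script-monitoring control is the usual alternative; either way, every script on the page needs a documented reason to be there.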

6. Ongoing Compliance Maintenance

PCI DSS compliance isn’t a one-time event. Ongoing requirements include:

  • Annual SAQ completion and submission to your acquirer
  • Quarterly internal and external vulnerability scans (for SAQ D; not typically required for SAQ A)
  • Immediate response to security incidents that may affect card data
  • Updating your SAQ if your payment environment changes
  • Monitoring third-party processor compliance status annually

For small merchant-specific guidance, see PCI Compliance for Small Business: What You Actually Need to Do.

ConvesioPay + Convesio hosting = SAQ A scope for WooCommerce merchants. Card data never touches your server; Adyen’s PCI Level 1 certification covers the payment processing environment. Get started →

Updated on June 19, 2026