PCI Onboarding Checklist

  • Updated

PCI Onboarding Checklist

Scroll to the bottom of this page for a PDF of this checklist!

Activate Vanta:

1. Complete Company Information

2. Add Admins

3. Add Connections

  • Connections are how Vanta pulls data and scans your systems for any gaps applicable to PCI controls. If you do not have admin privileges for key systems that need integration, add those Admins to the Users page. 

4. Set Up Call with Your CSM

  • Select a call time to connect with your Customer Success Manager to get an overview of Vanta.


Set Controls:

1. Create Policies

Policies make up the framework your company will follow to ensure you are PCI-compliant.

  • Use our PCI-compliant policy templates to create your policies.

2. Create Your PCI Network and Dataflow Diagrams

  • Create a diagram for your cardholder data (CHD) flow and network diagrams.

3. Update Inventory for PCI-Impacting Systems

  • Add systems that store, process, transmit, or connect to CHD systems.

4. Track Vendors

  • Go to the Vendors tab to upload annual validation of each vendor's Attestations of Compliance (AOC) for any vendors you share CHD.
  • Complete the vendor security controls field in the upload flow with your notes and comments about each vendor’s security and PCI scope. 


Set Up Employee Onboarding

1. Manage Computers

  • Ensure all computers that handle or store CHD have a password-protected screensaver lock or timeout enabled.
  • The timeout or screen lock length should correspond to your written company policy. We recommend automatic screen timeout within 60 minutes. 
  • Ensure passwords for all computers that can access CHD follow the company password policy.
  • If you use a Mobile Device Management (MDM) provider for endpoint management or have the Vanta Workstation Agent installed on your employee’ machines, Vanta can automatically help test and prove these settings.

2. Manage People

  • Identify any employees or contractors in your organization who will come into contact with CHD or need access to this data for their role.
  • Hold a PCI training session with these employees and contractors to review security practices they need to follow for handling CHD. This can be similar to your standard security training for all employees but should reference CHD and the requirements around CHD  specifically during the training. 
  • Repeat training on an annual basis and record the list of attendees from each session. 
  • Upload records for each person.


Get Compliant

1. Contract with an Approved Scan Vendor (ASV)

  • ASVs are required to perform quarterly external scans. Access the list of ASVs here.

2. Perform Annual Network and Application Layer Penetration Testing

  • Utilize a qualified internal resource or an external company for PCI in-scope systems. 
  • Note: Network segmentation testing must be performed every six months for Service Providers.
  • Complete Vanta’s Risk Assessment or upload your own risk assessment.
  • Upload the completed risk assessment on the Documents tab of the Tasks page, under the “Risk Assessment Completed” request. Reach out to your CSM for our free template.

3. Review Access Management 

  • Confirm all-access, application, and network logs for PCI in-scope systems (who is accessing your resources and when) have a retention period of 1 year offline and 3-months online. 

4. Complete Self-Assessment Questionnaire and AOC

Note: For self-assessment engagements.


4. Engage an External Qualified Security Assessor (QSA) Company

  • Utilize the services of a QSA to complete a Report on Compliance (ROC) and AOC.

Was this article helpful?

Have more questions? Submit a request