
PCI DSS Compliance Checklist: Everything You Need to Do in 2025

January 10, 2025 · 6 min read · PCI Proxy EU

PCI DSS compliance is not an annual box-ticking exercise: it is a continuous process that touches networks, systems, people and procedures. For a merchant or SME that does not want to build a dedicated team, a clear checklist is the starting point. This guide lists the 8 concrete points of PCI DSS compliance and explains where tokenization cuts the workload dramatically.

PCI DSS Compliance Checklist 2025

Perimeter and card data: the first step of PCI DSS compliance

Before following any checklist, you need to understand exactly where card data flows and where it is stored in your environment. The PAN (Primary Account Number), expiry date and CVV are the sensitive data that PCI DSS protects. If even one of these data points passes through one of your servers, that server enters the CDE (Cardholder Data Environment) and becomes subject to all requirements.

Many companies discover late that their CDE is much larger than expected: a log server recording HTTP requests, an unsegmented backup database, a CRM system saving card numbers for customer service. Mapping the data flow before completing any document is the prerequisite for everything else.
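The log-server case above is the one most often found during scoping, and it can be checked mechanically. The following is an added example (not code from the original article or from PCI Proxy EU): a small scanner that looks for 13 to 19 digit runs in log lines, keeps only those that pass the Luhn check so that order ids and timestamps are not reported, and masks every hit to first 6 / last 4 before writing the report, so the report itself does not become card data. The sample log lines are constructed; the card numbers in them are the well-known test numbers 4111... and 5555..., not real cards.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; filters out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first 6 and last 4 digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run in text, with separators removed."""
    pans = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


@dataclass
class Finding:
    line_no: int
    masked_pan: str


def scan_log(lines: list[str]) -> list[Finding]:
    """Scan log lines and report hits with the PAN already masked, so the report stays out of scope."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append(Finding(n, mask_pan(pan)))
    return findings


# Constructed sample log (not real traffic). The order id on line 1 is a 16-digit
# run that fails Luhn; lines 2 and 3 contain test card numbers.
SAMPLE_LOG = [
    '2025-01-10 12:00:01 GET /checkout?order_id=1234567890123456 200',
    '2025-01-10 12:00:02 POST /pay body={"pan":"4111111111111111","cvv":"123"} 200',
    '2025-01-10 12:00:03 support note: customer read card 5555 5555 5555 4444 over the phone',
    '2025-01-10 12:00:04 GET /health 200',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: PAN found -> {f.masked_pan}")
```

Run against the sample, it reports lines 2 and 3 only: the request log that captured a POST body and the free-text support note, which are exactly the two systems (log server, CRM) that silently enlarge the CDE. Feeding real log exports through the same function is how you find out whether they belong in scope.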

The PCI DSS checklist in 8 concrete points

The official 12 PCI DSS requirements translate into specific operational tasks. Here are the main obligations every merchant must address:

  • Firewall and network segmentation: install and maintain firewall configurations that isolate the CDE from the rest of the infrastructure.
  • No factory defaults: change all default passwords on devices, routers and applications before going to production.
  • Protection of stored data: never store CVV after authorisation; encrypt PANs with approved algorithms if they must be retained.
  • Encryption in transit: use TLS 1.2 or higher for any transmission of card data over public networks.
  • Antivirus and vulnerability management: update systems and applications, perform vulnerability scans at least every quarter.
  • Access control: principle of least privilege, multi-factor authentication for CDE access, periodic user review.
  • Monitoring and logging: record all accesses to CDE components, retain logs for at least 12 months.
  • Testing and pen testing: perform penetration testing at least once a year and after significant infrastructure changes.

How to reduce 90% of compliance tasks with tokenization

Every point on the checklist applies only to systems that handle real card data. If your environment never sees a PAN, most obligations do not apply to you. Tokenization puts this logic into practice: instead of receiving a card number, your system receives an opaque token generated by a PCI DSS Level 1 certified vault like PCI Proxy EU.

The concrete result is a CDE reduced almost to zero: no additional firewalls to certify, no database encryption to implement, no penetration tests on systems that no longer handle PANs. Only the basic requirements related to your network and users remain active, which is a much more manageable subset. Merchants adopting this architecture often move from SAQ D (over 300 questions) to SAQ A (fewer than 30 questions).
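To make the scope reduction concrete, here is an added example that models the flow described above; it is not PCI Proxy EU's code and does not reproduce its API. The `TokenVault` class is a toy stand-in for the external Level 1 vault (in-memory, simulated acquirer, no real cryptographic storage), and the `Merchant` class is the merchant's own system. The points it demonstrates are the ones that move a merchant from SAQ D towards SAQ A: the card form talks to the vault, so the merchant receives only a random token and the last four digits; the same card maps to the same token through a keyed fingerprint that lives only in the vault; and the CVV is held behind a one-time reference that is consumed at the first authorisation, so nothing retains it afterwards. All names (`tokenize`, `authorize`, `cvv_ref`, `holds_card_data`) are assumptions for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets


class TokenVault:
    """Toy stand-in for the external PCI DSS Level 1 vault (constructed for this example).
    Only this class ever holds a PAN, and it runs outside the merchant's environment."""

    def __init__(self) -> None:
        self._cards: dict[str, dict[str, str]] = {}  # token -> {pan, expiry}; CVV is never kept here
        self._by_card: dict[str, str] = {}           # keyed fingerprint of PAN -> token
        self._pending_cvv: dict[str, str] = {}       # one-time CVV references, dropped at first use
        self._index_key = secrets.token_bytes(32)    # HMAC key, so fingerprints cannot be brute-forced offline

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict[str, str]:
        """Called by the customer's card form, not by the merchant. Returns only what the merchant may store."""
        pan = re.sub(r"\D", "", pan)
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._by_card.get(fingerprint)
        if token is None:
            # Random token: carries no information about the PAN and cannot be reversed outside the vault.
            token = "tok_" + secrets.token_urlsafe(18)
            self._cards[token] = {"pan": pan, "expiry": expiry}
            self._by_card[fingerprint] = token
        cvv_ref = "cvvref_" + secrets.token_urlsafe(12)
        self._pending_cvv[cvv_ref] = cvv
        return {"token": token, "cvv_ref": cvv_ref, "last4": pan[-4:], "expiry": expiry}

    def authorize(self, token: str, amount_cents: int, cvv_ref: str | None = None) -> dict:
        """Swap the token for the PAN, call the acquirer (simulated here), return a PAN-free result.
        A cvv_ref is consumed on first use, so the CVV never survives the authorisation."""
        card = self._cards[token]  # the PAN is used here and nowhere else
        cvv = self._pending_cvv.pop(cvv_ref, None) if cvv_ref else None
        if cvv_ref is not None and cvv is None:
            return {"approved": False, "auth_code": None, "reason": "cvv_ref already used"}
        if amount_cents <= 0 or len(card["pan"]) < 13:
            return {"approved": False, "auth_code": None, "reason": "invalid request"}
        return {"approved": True, "auth_code": secrets.token_hex(3), "reason": None}


class Merchant:
    """Merchant system: keeps tokens and last4 only, so its database stays outside the CDE."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: list[dict] = []

    def checkout(self, card_ref: dict[str, str], amount_cents: int) -> dict:
        result = self._vault.authorize(card_ref["token"], amount_cents, card_ref.get("cvv_ref"))
        order = {
            "token": card_ref["token"],
            "last4": card_ref["last4"],
            "amount_cents": amount_cents,
            "approved": result["approved"],
            "auth_code": result["auth_code"],
        }
        self.orders.append(order)
        return order


PAN_LIKE = re.compile(r"\d{13,19}")


def holds_card_data(record: dict) -> bool:
    """Scope check for a stored record: True if any value looks like a full PAN."""
    return any(isinstance(v, str) and PAN_LIKE.search(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card 4111...; in a real deployment this call comes from the hosted card form.
    card_ref = vault.tokenize("4111 1111 1111 1111", "2027-12", "123")
    shop = Merchant(vault)
    order = shop.checkout(card_ref, 1999)
    print(order, "in scope:", holds_card_data(order))
```

The `holds_card_data` check is the practical test to run over whatever the merchant actually persists (orders, CRM notes, support tickets): if it never fires, the stored-data, encryption and pen-test obligations of the checklist fall on the vault rather than on you, which is the reduction the paragraph above describes. A second authorisation on the same token without a `cvv_ref` still succeeds, which is how recurring or merchant-initiated charges work without the merchant ever seeing card data.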

Frequently asked questions

Who is required to comply with PCI DSS?

Any organisation that accepts, processes, stores or transmits card payment data. There are no exemptions based on size: even a small e-commerce site with a few transactions per month must be compliant. The obligation derives from the contract with the acquirer or bank that enables card payments.

How much does PCI DSS compliance cost for an SME?

Costs vary greatly based on the perimeter. An SME with an extended CDE may spend between €10,000 and €50,000 per year across consulting, pen tests, vulnerability scans and certifications. With tokenization and a minimal perimeter, many SMEs manage compliance with an autonomous SAQ and annual costs below €2,000.

What happens if you are not compliant?

The main consequences are: monthly penalties from card schemes (Visa, Mastercard) from $5,000 to $100,000, increased interchange fees, and possible revocation of the ability to accept card payments. In the event of a breach, forensic investigation, notification and fraud reimbursement costs come on top.

Want to reduce your PCI DSS checklist to the essential minimum? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
