Staying PCI DSS Compliant: The Annual Checklist

Payment Card Industry Data Security Standard (PCI DSS) compliance isn’t a once-a-year exercise; it’s a year-round effort that requires regular validation to protect cardholder data, manage risk, and maintain audit readiness throughout the year.

Compliance failures are rarely caused by a single missing control. Often, they result from small gaps that accumulate over time, such as missed quarterly scans, delayed remediation, incomplete evidence, or scope assumptions that are not reviewed as environments change.

Frustratingly, these issues tend to only surface when the assessment window is already open, leaving little time to respond. So, to help avoid last-minute disruptions and support ongoing PCI DSS compliance, Outpost24 has developed an annual PCI DSS compliance checklist organized by quarter to guide you through the process.

Who does PCI DSS apply to?

PCI DSS applies to any organization that stores, processes, or transmits payment card data. This includes merchants accepting card payments through physical or digital channels, as well as service providers and third parties whose systems or access can impact the security of the Cardholder Data Environment (CDE).

This includes third-party vendors such as:

  • Hosting and cloud providers
  • Payment gateways
  • Managed service providers
  • Software vendors
  • Partners connected to payment processing environments

The type of PCI DSS assessment required depends on an organization’s role, transaction volume, and payment environment, as defined by payment brands and acquiring banks, e.g. American Express, Discover, JCB, Mastercard, Visa, UnionPay.

Key PCI DSS validation documents and who is responsible for them

Report on Compliance (ROC)
  Who prepares it: Qualified Security Assessor (QSA)
  What it is: A full PCI DSS assessment for level 1 merchants or service providers.

Self-Assessment Questionnaire (SAQ)
  Who prepares it: Merchant or service provider
  What it is: A self-assessment of compliance, based on transaction volume and payment model, for lower-level merchants and service providers.

Approved Scanning Vendor (ASV) scan report and attestation
  Who prepares it: An ASV, such as Outpost24’s PCI Compliance solution
  What it is: An external vulnerability scan and attestation for PCI DSS compliance.

Outpost24’s Annual PCI DSS compliance checklist

Q1 (January to March): Review and plan

Goal: Establish a clear picture of your current compliance posture, confirm applicable PCI DSS requirements, define your assessment approach and the activities needed to achieve a successful outcome.

Watch for: Assumptions or errors introduced at this stage often persist and later surface as failed scans, incomplete evidence, or unexpected audit findings.

January
  Key actions:
    1. Confirm PCI DSS assessment requirements with payment brands and acquiring banks.
    2. Review last year’s ROC, SAQ, and ASV scan results to identify recurring findings and evidence gaps.
    3. Confirm that your ASV remains listed on the PCI Security Standards Council approved vendor list.
    4. Determine PCI scope to ensure all in-scope internet-facing systems are identified.
  Purpose: Establish a complete and accurate view of PCI DSS requirements, scope, and external scanning dependencies to prevent assessment gaps later in the year.

February
  Key actions:
    1. Review and test segmentation assumptions.
    2. Perform quarterly internal vulnerability scans in line with PCI DSS requirement 11.3.1, which mandates regular internal scanning of in-scope systems.
  Purpose: Confirm that PCI scope and segmentation remain valid and identify internal configuration or patching gaps early.

March
  Key actions:
    1. Run quarterly external vulnerability scans and remediate identified findings, in line with PCI DSS requirement 11.3.2.
  Purpose: Validate external exposure and reduce risk before remediation and control monitoring intensifies in Q2.

Q2 (April–June): Test and monitor

Goal: Verify that security controls are operating as intended, and that vulnerabilities are identified and addressed before they accumulate.

Watch for: Repeated scan failures caused by unresolved findings, undocumented exceptions, or scope drift, which is often introduced through infrastructure changes.

April
  Key actions:
    1. Review ASV scan results and address any special notes requiring validation, such as remote access services or externally accessible scripts.
    2. Review firewall rules and access configurations to confirm alignment with defined PCI scope and segmentation assumptions.
    3. Confirm encryption and key management practices remain compliant across in-scope systems.
    4. Monitor logs and alerts for suspicious or unauthorized activity.
  Purpose: Ensure that security controls are operating as intended and that no scope drift, control gaps, or unresolved scan issues are present.

May
  Key actions:
    1. Perform quarterly internal vulnerability scanning across in-scope systems to meet PCI DSS requirement 11.3.1.
  Purpose: Identify missing patches or newly introduced weaknesses.

June
  Key actions:
    1. Run quarterly external vulnerability scans against internet-facing in-scope systems in compliance with PCI DSS requirement 11.3.2.
    2. Remediate identified findings and repeat scanning as needed to achieve a passing result.
  Purpose: Ensure that any internal configuration or patching gaps that could derail your upcoming PCI DSS assessment are identified and remediated.

Q3 (July–September): Validate and strengthen

Goal: Test and refine your controls before the final annual assessment.

Tip: Outpost24’s PCI DSS Compliance solution automatically and continuously monitors your internet-facing web applications for the latest vulnerabilities, ensuring continuous protection, zero false positives and results verified by our certified pen testers.

July
  Key actions:
    1. Conduct internal penetration testing across in-scope systems to comply with PCI DSS requirements 11.4.2 and 11.4.3.
    2. Conduct external independent penetration testing against internet-facing in-scope systems.
    3. Review penetration testing findings and prioritise remediation activities.
    4. Test your incident response plan, including roles, escalation paths, and communication procedures.
    5. Review third-party Attestations of Compliance (AOC).
  Purpose: Independently validate the effectiveness of security controls, confirm third-party compliance, and address critical weaknesses.

August
  Key actions:
    1. Perform internal vulnerability scans following remediation activities.
    2. Confirm your asset inventory and validate where cardholder data resides.
  Purpose: Verify that remediation has been effective and that PCI DSS scope accurately reflects your current environment.

September
  Key actions:
    1. Run external vulnerability scans against in-scope systems.
  Purpose: Confirm external exposure remains controlled and that results support a passing status.

Q4 (October–December): Complete the annual assessment and reset for the next cycle

Goal: Finalise your PCI DSS validation, close outstanding gaps, and prepare your compliance programme for the next year.

Important: A passing ASV scan requires remediation of all vulnerabilities with CVSS ≥ 4.0. Make sure you address and verify the resolution of these issues prior to resubmission.
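The pass rule above and the quarterly cadence that runs through this checklist are easy to misapply by hand (a finding scored exactly 4.0 fails; a quarter with only a failed scan is still a gap). The following added example is not part of the original post or of Outpost24’s product; it applies the CVSS ≥ 4.0 failure threshold to a constructed set of ASV findings, produces the remediation list a rescan would need, and reports which calendar quarters of a year still lack a passing external scan. Hostnames, finding titles, scores and dates are invented sample data.

```python
"""Constructed example: apply the ASV pass rule (no findings with CVSS >= 4.0)
to scan results and check that every calendar quarter has a passing external scan.
All sample data below is invented for illustration."""
from dataclasses import dataclass
from datetime import date

# The ASV Program Guide fails a scan on any vulnerability scored CVSS 4.0 or higher.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str      # in-scope internet-facing host
    title: str     # short description as the scanner reported it
    cvss: float    # CVSS base score assigned by the ASV


@dataclass(frozen=True)
class Scan:
    scanned_on: date
    findings: tuple = ()   # tuple of Finding; empty tuple means a clean scan


def failing_findings(scan):
    """Findings that block a passing ASV result, highest score first."""
    return sorted(
        (f for f in scan.findings if f.cvss >= ASV_FAIL_THRESHOLD),
        key=lambda f: f.cvss,
        reverse=True,
    )


def scan_passes(scan):
    """A scan passes only when no finding meets the failure threshold."""
    return not failing_findings(scan)


def quarter_of(d):
    """Map a date to its calendar quarter (1-4), matching the checklist's Q1-Q4."""
    return (d.month - 1) // 3 + 1


def quarters_without_passing_scan(scans, year):
    """Quarters of `year` with no passing scan, i.e. cadence gaps still to close.
    Assumption: one passing scan per calendar quarter is the cadence being checked."""
    covered = {
        quarter_of(s.scanned_on)
        for s in scans
        if s.scanned_on.year == year and scan_passes(s)
    }
    return [q for q in (1, 2, 3, 4) if q not in covered]


def remediation_report(scan):
    """One line per failing finding: host, issue and score, for the remediation ticket."""
    return [f"{f.host}: {f.title} (CVSS {f.cvss:.1f})" for f in failing_findings(scan)]


# Constructed scan history for one year (hostnames, titles and scores are invented).
SAMPLE_SCANS = (
    Scan(date(2025, 3, 12), (Finding("pay.example.com", "Cookie lacks Secure flag", 3.1),)),
    Scan(date(2025, 6, 3), (
        Finding("pay.example.com", "TLS 1.0 enabled", 5.3),
        Finding("shop.example.com", "Directory listing enabled", 4.0),  # boundary: 4.0 fails
    )),
    # Rescan after remediation; only the low-scoring finding remains, so it passes.
    Scan(date(2025, 6, 24), (Finding("pay.example.com", "Cookie lacks Secure flag", 3.1),)),
    Scan(date(2025, 9, 9), ()),
    # No Q4 scan yet, so Q4 is reported as a gap.
)

if __name__ == "__main__":
    for s in SAMPLE_SCANS:
        print(s.scanned_on, "PASS" if scan_passes(s) else "FAIL")
        for line in remediation_report(s):
            print("   ", line)
    print("Quarters still lacking a passing scan:",
          quarters_without_passing_scan(SAMPLE_SCANS, 2025))
```

Feeding this the exported findings from each quarterly scan gives a running view of whether the year's evidence will support a passing status, rather than discovering a missed or failed quarter when the ROC or SAQ is being assembled.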

October
  Key actions:
    1. Conduct your annual PCI DSS assessment (ROC or SAQ).
    2. Gather and review evidence for all in-scope controls.
    3. Resolve any non-compliance findings identified during the assessment.
    4. Finalize and submit your AOC.
    5. Include the ASV scan report and attestation (ASC) with your ROC or SAQ submission, as required by PCI DSS.
    6. Document lessons learned and update your compliance roadmap.
  Purpose: Formally validate PCI DSS compliance, achieve a clean assessment outcome, and capture improvements for the next compliance cycle.

November
  Key actions:
    1. Perform internal vulnerability scanning across in-scope systems.
  Purpose: Confirm no new configuration or patching gaps have been introduced following the annual assessment.

December
  Key actions:
    1. Run quarterly external vulnerability scans against internet-facing in-scope systems.
    2. Remediate identified findings and retest where required.
  Purpose: Maintain the required scanning cadence and ensure ongoing compliance heading into the next year.

How Outpost24 can help you achieve PCI DSS compliance

Outpost24 has been a PCI Security Standards Council Approved Scanning Vendor (ASV) for over 20 years, with deep experience supporting organizations in achieving and maintaining PCI DSS compliance.

Outpost24’s PCI DSS Compliance solution reflects this expertise by bringing certified ASV scanning, penetration testing, and compliance reporting together in a single solution, supporting audit readiness throughout the year without unnecessary complexity. By supporting quarterly internal and external vulnerability scanning, ASV validation, and remediation tracking, our solution helps you maintain required scanning cadence, achieve passing results, and retain the evidence needed for ROC or SAQ submissions.

For organizations with limited internal capacity or tight timelines, our Managed PCI Compliance services provide hands-on support. If you need results fast, with a defined scope, our Managed Services team can complete a PCI DSS scan in 24-48 hours.

Get in touch to learn more about our PCI DSS compliance solution or to set up a live demo.

About the Author

Sri Vidhya Mathuram, Senior Product Expert, Outpost24

Sri has 8+ years of customer support experience at Outpost24, based in Karlskrona, Sweden. She is a PCI ASV certified employee whose work centres on the PCI ASV services Outpost24 offers. She is also a budding writer focusing on the ASM portfolio.