PCI Self Assessment
April 28, 2026

Each question is answered Yes, Partially, No, or Not Sure.

1. Do you have a firewall protecting every network that processes or stores cardholder data?
PCI DSS requires a properly configured firewall between any untrusted network and systems in the cardholder data environment. Consumer-grade routers don’t count.

2. Have all vendor-supplied default passwords been changed on every device in your network?
This includes routers, firewalls, switches, point-of-sale terminals, printers, and any networked equipment. Default credentials are public knowledge.

3. Is stored cardholder data encrypted, and is card data encrypted when transmitted across public networks?
If you store any card numbers (even temporarily), they must be encrypted at rest. All transmission of card data over the internet must use TLS 1.2 or higher.

4. Do all systems that process or access cardholder data have current endpoint protection (antivirus or EDR)?
Every workstation, server, and POS terminal in the cardholder data environment needs active, up-to-date endpoint protection. “Came with the computer” antivirus doesn’t meet this bar.

5. Are all systems and software patched with security updates within 30 days of release?
Critical security patches must be installed within one month. This includes operating systems, firmware, applications, and POS software.

6. Is access to cardholder data restricted to only employees whose job requires it?
The principle of least privilege: nobody should have access to card data unless they specifically need it for their role. This includes both physical and digital access.

7. Does every person with computer access have a unique ID, and is multi-factor authentication (MFA) enabled for remote access?
No shared accounts. No generic logins. Every user has their own credentials. MFA is required for any remote access to the cardholder data environment.

8. Is physical access to servers, POS devices, and network equipment restricted and monitored?
Server rooms should be locked. POS terminals should be inspected for tampering. Visitor access to sensitive areas should be logged.

9. Do you log and monitor all access to network resources and cardholder data?
Every access event, authentication attempt, and administrative action should be logged. Logs must be reviewed regularly and retained for at least one year.

10. Do you perform quarterly vulnerability scans and annual penetration testing?
PCI requires quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) and annual penetration testing of the cardholder data environment.

11. Do you have a documented information security policy that is reviewed annually and shared with all employees?
A written policy covering data handling, acceptable use, incident response, and employee security responsibilities. Must be reviewed at least yearly.

12. Is your payment processing network segmented from your general business network?
Network segmentation isolates the systems that handle card data from the rest of your network. This reduces your PCI scope and limits the blast radius of a breach.