PCI-DSS Compliance Guide
Compliance | 10 min read | Updated May 2026
Overview
PCI-DSS applies to any organization that stores, processes, or transmits cardholder data. Non-compliance can result in fines of $5,000 to $100,000 per month from payment brands, plus increased transaction fees and potential loss of the ability to process card payments.
Key Requirements
- Build and Maintain Secure Networks — Install and maintain firewall configurations. Do not use vendor-supplied defaults for system passwords.
- Protect Cardholder Data — Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
- Maintain Vulnerability Management — Use and regularly update anti-virus software. Develop and maintain secure systems and applications.
- Implement Strong Access Control — Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access.
- Regularly Monitor and Test Networks — Track and monitor all access to network resources. Regularly test security systems and processes.
How Gridlock Automates PCI-DSS
✅ Automated Compliance
Gridlock handles the continuous monitoring, evidence collection, and gap analysis that PCI-DSS requires. What used to take months of manual work is now automated.
- Network segmentation verification — Continuously monitors that cardholder data environments are properly segmented from the rest of the network
- Vulnerability scanning — Automated quarterly vulnerability scans as required by PCI-DSS Requirement 11.2
- Access control auditing — Monitors and logs all access to cardholder data environments
- Encryption verification — Validates that cardholder data is encrypted at rest and in transit
- Firewall rule auditing — Reviews firewall rules quarterly and alerts on unauthorized changes
Gap Analysis Checklist
- Scope defined — Identify all systems and data in scope
- Controls implemented — All required controls are in place
- Evidence collected — Automated evidence collection active
- Monitoring active — Continuous compliance monitoring running
- Reports generated — Audit-ready reports available on demand
Timeline: Manual vs Gridlock