# PCI DSS + HSM Compliance Checklist

| # | Requirement | Verified? (Y/N) | Notes |
|---|---|---|---|
| 1 | HSM is FIPS 140-2 Level 3 (or FIPS 140-3 Level 3) validated | | Check NIST CMVP list |
| 2 | Cryptographic keys for CHD never exist outside the HSM in plaintext | | Confirm via architecture review |
| 3 | All key management (generation, storage, rotation, destruction) occurs within the HSM | | |
| 4 | HSM access is restricted via strong authentication (MFA recommended) | | PCI DSS Req 8 |
| 5 | Role separation enforced (e.g., Security Officer vs. Crypto User vs. Auditor) | | PCI DSS Req 7 |
| 6 | All HSM operations logged; logs sent to SIEM | | PCI DSS Req 10 |
| 7 | HSM physically secured (if on-prem) or hosted in a compliant cloud environment | | PCI DSS Req 9 |
| 8 | HSM firmware/software kept up to date | | PCI DSS Req 6 |
| 9 | HSM included in annual PCI DSS assessment scope | | Document in ROC/SAQ |
| 10 | If used in P2PE or PIN processing, solution is PCI-listed or validated | | Check PCI SSC website |
PCI DSS + HSM Compliance Checklist, gist kardesyazilim/8d12a3b8f07cc6d0e0d74036e0a403b3, created October 13, 2025 13:09.