kardesyazilim/pci_dss_hsm_compliance_checklist.md

## pci_dss_hsm_compliance_checklist.md

      
    Raw
  

              pci_dss_hsm_compliance_checklist.md
            
          
#
Requirement
Verified? (Y/N)
Notes


1
HSM is FIPS 140-2 Level 3 (or FIPS 140-3 Level 3) validated

Check NIST CMVP list


2
Cryptographic keys for CHD never exist outside HSM in plaintext

Confirm via architecture review


3
All key management (generation, storage, rotation, destruction) occurs within HSM


4
HSM access is restricted via strong authentication (MFA recommended)

PCI DSS Req 8


5
Role separation enforced (e.g., SO vs. Crypto User vs. Auditor)

PCI DSS Req 7


6
All HSM operations logged; logs sent to SIEM

PCI DSS Req 10


7
HSM physically secured (if on-prem) or in compliant cloud environment

PCI DSS Req 9


8
HSM firmware/software kept up to date

PCI DSS Req 6


9
HSM included in annual PCI DSS assessment scope

Document in ROC/SAQ


10
If used in P2PE or PIN processing, solution is PCI-listed or validated

Check PCI SSC website
#	Requirement	Notes
1	HSM is FIPS 140-2 Level 3 (or FIPS 140-3 Level 3) validated	Check NIST CMVP list
2	Cryptographic keys for CHD never exist outside HSM in plaintext	Confirm via architecture review
3	All key management (generation, storage, rotation, destruction) occurs within HSM
4	HSM access is restricted via strong authentication (MFA recommended)	PCI DSS Req 8
5	Role separation enforced (e.g., SO vs. Crypto User vs. Auditor)	PCI DSS Req 7
6	All HSM operations logged; logs sent to SIEM	PCI DSS Req 10
7	HSM physically secured (if on-prem) or in compliant cloud environment	PCI DSS Req 9
8	HSM firmware/software kept up to date	PCI DSS Req 6
9	HSM included in annual PCI DSS assessment scope	Document in ROC/SAQ
10	If used in P2PE or PIN processing, solution is PCI-listed or validated	Check PCI SSC website
No results found