HardChecklist

PCI DSS 4.0 Certificate Audit Prep

Everything your QSA will ask about certificates and encryption. PCI DSS 4.0 has 12 requirements—this checklist focuses on Requirement 4 (protect cardholder data in transit) and related certificate controls.

2-3 hoursLast Updated: January 2026

Progress: 0/66 complete0%

When to Use

• Preparing for PCI DSS 4.0 assessments
• Gathering evidence for QSA interviews
• Fixing certificate-related findings before the audit
• Training security teams on PCI crypto requirements

Do NOT Use For

• SAQ A merchants with no CHD handling (outsourced everything)
• Systems outside the cardholder data environment (CDE)

Quick Reference (TL;DR)

TLS 1.2 minimum, TLS 1.3 recommended—no legacy protocols
Forward secrecy required (ECDHE/DHE ciphers)
No weak ciphers: NULL, RC4, 3DES, export ciphers
No self-signed certs on public endpoints; complete chain required
Document your certificate inventory (Requirement 12.3.3 is new)
Know your scope before anything else

11. Know Your Scope

Objective: Document what systems are in scope before anything else—this is the QSA's first question

Identify all systems transmitting CHD (cardholder data)

List all external-facing TLS endpoints (payment pages, APIs, partner connections)

Document internal TLS connections (service mesh, database connections)

Map certificate inventory to CDE—which certs protect CHD?

Identify third-party providers that terminate TLS on your behalf (CDNs, payment gateways, WAFs)

💡 **This is the QSA's first question.** If you can't define scope, everything else is harder.

💡 Internal TLS connections are often forgotten—don't overlook service mesh and database links.

💡 QSAs will ask how you govern third-party TLS termination—have their AOCs and crypto configs ready.

22. Requirement 4.2.1 - Protocol Requirements

Objective: "Strong cryptography is used to safeguard PAN during transmission over open, public networks"

TLS 1.2 minimum enabled on all endpoints

TLS 1.3 where possible (not required, but recommended)

SSL 2.0/3.0 disabled (should be dead, but verify)

No fallback to weak protocols (POODLE-style downgrades)

Test protocol support:

# Should succeed
openssl s_client -connect payment.example.com:443 -tls1_2 2>&1 | head -5

# Should fail (TLS 1.0 disabled)
openssl s_client -connect payment.example.com:443 -tls1 2>&1 | head -5

💡 **Common finding:** TLS 1.0 or 1.1 still enabled on legacy systems.

💡 Prepare server config exports and SSL Labs reports as evidence.

33. Requirement 4.2.1 - Cipher Suite Requirements

Objective: Verify cipher configuration meets PCI DSS 4.0 standards

No NULL ciphers (instant fail)

No anonymous DH (missing authentication)

No export ciphers (FREAK/Logjam vulnerabilities)

No RC4 (known broken)

No 3DES (Sweet32—new emphasis in 4.0)

AES-128 or AES-256 only (approved algorithms)

Forward secrecy enabled (ECDHE/DHE—new emphasis in 4.0)

Export cipher list from server:

nmap --script ssl-enum-ciphers -p 443 payment.example.com

💡 **New in 4.0:** Forward secrecy is now explicitly required, not just recommended. Be prepared to show at least one config/export demonstrating ECDHE in use.

💡 3DES removal is new—many legacy systems still have it enabled.

💡 💡 Document which cipher policy baseline you follow (e.g., NIST SP 800-52r2) and keep that doc handy as evidence.

44. Key Strength Requirements

Objective: Ensure certificate keys meet minimum strength thresholds

RSA keys ≥ 2048 bits (1024-bit = finding)

ECC keys ≥ 224 bits (P-256 or higher)

DH parameters ≥ 2048 bits (often overlooked)

Check key size:

openssl x509 -noout -text -in cert.crt | grep "Public-Key"

Generate 2048-bit DH parameters:

openssl dhparam -out dhparam.pem 2048

💡 DH parameters are the most commonly overlooked—many servers use 1024-bit defaults.

💡 **Retire any 1024-bit keys within scope**, even if not internet-facing. QSAs scrutinize internal services too.

💡 Document certificate details as evidence.

55. Certificate Lifecycle Controls

Objective: Be ready for QSA questions about how you manage certificates

How do you track certificate expiration? (monitoring tool, alerts)

What's your renewal process? (documented runbook)

How far in advance do you renew? (30-60 days typical)

Who can request certificates? (access control documentation)

Where are private keys stored? (HSM inventory, key storage docs)

Who has access to private keys? (access control lists)

Have you had any certificate-related outages? (be honest)

💡 QSAs want to see process, not just technology. Document your runbooks.

💡 **Pro tip:** Have specific people assigned to answer each area. QSAs notice when everyone looks at each other.

88. Requirement Mapping Quick Reference

Objective: Understand which PCI requirements map to certificate/crypto controls

4.2.1: Strong cryptography for CHD transmission (QSA: "Show me your cipher configs")

4.2.1.1: Trusted certificates for public networks (QSA: "Any self-signed in the CDE?")

4.2.1.2: Certificates valid and not expired (QSA: "How do you ensure nothing expires in production?")

4.2.2: Secure protocols, no SSL/early TLS (QSA: "Show me TLS 1.0 is disabled")

3.5.1: Key storage and access controls (QSA: "Where are private keys stored? Who has access?")

3.6.1: Key management procedures (QSA: "Walk me through key generation to destruction")

3.7.1: Key rotation procedures (QSA: "How often do you rotate keys? Show me evidence")

12.3.3: Cryptographic inventory (QSA: "Show me your crypto inventory"—NEW in 4.0!)

💡 **New in 4.0:** Requirement 12.3.3 explicitly requires organizations to maintain a cryptographic inventory. Certificates are a key part of this.

💡 This checklist focuses on Requirement 4, but key management (Req 3) is equally important. See our key ceremony best practices for what auditors look for in key generation procedures.

Troubleshooting

Problem: QSA asks for cryptographic inventory and we don't have one

Solution: Start with certificate inventory from your CLM tool. Document all TLS endpoints, algorithms in use, and key storage locations. This is now required under Requirement 12.3.3.

Problem: Legacy system requires TLS 1.0 for compatibility

Solution: Document a compensating control: network segmentation, enhanced monitoring, planned upgrade timeline. Use the PCI Council's standard Compensating Control Worksheet—QSAs expect to see it in that format.

Problem: Can't disable 3DES due to legacy integrations

Solution: Similar to TLS 1.0: document the business justification, implement compensating controls, and show a migration plan. 3DES removal is new in 4.0, so QSAs are seeing this frequently.

Problem: Certificate expired during previous assessment period

Solution: Be honest. Show what monitoring you've implemented to prevent recurrence. QSAs respect transparency and demonstrated improvement over cover-ups.

Problem: Private keys stored on application servers without HSM

Solution: This isn't automatically a failure, but document your controls: file permissions, encryption at rest, access logging. HSMs are best practice but not always required.

Related Resources

📖 TLS Protocol Comparison 📖 Cipher Suite Decoder 📖 Forward Secrecy Explained 📖 RSA vs ECC Keys 📖 Certificate Lifecycle Guide 📖 HSM Integration Guide 📖 Chain Builder Guide ✅ Certificate Renewal Runbook ✅ Key Compromise Response Runbook 🔧 SSL/TLS Checker Tool

← Back to Checklists Library