Summary

PCI DSS v4.0 requires user access reviews at least every six months for accounts with access to the cardholder data environment. For privileged CRM administrator accounts, more frequent reviews are recommended best practice.

PCI DSS Checklist for CRM Software: Everything You Need to Know

Customer relationship management (CRM) platforms are treasure troves of sensitive data. They store payment histories, billing addresses, contact details, and sometimes full cardholder data. If your CRM touches payment card information in any way, you are almost certainly in scope for Payment Card Industry Data Security Standard (PCI DSS) compliance.

This guide gives you a practical, actionable PCI DSS checklist specifically tailored for CRM software environments, whether you’re running Salesforce, HubSpot, Microsoft Dynamics, or a custom-built solution.

Why CRM Software Falls Under PCI DSS Scope

PCI DSS applies to any system that stores, processes, or transmits cardholder data (CHD). CRM platforms frequently qualify because they:

Log payment-related support tickets containing card numbers
Store billing and transaction histories linked to customer profiles
Integrate directly with payment processors or e-commerce platforms
Allow sales agents to manually enter card details during phone orders

Even if your CRM doesn’t store full Primary Account Numbers (PANs), partial card data, expiration dates, or cardholder names can still pull the system into scope. Understanding your data flows before you begin is non-negotiable.

PCI DSS Checklist for CRM Software

Use this checklist as a working document during your assessment. Each section maps to the relevant PCI DSS v4.0 requirements.

1. Scoping and Data Discovery

Before anything else, you need to know exactly what data lives in your CRM.

[ ] Identify all cardholder data fields stored in your CRM (PAN, expiration date, CVV, cardholder name)
[ ] Map all data flows between your CRM and payment processors, billing systems, and third-party integrations
[ ] Document which CRM modules, fields, and integrations are in scope
[ ] Confirm that sensitive authentication data (SAD) such as CVV/CVV2 is never stored post-authorization
[ ] Review CRM API connections that may transmit card data

2. Network Security Controls (PCI DSS Requirements 1 & 2)

[ ] Segment your CRM environment from out-of-scope systems using firewalls or network controls
[ ] Ensure CRM servers are not directly accessible from the public internet
[ ] Change all default passwords on CRM infrastructure, databases, and admin panels
[ ] Disable unnecessary services, ports, and protocols on CRM-connected systems
[ ] Document your network topology showing CRM placement within the cardholder data environment (CDE)

3. Data Protection and Encryption (Requirements 3 & 4)

This is one of the highest-risk areas for CRM platforms.

[ ] Implement strong encryption (AES-256 or equivalent) for stored cardholder data in CRM databases
[ ] Use tokenization to replace PANs with non-sensitive tokens wherever possible
[ ] Mask PANs when displayed in the CRM interface (show only last four digits)
[ ] Enforce TLS 1.2 or higher for all data transmission between CRM and integrated systems
[ ] Confirm that CRM backups containing cardholder data are also encrypted
[ ] Verify that encryption keys are stored separately from encrypted data

4. Access Control and Identity Management (Requirements 7 & 8)

[ ] Apply the principle of least privilege — users should only access the CRM data they need
[ ] Assign unique user IDs to every CRM user; no shared accounts
[ ] Enforce multi-factor authentication (MFA) for all CRM access, especially remote access
[ ] Implement role-based access controls (RBAC) for different CRM user types (sales, support, admin)
[ ] Review and update CRM user access rights at least every six months
[ ] Immediately revoke access for terminated employees
[ ] Set session timeout policies for inactive CRM sessions

5. Physical Security (Requirement 9)

If your CRM is self-hosted or uses on-premise infrastructure:

[ ] Restrict physical access to servers hosting CRM data
[ ] Maintain access logs for server rooms and data centers
[ ] Securely destroy any physical media containing cardholder data exported from the CRM

For cloud-hosted CRM platforms, verify your vendor’s physical security compliance through their SOC 2 or PCI DSS attestation documents.

6. Vulnerability Management and Patching (Requirements 5 & 6)

[ ] Deploy and maintain anti-malware solutions on all CRM-connected endpoints
[ ] Apply security patches to CRM software within 30 days of release (critical patches within one month)
[ ] Conduct regular vulnerability scans of CRM-connected systems (at least quarterly)
[ ] Perform penetration testing on CRM infrastructure at least annually
[ ] Review and secure all CRM customizations, plugins, and third-party integrations
[ ] Implement a secure development lifecycle (SDLC) if you build custom CRM features

7. Monitoring and Logging (Requirements 10 & 11)

[ ] Enable audit logging for all CRM user activity, especially access to cardholder data fields
[ ] Log all failed login attempts and privilege escalation events
[ ] Retain CRM logs for at least 12 months (three months immediately available)
[ ] Implement automated alerts for suspicious CRM activity (bulk data exports, repeated failed logins)
[ ] Deploy file integrity monitoring (FIM) on CRM system files and configuration files
[ ] Review logs daily or use a SIEM solution to automate log analysis

8. Security Policies and Training (Requirement 12)

[ ] Maintain a documented information security policy that explicitly covers CRM data handling
[ ] Train all CRM users on PCI DSS requirements and data handling procedures annually
[ ] Conduct background checks on employees with CRM access to cardholder data
[ ] Establish an incident response plan that covers CRM data breaches
[ ] Review your CRM vendor’s PCI DSS compliance status and obtain their Attestation of Compliance (AOC)

CRM-Specific PCI DSS Considerations

Third-Party CRM Integrations

Every integration your CRM has with a payment processor, billing tool, or marketing platform extends your compliance scope. For each integration:

Obtain the vendor’s PCI DSS AOC or SAQ
Review data-sharing agreements to confirm what card data (if any) is transmitted
Ensure API keys and credentials are stored securely, not hardcoded in CRM workflows

Cloud-Based CRM Platforms

If you use a SaaS CRM like Salesforce or HubSpot, your compliance responsibility is shared with the vendor. Key steps:

Request your CRM vendor’s PCI DSS AOC and understand what they cover
Identify the controls that remain your responsibility (user access, configuration, custom code)
Avoid storing raw cardholder data in custom CRM objects or notes fields

Reducing Your CRM Scope

The best strategy is often descoping your CRM entirely from PCI DSS by:

Using tokenization so only tokens (never real PANs) are stored in the CRM
Routing all payment processing through a PCI-compliant payment page that never touches your CRM
Conducting regular data discovery scans to confirm no card data has leaked into CRM fields

Frequently Asked Questions

Does my CRM automatically need to be PCI DSS compliant?

Not automatically. Your CRM only falls under PCI DSS scope if it stores, processes, or transmits cardholder data. If your CRM is fully isolated from payment data and you use tokenization or a separate payment system, you may be able to exclude it from your cardholder data environment entirely.

What PCI DSS SAQ applies to a business using a CRM for phone orders?

Businesses that take card payments over the phone and manually enter data into a CRM typically fall under SAQ C or SAQ D, depending on how the CRM is hosted and connected to other systems. Consult a Qualified Security Assessor (QSA) to confirm your applicable SAQ.

How often should we audit CRM user access for PCI DSS compliance?

Can we use a cloud CRM and still be PCI DSS compliant?

Yes. Many organizations use cloud CRM platforms within a PCI DSS-compliant environment. The key is understanding the shared responsibility model — your vendor handles infrastructure-level controls, while you remain responsible for user access management, configuration, and ensuring no sensitive card data is stored in unsanctioned fields.

What happens if cardholder data is accidentally stored in CRM notes or custom fields?

This is a common and serious issue. If card data is discovered in unintended CRM fields, you must immediately purge it, investigate how it got there, retrain users, and implement technical controls (such as field-level data loss prevention) to prevent recurrence. Depending on your compliance scope, you may also need to notify your acquiring bank.

Stop Building Compliance Documents from Scratch

Working through PCI DSS requirements for your CRM environment is complex — but your documentation doesn’t have to be. Our ready-to-use PCI DSS compliance template bundles include pre-built checklists, policy templates, risk assessment frameworks, and evidence collection guides specifically designed for software and SaaS environments.

Save dozens of hours and reduce compliance risk today. Browse our PCI DSS template library and get audit-ready documentation your QSA will actually approve.