
Recipe: PCI-DSS prep checklist

A step-by-step guide to hardening your Windows endpoints for PCI-DSS v4.0 compliance using Meridian's kernel instrumentation and tamper-aware licensing.

1. Inventory cardholder data flows

Map every process that touches PAN, track data, or expiry dates, or that stores CVV. Use Meridian's ETW consumer to log process creation and file I/O on protected volumes. Export the manifest as a signed JSON blob for your QSA.

2. Harden the runtime

Enable Meridian's anti-debug aggregator and IAT integrity checks. Configure the kernel driver to block unsigned DLL loads into cardholder-facing processes. Set the tamper response to “terminate + notify SIEM.”

3. Lock down the license plane

Bind your POS terminal licenses to the TPM endorsement key (EK) and the machine SID. Activate offline grace caches signed with HMAC so terminals keep working during network segmentation tests. Rotate Ed25519 signing keys quarterly.

4. Validate with a tabletop exercise

Simulate a tamper event: inject an unsigned DLL into a protected process. Confirm Meridian terminates the process, revokes the license, and pushes an alert to your webhook within 500 ms. Log the timeline for your ROC.

5. Maintain evidence

Schedule weekly exports of Meridian's integrity attestation reports. Store them in an immutable S3 bucket with object lock. Your QSA will ask for 12 months of continuous monitoring data.
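The offline grace cache from step 3 is the piece most worth getting right, because a forgeable or non-expiring cache silently defeats the license plane. The following is an added example, not Meridian's code or format: it signs a cache over canonical JSON with HMAC-SHA256, keys the HMAC by a key id so the quarterly rotation in step 3 does not invalidate caches issued under the previous key, and on verification checks the MAC in constant time, the TPM EK / machine SID binding, and the grace window. Field names, the key ring, and the sample values are all constructed.

```python
import hashlib
import hmac
import json

# Constructed key ring (kid -> secret). Keeping the previous quarter's key
# alongside the current one lets caches issued before a rotation verify
# until their grace window closes, then the old key can be dropped.
KEYRING = {
    "2024q1": b"constructed-key-q1-not-a-real-secret",
    "2024q2": b"constructed-key-q2-not-a-real-secret",
}


def canonical(payload: dict) -> bytes:
    # Sorted keys and no whitespace so signer and verifier MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_cache(payload: dict, kid: str) -> dict:
    """Issue a grace cache: the payload, the key id used, and its HMAC-SHA256."""
    mac = hmac.new(KEYRING[kid], canonical(payload), hashlib.sha256).hexdigest()
    return {"kid": kid, "payload": payload, "mac": mac}


def verify_cache(cache: dict, tpm_ek_hash: str, machine_sid: str, now: float):
    """Return (ok, reason). Check the MAC before trusting any payload field."""
    key = KEYRING.get(cache.get("kid"))
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, canonical(cache["payload"]), hashlib.sha256).hexdigest()
    # Constant-time compare so MAC checking does not leak byte-by-byte timing.
    if not hmac.compare_digest(expected, cache.get("mac", "")):
        return False, "mac mismatch"
    p = cache["payload"]
    # A valid cache copied to another terminal must still be rejected.
    if p["tpm_ek_hash"] != tpm_ek_hash or p["machine_sid"] != machine_sid:
        return False, "binding mismatch"
    # Reject caches used before issue (clock rollback) or past the grace window.
    if now < p["issued_at"] or now > p["issued_at"] + p["grace_seconds"]:
        return False, "outside grace window"
    return True, "ok"
```

Because `now` is a parameter, the verifier can be exercised against a clock rollback or an expired window in a test without touching the system clock.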

Need a QSA-ready attestation bundle?

Meridian Enterprise includes pre-built PCI-DSS report templates and a signed integrity manifest your auditor can verify independently.
