Ubiquiti UniFi PCI Compliance
UniFi offers a robust, secure platform designed with powerful tools to help you achieve and maintain PCI-DSS compliance. If your business processes, stores, or transmits cardholder data, the Payment Card Industry Data Security Standard (PCI-DSS) requires you to implement and maintain specific security controls.
Ubiquiti does not store, process, or transmit cardholder data. However, we provide the capabilities you need to build a PCI-compliant environment, and we’re proud to support customers in regulated industries worldwide.
PCI-DSS Requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
1. Install and maintain a firewall configuration to protect cardholder data
UniFi Gateways support zone-based firewall policies and VLAN segmentation, allowing administrators to separate cardholder data from the rest of the network. Firewall rules can be applied at the interface or zone level, enabling tight control over east-west and north-south traffic.
Switches and access points further support segmentation through ACLs and client isolation features. This allows administrators to isolate POS terminals, payment processors, or back-office systems from other devices, helping satisfy PCI segmentation and scoping expectations.
For more information, see Implementing Network and Client Isolation in UniFi.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
UniFi does not retain default usernames and passwords beyond initial setup or device adoption. Furthermore, UniFi administrative sessions are encrypted with TLS and restricted to authenticated admins only.
3. Protect stored cardholder data
UniFi systems do not interact with or store cardholder data in any capacity. Administrative services are managed via an out-of-band control plane, meaning data traffic does not traverse UniFi’s cloud infrastructure.
This architectural separation ensures that network management and cardholder environments remain logically and functionally distinct. Any storage and protection of cardholder data must occur within the customer’s isolated systems, which UniFi’s tools can help segment and protect.
For more information on UniFi’s data centers and cloud security, see our Trust Center.
4. Encrypt transmission of cardholder data across open, public networks
UniFi supports modern wireless encryption protocols, including WPA2, WPA3, and WPA2/WPA3 Mixed Mode, with authentication via pre-shared keys (PSK) or enterprise-grade RADIUS/802.1X.
Administrators can enforce minimum password complexity for PSK usage (i.e., at least 12 characters, including a mix of uppercase and lowercase letters, numbers, and special characters), and isolate SSIDs handling sensitive traffic using VLAN assignments. These features ensure that wireless transmission of cardholder data is encrypted and segmented according to PCI standards.
See UniFi WiFi SSID and AP Settings Overview for more information on available security settings.
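The PSK complexity rule described above, implemented as a checker plus a CSPRNG-based generator that only emits passphrases passing the same check. This is an added example, not Ubiquiti code; it assumes "special character" means printable ASCII punctuation, which the page does not define.

```python
import secrets
import string

# Policy as stated on the page: at least 12 characters, with at least one
# uppercase letter, one lowercase letter, one digit and one special character.
MIN_LENGTH = 12
# Assumption (not defined on the page): "special" means printable ASCII punctuation.
SPECIAL = string.punctuation


def check_psk_policy(psk: str) -> list[str]:
    """Return the policy violations for a pre-shared key; an empty list means compliant."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in psk):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in psk):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in psk):
        problems.append("no digit")
    if not any(c in SPECIAL for c in psk):
        problems.append("no special character")
    # WPA2-PSK (IEEE 802.11i) passphrases are 8 to 63 printable ASCII characters;
    # a key that satisfies the complexity policy but breaks this limit still fails.
    if len(psk) > 63 or not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("not a valid 8-63 character printable-ASCII passphrase")
    return problems


def generate_psk(length: int = 20) -> str:
    """Generate a random passphrase that satisfies check_psk_policy, using a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over compliant keys.
        if not check_psk_policy(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Correct-Horse-42", "abcdefghijkl", "Pässwörd-2024!"):
        print(repr(sample), "->", check_psk_policy(sample) or "compliant")
    print("generated:", generate_psk())
```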
5. Use and regularly update anti-virus software or programs
While PCI-DSS requires antivirus at the endpoint level, Ubiquiti helps implement a multi-layered defense model:
Ubiquiti Gateways include an integrated Intrusion Prevention and Detection System (IPS/IDS) that inspects traffic in real time using a continuously updated database of threat signatures. These signatures detect known vulnerabilities, malware activity, and suspicious traffic patterns.
For enhanced protection, Ubiquiti’s CyberSecure feature augments the base IPS/IDS system with expanded threat intelligence feeds and real-time updates, delivered through a strategic partnership with Proofpoint, one of the industry’s leading threat research organizations. This provides access to a broader and more current set of threat signatures compared to standard IDS deployments.
Beginning with UniFi Network version 9.3, CyberSecure also integrates with Cloudflare to provide DNS-based security filtering and content controls. This integration helps prevent access to malicious domains, phishing sites, and other high-risk web content before it reaches client devices.
Together, these layered protections enable administrators to mitigate a wide range of network-based threats and align with PCI-DSS expectations for proactive malware defense and signature maintenance.
See UniFi Network Security for more information.
6. Develop and maintain secure systems and applications
UniFi supports automatic software and firmware updates across all managed devices. Updates can be scheduled and monitored through the UniFi Network application to ensure all infrastructure components remain current with the latest security patches. This reduces exposure to known vulnerabilities, as required by PCI-DSS.
See UniFi Updates for more information.
7. Restrict access to cardholder data by business need to know
Administrators can configure Role-Based Access Control (RBAC) within the UniFi platform. Permissions can be scoped to individual sites or management functions, allowing teams to limit access to only what is operationally necessary. This enforces the principle of least privilege across network management.
See Adding Admins in UniFi for more information.
8. Identify and authenticate access to system components
Ubiquiti enforces Multi-Factor Authentication (MFA) for all UI accounts. Administrators are required to authenticate via UI.com accounts, which support MFA. MFA options include app-based one-time passcodes, as well as hardware tokens.
9. Restrict physical access to cardholder data
To address physical security controls, UniFi Access provides door entry management for controlled areas. Administrators can enforce access rules via RFID cards, PINs, and 2FA, and maintain logs of all entry attempts.
Deploying UniFi Access in server rooms or other restricted areas helps enforce physical access boundaries required by PCI-DSS.
See Configuring Door Unlock Methods in UniFi Access for more information.
10. Track and monitor all access to network resources and cardholder data
UniFi logs all administrator logins, configuration changes, and system access events, including IP addresses and timestamps. These logs are available through the UniFi interface and can be exported to external SIEM platforms or syslog servers for long-term retention.
This provides the auditable trail necessary to support PCI’s monitoring and accountability requirements.
11. Regularly test security systems and processes
Intrusion detection features on UniFi Gateways operate in real time and are continuously updated. In addition, Ubiquiti’s cloud infrastructure—used for administrative and support services—is regularly tested by independent security firms. These upstream assurances support trust in the broader control ecosystem, while local IPS/IDS features offer practical in-network protections.
For more information, see our Trust Center.
12. Maintain a policy that addresses information security for all personnel
While UniFi provides technical controls, it is the organization’s responsibility to develop and maintain documented information security policies. These policies should include training programs, risk assessments, acceptable use guidelines, and incident response procedures.
UniFi’s tools support the enforcement of these policies, but overall governance must be established and maintained by the deploying organization.