Summary

PCI DSS and the NIST Cybersecurity Framework have a common goal: to enhance data security. Mapping PCI DSS to the NIST framework provides a resource to use in understanding how to align security efforts to meet the objectives of both.

Stakeholders have many regulations and protocols with security compliance in the financial services space. In order to meet the objectives of both PCI DSS and NIST, it’s important to understand what each one is, how it works, and how to meet those requirements.

What is NIST?

The National Institute of Standards and Technology (NIST) is designed to lead the development of a Cybersecurity Framework. This provides a prioritized, flexible, repeatable, performance-based and cost-effective approach to help owners and operators of critical infrastructure identify, assess and manage cyber risks through self-guided assistance for organizations. This framework also aids risk and cybersecurity management communications between internal and external organizational stakeholders.

What is PCI DSS?

PCI DSS, or Payment Card Industry Data Security Standard was created in 2004 by Visa, MasterCard, Discover, and American Express and is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions. These policies protect cardholders against misuse of their personal information.

What are the differences?

PCI DSS defines the security requirements for protecting payment card data, and outlines validation procedures and guidance to assist organizations in understanding what the requirements mean. PCI DSS also elaborates on six major objectives:

  • Secure network must be maintained where transactions can be conducted. This involves using firewalls that can be effective without causing an inconvenience to cardholders or vendors.
  • Cardholder information must be protected wherever it is stored. Cardholder data should be encrypted effectively to protect the information when transmitted through public networks, or e-commerce.
  • Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs and other anti-malware solutions. Patches offered by software and operating system (OS) vendors should be installed on a regular basis to ensure the highest levels of risk management.
  • Access to system information and operations should be restricted and controlled. Cardholder data should be protected physically as well as electronically.
  • Networks must be constantly monitored and regularly tested to ensure all security measures and processes are in place, functioning property and kept up-to-date. All exchanged data should be scanned on a continuous basis.
  • A formal information security policy must be defined, maintained and followed at all times by all participating entities, which includes audits and penalties for non-compliance.

NIST provides broad security and risk management objectives based on the environment being assessed. Each set of those objectives has discretionary applicability based on the scenario. By using the Framework, organizations can determine which activities are most important to critical operations and service delivery. As a common language in addressing cybersecurity risk management, it helps with awareness, improved communication and an understanding between and among IT, planning and operating units, and senior management. The Framework also addresses the cost and cost-effectiveness of cybersecurity risk management, in addition to providing help in managing risk for assets not under the direct management of a team.

How do they work?

While both of these provide security approaches addressing common security goals and principles relevant to security risks, they are not interchangeable. They differ in that the NIST identifies general security outcomes and activities, while the PCI DSS provides direction and guidance on how to meet security outcomes for payment environments.

PCI DSS and the NIST Cybersecurity Framework have a common goal: to enhance data security. Mapping PCI DSS to the NIST framework provides a resource to use in understanding how to align security efforts to meet the objectives of both.

How should stakeholders use these together?

NIST put together a mapping tool that outlines common security best practices of the two to showcase how meeting PCI DSS requirements can assist in achieving Framework outcomes for payment environments.

Stakeholders can utilize NIST mapping to identify opportunities for greater alignment between organizational security objectives and better control efficiencies. This mapping can help identify areas where the implementation of security controls can support both. Also, an entity’s internal evaluations to determine the effectiveness of any controls implemented can assist the entity in preparing for a PCI DSS or NIST assessment, or both.

Contact I.S. Partners for Assistance

Both NIST and PCI DSS take time to implement based on the resources, capabilities and needs of an organization. Even with the current regulatory protocols, they are flexible enough where organizations can make their own choices on products and services available while providing cybersecurity protection.

For more information on either PCI or NIST compliance, send us a message or call us at 215-675-1400.

Author Picture

Request a Quote

Get hassle-free pricing in 3 easy steps:

  • Step 1: Send us a message
  • Step 2: Allow us to create a customized plan
  • Step 3: We’ll get you an accurate, no-obligation quote
[form_name]

Start Here

Request a Quote

Please fill out the fields below and one of our specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (ACTIVE)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.

Sending
I.S. Partners

Your choice regarding cookies on this site

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.