Organizations in the financial services space face many security regulations, standards and frameworks. To meet the objectives of both PCI DSS and the NIST Cybersecurity Framework, it is important to understand what each one is, how it works, and how to satisfy its requirements.
What is NIST?
The National Institute of Standards and Technology (NIST) is a U.S. federal agency that, under Executive Order 13636 (2013), was directed to develop the Cybersecurity Framework (CSF). The Framework provides a prioritized, flexible, repeatable, performance-based and cost-effective approach that helps owners and operators of critical infrastructure, and organizations more generally, identify, assess and manage cyber risk through self-guided assessment. It also gives internal and external stakeholders a common vocabulary for communicating about risk and cybersecurity management.
What is PCI DSS?
PCI DSS, the Payment Card Industry Data Security Standard, was first released in December 2004 by Visa, MasterCard, Discover, American Express and JCB, which formed the PCI Security Standards Council (PCI SSC) in 2006 to maintain it. It is a widely adopted set of technical and operational requirements intended to protect credit and debit card transactions, and it protects cardholders by limiting the exposure of their account data wherever that data is processed, stored or transmitted.
What are the differences?
PCI DSS defines the security requirements for protecting payment card account data and includes testing procedures and guidance to help organizations understand what each requirement means. Its twelve requirements are grouped under six control objectives:
- Build and maintain a secure network and systems. Firewalls (or equivalent network security controls) must be configured to protect cardholder data, and vendor-supplied default passwords and settings must not be used; the controls should be effective without inconveniencing cardholders or merchants.
- Protect cardholder data wherever it is stored, and keep storage to the minimum the business needs. Stored primary account numbers (PANs) must be rendered unreadable (for example by strong encryption, truncation or tokenization), sensitive authentication data must not be retained after authorization, and cardholder data must be encrypted with strong cryptography when transmitted over open, public networks such as the internet.
- Maintain a vulnerability management program. Systems must be protected against malware with anti-malware software that is kept current, and security patches from software and operating system vendors must be installed promptly (PCI DSS expects critical patches within one month of release) so that known weaknesses are not left exploitable.
- Implement strong access control measures. Access to cardholder data and the systems that handle it should be restricted to those with a business need to know, each user should have a unique ID so that actions are attributable, and physical access to cardholder data must be controlled as carefully as electronic access.
- Regularly monitor and test networks. All access to network resources and cardholder data must be logged and monitored, and security systems and processes must be tested regularly (vulnerability scans and penetration tests) to ensure the controls are in place, functioning properly and kept up to date.
- Maintain an information security policy that addresses security for all personnel. The policy must be defined, maintained, communicated and followed at all times by every participating entity; compliance is validated through self-assessment questionnaires or assessments by a Qualified Security Assessor, and the card brands and acquirers can impose penalties for non-compliance.
The NIST Cybersecurity Framework provides broad security and risk management outcomes that an organization tailors to the environment being assessed; which outcomes apply, and how far, is a discretionary decision that depends on the scenario. By using the Framework, organizations can determine which activities matter most to critical operations and service delivery. As a common language for addressing cybersecurity risk, it improves awareness, communication and understanding among IT, planning and operating units, and senior management. The Framework also addresses the cost and cost-effectiveness of cybersecurity risk management and helps manage risk for assets that are not under a team's direct control, such as supplier-operated or cloud-hosted systems.
How do they work?
While both address common security goals and principles, they are not interchangeable. The NIST Cybersecurity Framework identifies general security outcomes and activities (its Core groups them under the Functions Identify, Protect, Detect, Respond and Recover, with Govern added in CSF 2.0), while PCI DSS prescribes specific, testable requirements for how to achieve those outcomes in payment environments.
PCI DSS and the NIST Cybersecurity Framework share a goal: to improve data security. Mapping PCI DSS requirements to Framework outcomes gives organizations a resource for understanding how to align their security efforts to meet the objectives of both.
How should stakeholders use these together?
The PCI Security Standards Council published a mapping document (Mapping PCI DSS v3.2.1 to the NIST Cybersecurity Framework v1.1, 2019) that aligns the practices common to the two and shows how meeting PCI DSS requirements helps achieve Framework outcomes for payment environments.
Stakeholders can use this mapping to identify opportunities for greater alignment between organizational security objectives and better control efficiency: places where one control implementation satisfies both a PCI DSS requirement and a Framework outcome. An entity's own evaluation of how effectively its controls are implemented can also help it prepare for a PCI DSS assessment, a Framework-based assessment, or both.
Contact I.S. Partners for Assistance
Both the NIST Cybersecurity Framework and PCI DSS take time to implement, depending on the resources, capabilities and needs of an organization. Neither dictates particular products or services, so organizations remain free to choose the tools that fit them while still meeting the expected level of protection.
For more information on either PCI or NIST compliance, send us a message or call us at 215-675-1400.