How to Map PCI DSS to the NIST Cybersecurity FrameworkPublished December 3, 2019 by Shanna Nasiri • 4 min read
Organizations face an increasing number of compliance metrics. Risk management is of paramount importance and is feeding the need for governance. Terms like PCI DSS and NIST CSF are two frameworks that help enhance data security and manage risk.
Often, it is the confusion on where businesses need to start that prevents them from taking action at all. It is important first to understand what PCI and NIST do, how they are related to each other, and how they are different to prevent analysis paralysis.
What Is PCI DSS?
The Payment Card Industry Data Security Standards (PCI DSS) were created to standardize the way all organizations that accept, process, transmit, and store credit card information securely. The requirements mandated by the PCI Security Standards Council (PCI SSC) are both technical and operational in nature. The council manages the security standards, security requirements, and security controls related to securing credit card information. PCI DSS Requirements are made up of security best practices, which are also known as common-sense steps. If you are an organization that stores, processes, or transmits payment card data, you are required to comply with PCI DSS.
The PCI Data Security Standard Goals are:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
What Is NIST?
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce and was originally founded to help the United States better compete with economic rivals. NIST has several divisions. The one that most closely aligns with cybersecurity standards is the Computer Security Resource Center (CSRC). The CSRC division published the NIST Cybersecurity Framework (NIST CSF) as well as numerous NIST publications like the NIST 800 series. The NIST CSF provides best practices for organizations to successfully design and implement an information security program and design secure information systems. NIST helps organizations better understand security standards, security requirements, and conduct proper risk management.
How Do PCI DSS and NIST Relate to Each Other?
Both PCI DSS and NIST CSF focus on security best practices. PCI DSS was designed with a similar set of standard goals as the NIST cybersecurity framework. Both frameworks share the common mission of enhancing an organization’s overall data security posture. The frameworks’ foundations are network, data, and risk focused.
They share the advice on building a secure network and regularly monitoring and testing the network. Both PCI DSS and NIST go about creating an information security policy in similar ways by defining why the organization is going to secure something, how they are going to secure it, and what is going to be secured.
How Are PCI DSS and NIST different?
The primary difference between the two frameworks really comes down to scope. PCI DSS would not be appropriate for an entire data security program nor would NIST CSF have the right depth for a payment card environment.
The NIST CSF is broadly focused on participating organizations’ risk management programs, where PCI DSS is razor-focused on the cardholder data environment (CDE). NIST CSF is mandatory only for federal entities, where PCI DSS is mandatory for any organization that stores, processes, or transmits payment card data.
The NIST CSF offers best practices, security functions, categories, and sub-categories for an entire program. The PCI DSS has specific goals related to building specific systems and processing environments for payment cards.
Can You Map PCI DSS to the NIST Security Framework?
With all of the background on what PCI DSS and NIST CSF actually do, can an organization map the two together? The frameworks may have different audiences, but an organization would be unable to replace one with the other. Because of this fact, it is simple to map PCI DSS to the NIST Security Framework.
Take, for instance, the way that NIST breaks down the cybersecurity framework into functions, categories, sub-categories, and informative references. The PCI DSS capabilities add substance to the NIST CSF informative references section.
|Function: Identify (ID)|
Asset Management (ID, AM)
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
|ID.AM1 – Physical devices and systems within an organization are inventoried.||NIST SP 800-53
PCI DSS v3.2.1 2.4, 9.9, 11.1.1, 12.3.3
|ID.AM2 – Software platforms and applications within the organization are inventoried.||NIST SP 800-53
PCI DSS v3.2.1 2.4, 12.3.7
PCI DSS and NIST CSF are different sides of the same coin. On one side, PCI DSS has practical best practices for payment card environments, but an organization would not build an entire risk management or information security program with the common sense laid out by PCI.
On the other side of the coin, you have NIST CSF, which brings a wealth of information on how to design and implement a security program while reducing overall environmental risk. In most circumstances, NIST CSF is optional where PCI DSS is always required when it comes to payment card environments.
There is a best-of-both-worlds approach that organizations should consider by leveraging the mapping between PCI DSS and NIST CSF. The PCI Security Standards Council has spent time thinking about the topic of mapping PCI DSS to the NIST CSF, and has published a guide Mapping PCI DSS v3.2.1 to the NIST Cybersecurity Framework v1.1.