Mapping PCI DSS v. 3.2.1 to the NIST Cybersecurity Framework v. 1.1
How meeting PCI DSS requirements can help toward achieving Framework outcomes for payment environments. On the blog, we cover basic questions about the newly released Mapping of PCI DSS to the NIST Cybersecurity Framework (NCF) with PCI SSC Chief Technology Officer Troy Leach.
What is the mapping document that PCI SSC has put together?
Based on feedback from stakeholders, the PCI SSC felt it would be helpful for organizations to understand how the PCI Data Security Standard (PCI DSS) is similar to or different from the NIST Cybersecurity Framework. What we have developed is a mapping resource that illustrates how meeting PCI DSS requirements may help demonstrate achieving NIST Framework outcomes for payment environments.
What is the difference between the PCI DSS and NIST Cybersecurity Framework?
The NIST Cybersecurity Framework provides an overarching security and risk-management structure for voluntary use by U.S. critical infrastructure owners and operators. Simply put, the NIST Cybersecurity Framework provides broad security and risk management objectives with discretionary applicability based on the environment being assessed. PCI DSS defines security requirements for the protection of payment card data specifically, as well as validation procedures and guidance to help organizations understand the intent of the requirements.
So are PCI DSS and the NIST Framework interchangeable?
No, they are not. Both PCI DSS and the NIST Cybersecurity Framework are solid security approaches that address common security goals and principles as relevant to specific risks. While the NIST Cybersecurity Framework identifies general security outcomes and activities, PCI DSS provides specific direction and guidance on how to meet security outcomes for payment environments. Because they are intended for different audiences and uses, they are not interchangeable, and neither one is a replacement for the other.
How should stakeholders use the mapping document put out by the PCI SSC?
Stakeholders can use this mapping to identify opportunities for control efficiencies and greater alignment between organizational security objectives. For example, the mapping can help identify where the implementation of a particular security control can support both a PCI DSS requirement and a NIST Cybersecurity Framework outcome. Additionally, an entity’s internal evaluations to determine the effectiveness of implemented controls may help the entity prepare for either a PCI DSS or NIST Cybersecurity Framework assessment, or both.
Where can stakeholders find more information about the PCI SSC’s PCI DSS to NIST mapping resources?
I would encourage people to check out our website for additional information. We have wonderful resources that illustrate and explain the mapping. For more information, please download: