PCI-DSS VS ISO 27001 STANDARDS
INTRODUCTION:
PCI-DSS and ISO 27001 are organized in sets of requirements for the cardholder data process. PCI-DSS has 12 sets of elements; there are about 250 controls based on securing credit card information. In ISO 27001, there are 11 sets of elements with 114 controls based on improving an ISMS, planning, running, implementing, monitoring. In this article, I’m going to discuss and examines the interoperability of PCI-DSS and ISO/IEC 27001 and also some of the pros and cons of the PCI-DSS and ISO/IEC 27001 standards.
PCI-DSS STANDARD:
PCI-DSS is a standard of data security for the credit card organizations, and it also applies only to companies that have the process, store, or transmit credit card data. Compliances with the standard are mandatory, though depending on the full range of cards processed. PCI-DSS is a card data security standard developed by a council consisting of Visa, MasterCard, American Express, Discover and JCB to protect the payment card and cardholder’s sensitive information processed by organizations.
ISO 27001 STANDARD:
ISO 27001 is a standard that includes seven main titles within the scope, such as organization, leadership, planning, support, operation, performance evaluation and improvement. It’s a worldwide recognition, which lays down the requirements for the establishment of an ISMS. It applies to any organization.
HIGH-LEVEL MAPPING OF PCI AND ISO27001
| |
PCI-DSS REQUIREMENTS
|
ISO27001 CLAUSE
|
| 1. Install and maintain a firewall configuration to protect cardholder data. | A-12: Operations Security
A-13: Communications Security
|
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters. | A-12: Operations Security
A-13: Communications Security
|
| 3. Protect stored cardholder data. | A-12: Operations Security
A-13: Communications Security
|
| 4. Encrypt transmission of cardholder data across open, public networks. | A-14: System acquisition, development and maintenance. |
| 5. Protect all systems against malware and regularly update antivirus software or programs. | A-14: System acquisition, development and maintenance. |
| 6. Develop and maintain secure systems and applications. | A-14: System acquisition, development and maintenance. |
| 7. Restrict access to cardholder data by business need to know | A-12: Operations Security
A-13: Communications Security
|
| 8. Identify and authenticate access to system components. | A-12: Operations Security
A-13: Communications Security
|
| 9. Restrict physical access to cardholder data. | A-11: Physical and environmental security |
| 10. Track and monitor all access to network resources and cardholder data. | A-12: Operations Security
A-13: Communications Security
|
| 11. Regularly test security systems and process. | A-14: System acquisition, development and maintenance
A-6: Organization of Information security
A-18: Compliance
|
| 12. Maintain a policy that addresses information security for all personnel. | A-5: Information security policies |
COMPARISON OF PCI-DSS AND ISO 27001
It is recommended and required that both PCI-DSS and ISO27001 provides better solutions for risk management to Card data Industry and other organizations. The ISO 27001 is better than that of PCI-DSS standards as all the controls have been written at a high level. There are compliance levels in PCI-DSS to measure the maturity level of the company, but no compliance levels exist in ISO 27001. “The organizations have to determine the boundaries and applicability of the information security management system to establish its scope.” When comparing the scope of the two standards, scope selection in ISO/IEC 27001 depends on the company; however, the scope is exactly the credit cardholder information in PCI-DSS.
The controls in ISO 27001 are a suggestion to all the organizations, and also it is important to note that the controls in PCI-DSS standards are mandatory to payment and Cardholder data organizations.
Were the ISO 27001 contains more requirements than PCI-DSS, it is easier to comply with the ISO 27001 standard to the organizations.
According to the costs, establishing a partial (ISMS) audit and PDCA cycle which cost more to the organization as it a mandatory.
In an organization, the re certification auditing of ISO 27001 is performed in every three-year cycles, and internal scope auditing is conducted. There are also surveillance audits that are done at least once. In every PCI-DSS auditing, there are four network scanning audits and a Level 1 onsite audit.
MAPPING OF PCI-DSS AND ISO 27001
| ||
PARAMETER
|
ISO27001
|
PCI-DSS
|
| Creator | ISO | PCI Council |
| Flexibility | High | Low |
| Scope | Depends on the company | Credit cardholders information |
| Controls applied | Flexible | Tight |
| Controls | High-Level | Low-Level |
| Compliance | Easy | Hard |
| Number of Controls | 114 | 224 |
| Auditing | Three-year cycles and a small-scope audit performed every year | Four network scanning audits and an onsite audit for level 1 |
| Certification | Maybe given to all companies | Any companies that provide information security for critical paying processes |
| Compliance level | Does not exist | Exists |
CONCLUSION:
PCI-DSS is a standard which handles Security for Cardholder data, whereas ISO 27001 is a specified to the Information Security and Management of the Organization. Mapping of PCI-DSS and ISO/IEC 27001 standards is optional information for managers who are assigned with ensuring to either standard in their organizations. It is recommended that PCI-DSS and ISO/IEC 27001 must be combined to give a better solution to risk mitigation and secure the organization of Cardholder data.
REFERENCE:
ISACA: https://www.isaca.org/
ISO STANDARDS: https://www.iso.org/standards.html
AUTHOR
Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/
Posts
