The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. PCI DSS “was created to increase controls around cardholder data to reduce credit card fraud via its exposure.”1 “[The] ISO/IEC 27001 standard is a specification for an information security management system (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.”2
While both standards focus on information security, ISO/IEC 27001 is suitable for every type of organization, whereas PCI DSS applies specifically to organizations that store, process or transmit payment card data, whether in e-commerce or card-present environments.
What if those two standards were to be combined? Is that feasible? What are the differences between the standards?
This article examines how PCI DSS 3.1 and ISO/IEC 27001:2013 can be used together, and compares and contrasts the pros and cons of the two standards.
PCI DSS
PCI DSS is a standard developed by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB, to protect cardholder data and other sensitive payment information.3 The standard is organized into six goals and 12 requirements (figure 1).
These 12 requirements are addressed at a high level in the ISO/IEC 27001:2013 standard developed by ISO and the IEC. Figure 2 shows a high-level mapping of the 12 PCI DSS requirements to ISO/IEC 27001:2013 clauses.
Validation of compliance is performed by assessors authorized by the PCI Security Standards Council: a Qualified Security Assessor (QSA) conducts the on-site assessment, and an Approved Scanning Vendor (ASV) performs the quarterly external vulnerability scans.4 Depending on the merchant’s size and level, the organization may instead complete a self-assessment questionnaire (SAQ), and an Internal Security Assessor (ISA), an employee qualified by the Council, may conduct the assessment internally.
Figure 3 illustrates the four PCI DSS compliance levels, which are assigned on the basis of the number and type of transactions processed annually. Figure 4 depicts the corresponding levels defined by JCB, and figure 5 those defined by American Express. These three figures show, for each annual transaction volume, which validation method applies, so that a chief information security officer (CISO) can readily determine whether a self-assessment questionnaire, a quarterly external vulnerability scan or an on-site assessment is required.
ISO/IEC 27001 Standard
ISO/IEC 27001:2013 follows the high-level structure of Annex SL and contains seven main clauses: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.5 Annex SL is a common format for management system standards that streamlines the creation of new standards and makes implementing several standards within one organization easier. It was created by the ISO Technical Management Board’s (TMB) Joint Technical Coordination Group (JTCG).6 Using the same clause titles defined in Annex SL is useful for organizations that choose to operate a single management system meeting the requirements of two or more management system standards. Although ISO/IEC 27001:2013 no longer prescribes the Plan-Do-Check-Act (PDCA) cycle that the 2005 edition did, the seven clauses can still be mapped onto the cycle as shown in figure 6.
Annex A of ISO/IEC 27001:2013 contains 14 control domains, shown in figure 7, and 114 controls.
Comparison of the Standards
InformationShield has developed a table that provides a high-level mapping between the security requirements of PCI DSS and the controls of ISO/IEC 27001.7
Combining PCI DSS and ISO/IEC 27001 is recommended because together they give an organization a more complete information security solution: ISO/IEC 27001 supplies the management system, and PCI DSS supplies the prescriptive technical controls for cardholder data. ISO/IEC 27001 is more flexible than PCI DSS because all of its controls are written at a high level and are selected on the basis of the organization’s risk assessment, whereas PCI DSS specifies exactly which controls must be in place.
“The organizations have to determine the boundaries and applicability of the information security management system to establish its scope.”8 Thus the scope of an ISO/IEC 27001 ISMS is chosen by the organization, whereas the scope of PCI DSS is fixed: the cardholder data environment, that is, the people, processes and technology that store, process or transmit cardholder data, together with any connected system that could affect its security.
Although the Annex A controls in ISO/IEC 27001 are selected by the organization through its risk assessment, with any exclusions justified in the Statement of Applicability, the requirements in PCI DSS are compulsory; where a requirement cannot be met as written, only a documented compensating control that meets the intent of the requirement is accepted.
Because ISO/IEC 27001 is more flexible than PCI DSS, it is generally easier to conform to ISO/IEC 27001: the organization chooses its own scope and controls rather than being held to a fixed set.
When comparing costs, establishing a typical information security management system (ISMS) and completing one PDCA cycle costs approximately US $150,000 in a typical organization. The cost of a typical PDCA cycle includes:9
- The costs caused by information security incidents
- The costs of managing information security
- The costs related to information security measures
- The costs of capital induced by information security risk
By contrast, the cost of PCI DSS compliance ranges from approximately US $120,000 to US $700,000, depending on the merchant’s compliance level.
And what about auditing? ISO/IEC 27001 certification runs on a three-year cycle: a full recertification audit every three years, with surveillance audits of narrower scope at least once a year in between. In contrast, a level 1 merchant under PCI DSS must pass four quarterly external vulnerability scans by an ASV each year and an annual on-site assessment by a QSA (or a qualified ISA).
PCI DSS assigns merchants to compliance levels, but these are based on annual transaction volume and determine the required validation method, not the maturity of the organization’s security program; ISO/IEC 27001 has no levels at all: an organization is either certified or not.
Mapping of PCI DSS and ISO/IEC 27001 is shown in figure 8.
Conclusion
PCI DSS is a standard that protects cardholder data, whereas ISO/IEC 27001 is a specification for an information security management system. The mapping between PCI DSS and ISO/IEC 27001 is vital information for managers tasked with conforming to either standard in their organizations. Combining PCI DSS and ISO/IEC 27001 is recommended because together they give organizations a more complete information security solution than either standard alone.
Endnotes
1 CDS, PCI Security Standards Council
2 International Organization for Standardization, Technical Committees, www.iso.org/iso/home/standards_development/list_of_iso_technical_committees.htm
3 PCI Security Standards Council, What Is the PCI Security Standards Council?, www.pcisecuritystandards.org/security_standards/role_of_pci_council.php
4 PCI Security Standards Council, Payment Card Industry Data Security Standard Approved Scanning Vendors, May 2013, http://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf
5 Tangen, S.; A. Warris; “Management Makeover - New Format for Future ISO Management System Standards,” International Organization for Standardization, 18 July 2012, www.iso.org/iso/news.htm?refid=Ref1621
6 The 9000 Store, ISO 9001:2015 in Detail: What is the New Annex SL Platform?, www.the9000store.com/iso-9001-2015-annex-sl.aspx
7 InformationShield, PCI-DSS Policy Mapping Table
8 International Organization for Standardization, ISO/IEC 27001 Information Technology—Security Techniques—Information Security Management Systems—Requirements, www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
9 Brecht, M.; T. Nowey; A Closer Look at Information Security Costs, working paper, The Workshop on the Economics of Information Security, www.econinfosec.org/archive/weis2012/papers/Brecht_WEIS2012.pdf
Tolga Mataracioglu, CISA, CISM, COBIT Foundation, CCNA, CEH, ISO 27001 LA, BS 25999 LA, MCP, MCTS, VCP, is chief researcher at TUBITAK BILGEM Cyber Security Institute in Turkey. He is the author of many papers about information security published nationally and internationally. His areas of specialization are system design and security, operating systems security, information security management systems, business continuity, COBIT, and social engineering.