Professional Documents
Culture Documents
Comparison of PCI DSS and ISO IEC 27001 Standards Joa Eng 0116
Comparison of PCI DSS and ISO IEC 27001 Standards Joa Eng 0116
developed by the ISO and the IEC. Figure 2 shows high-level Figure 3—Compliance of PCI DSS
mapping of these 12 PCI DSS requirements to ISO/IEC
Merchant
27001:2013 clauses. Level Merchant Definition Compliance
Companies must be audited by a qualified security
Level 1 More than 6 million Annual onsite PCI data
assessor (QSA) and an approved scanning vendor (ASV) in V/MC transactions annually security assessment and
predetermined periods that have been authorized by the PCI across all channels, quarterly network scans
Council.4 Further, the Internal Security Assessor (ISA) can including e-commerce
perform assessments using self-assessment questionnaires Level 2 1,000,000-5,999,999 Annual self-assessment
(SAQs), depending on the size and the level of the merchants. V/MC transactions annually and quarterly network
scans
Figure 3 illustrates the compliance of PCI DSS in four
different levels based on number and type of transactions. Level 3 20,000-1,000,000 V/MC Annual self-assessment
e-commerce transactions and quarterly network
Figure 4 depicts the compliance of JCB. Figure 5 portrays annually scans
the compliance of American Express. These three figures
Level 4 Less than 20,000 V/MC Annual self-assessment
help organizations by providing information on how to audit e-commerce transactions and annual network scans
information security within the context of the number of annually and all merchants
transactions performed annually. By using the information across channel up
to 1,000,000 VISA
in the following figures, chief information security officers transactions annually
(CISOs) can easily decide in what circumstances to perform Source: Tolga Mataracioglu. Reprinted with permission. Based on Compliance
a self-assessment, a security scan or an on-site review for Resource Kit, What Is PCI DSS, complianceresourcekit.com/index.php?
auditing information security. option=com_content&task=view&id=67
If cardholder data and transaction data are not handled via the Internet or Internet-accessible network
Merchants Payment Processors
One million JCB transactions or more Less than 1 million JCB transactions per Regardless of the number of
per year year JCB transactions
Self-assessment N/A ✓ N/A
Security scan N/A N/A N/A
Onsite review Yearly N/A Yearly
Source: Tolga Mataracioglu. Reprinted with permission. Based on JCB, JCB Data Security Program, partner.jcbcard.com/security/jcbprogram/index.html
ISO/IEC 27001 STANDARD Coordination Group (JTCG).6 Using the same titles defined
This standard includes seven main titles within the scope in the annex SL is useful for those organizations that choose
of annex SL: organization, leadership, planning, support, to operate a single management system that meets the
operation, performance evaluation and improvement.5 Annex requirements of two or more management system standards.
SL is a new management system format that helps streamline Although ISO/IEC 27001 does not suggest a Plan-Do-Check-
creation of new standards and make implementing multiple Act (PDCA) cycle, the seven titles can be mapped into the
standards within one organization easier. It was created by cycle as shown in figure 6.
ISO Technical Management Board’s (TMB) Joint Technical
5. Leadership
10. Improvement
4. Context of the
Requirements Organization 6. Planning Managed Risks
9. Performance Evaluation
7. Support
8. Operation
Check Do
Source: Tolga Mataracioglu. Reprinted with permission.
Figure 8—Mapping of PCI DSS and ISO/IEC 27001:2013 Technical Commitees, www.iso.org/iso/home/standards_
development/list_of_iso_technical_committees.htm
ISO/IEC 27001:2013
Parameter Standard PCI DSS 3 PCI Security Standards Council, What Is the PCI Security
Creator ISO PCI Council Standards Council?, www.pcisecuritystandards.org/
security_standards/role_of_pci_council.php
Flexibility High Low
4 PCI Security Standards Council, Payment Card Industry
Scope Depends on the Credit cardholders’
Data Security Standard Approved Scanning Vendors,
company information
May 2013, https://www.pcisecuritystandards.org/
Controls applied Flexible Tight
documents/ASV_Program_Guide_v2.pdf
Controls High-level Low-level 5 Tangen, S.; A. Warris; “Management Makeover - New
Control types “Should” “Must” Format for Future ISO Management System Standards,”
Compliance Easy Hard International Organization for Standardization, 18 July
Number of controls 114 224 2012, www.iso.org/iso/news.htm?refid=Ref1621
Auditing Three-year cycles Four network 6 The 9000 Store, ISO 9001:2015 in Detail: What is the
and a small-scope scanning audits and New Annex SL Platform?, the9000store.com/
audit performed an onsite audit for iso-9001-2015-annex-sl.aspx
every year level 1
7 InformationShield, PCI-DSS Policy Mapping Table,
Certification May be given to all Any companies that www.informationshield.com/papers/ISO27002%20PCI-
companies provide information
DSS%20V3%20Policy%20Map.pdf
security for critical
paying processes International Organization for Standardization,
8
Compliance level Does not exist Exists ISO/IEC 27001 Information Technology—Security
Techniques—Information Security Management
Source: Tolga Mataracioglu. Reprinted with permission.
Systems—Requirements, www.iso.org/iso/iso_catalogue/
catalogue_tc/catalogue_detail.htm?csnumber=42103
9 Brecht, M.; T. Nowey; A Closer Look at Information
Security Costs, working paper, The Workshop on the
Economics of Information Security, www.econinfosec.org/
archive/weis2012/papers/Brecht_WEIS2012.pdf