Credit cards

Why Integrate ISO/IEC 27001 and PCI DSS?

The PCI DSS and ISO/IEC 27001 are not significantly different in their requirements for data security (Wright). Both are standards for information security management in organizations; however, each lacks elements that would make it more secure, and the good news is that each contains details that supplement the other, so an organization can have the best of both worlds. Even though they share the goal of protecting and controlling consumer data, they differ in several ways. They are similar in that both require regular audits and scans of systems to demonstrate compliance and to follow industry best practices. There are, however, many differences. The PCI DSS standard is mainly recognized in North America and Europe; compliance is mandatory; it has functional levels (Merchants and Service Providers); all of its requirements must be met; the separation of systems is high; flexibility is low; it does not mention any prerequisite requirements for the management framework; and it applies to credit card holder information. By comparison, ISO/IEC 27001 is internationally recognized, compliance is voluntary, the separation of systems is low, the degree of flexibility is high, and there is little detail on how controls are actually implemented. However, the corresponding code of practice, ISO/IEC 27002, provides more detailed guidance on how ISO/IEC 27001 controls are implemented.

The ISO/IEC 27001 standard is more flexible in terms of scope, controls, compliance, and enforcement (Wright). It is designed to be applicable to a variety of organizations across industries around the world and to work with other standards and regulations. Because the standard is voluntary, its controls are more of a suggestion, and a company may decide which controls apply to its particular scope. The controls in PCI DSS are much stricter and more specific; companies must comply with every requirement listed in the standard. This strictness makes it difficult for organizations to become compliant given the variety of organizations and their functions; the lack of flexibility can be a hindrance to establishments such as small businesses, which often have a hard time achieving PCI DSS compliance. A comprehensive solution that fills the gaps between the two standards is to integrate ISO/IEC 27001 and PCI DSS. Some PCI DSS requirements are covered by ISO/IEC 27001, so while an organization meets the requirements of one standard, parts of the other are met as well. While ISO/IEC 27001 is essentially focused on control objectives, PCI DSS combines control objectives with its own specific controls and can compensate for ISO/IEC 27001’s omission of specific control implementation. The two standards should also be integrated because PCI DSS is meant to deal with data security for credit card information and therefore lacks objectives, scope, and management for other data and control measures. Using ISO/IEC 27001 covers all aspects of information security that an organization may need, including controls that embrace the PCI DSS standard.

Because ISO/IEC 27001 covers a broad spectrum of security, the control objectives in the PCI DSS framework can be mapped (Appendix B: PCI and ISO/IEC 27001 Relationship Matrix) to sections of ISO/IEC 27001 dealing primarily with access control, communication, development and maintenance (ISO 27001 Implementer’s Forum).

It can be concluded that a standard with as specific a design as PCI DSS should be used in conjunction with a security standard such as ISO/IEC 27001 to achieve a strong Information Security Management System (ISMS) that gives a better understanding of which controls are in place and how they are managed. Implementing the management-system aspect of ISO/IEC 27001 also ensures continuous improvement of an organization’s information security program.

Combining PCI DSS 3.0 and ISO 27001 for a Single, Comprehensive Framework

By implementing both PCI DSS 3.0 and ISO 27001, businesses can create a system that allows support for multiple regulations under a single framework.

Online payment is now commonly used for everything from online shopping to paying tuition fees. With endless accounts of information leaks and identity theft all around the world, credit card payment information has emerged as one of the most critical security risks for most individuals. For businesses, the security of online transactions is critical for building and retaining customer trust.

In light of this, the PCI Security Standards Council (PCI SSC) recently released version 3.0 of its guidelines for securing online transactions, the PCI Data Security Standard (PCI DSS). The new revision bolsters the security of online credit card transactions through six new control objectives, which include 12 requirements for compliance. Since PCI DSS 3.0 emphasizes end-to-end improvements for the entire online transaction process, it will have implications for online payment platforms, financial institutions, and any other business that relies on online transactions. Due to growth in industries such as gaming, tourism, hospitality and construction, credit card transactions have also increased significantly.

Businesses can look to ISO 27001 for inspiration, focusing on making changes in three areas: following guidelines, assessing data and processing data. By implementing both PCI DSS 3.0 and ISO 27001, businesses can create a system that allows support for multiple regulations under a single framework. Not only does this approach completely support existing credit card transaction standards, it also provides significant improvements and reduced complexity in the management of human resources, costs and time.