
PCI DSS doesn’t equal Cybersecurity - But it sure helps!

November 7, 2018 | News/Articles

The UCF Team has mapped NIST’s Cybersecurity Framework, version 1.1, to PCI DSS 3.2 and to the PCI DSS 3.2 testing procedures. There is very little direct overlap between the two documents, so don’t mistake one for the other. PCI DSS 3.2 is highly prescriptive, stating exactly what must be configured and how it is tested, while the NIST Cybersecurity Framework is an outcome-oriented framework that is anything but prescriptive. That difference is also why PCI DSS has a great deal to offer in specific areas of cybersecurity that the NIST framework simply does not cover.

How does the UCF team know for certain that they don’t overlap?

There are many documents and methodologies for crosswalking, harmonizing, mapping or unifying one regulation or standard to another. Of the roughly half a million Google results for mapping one compliance document to another, only three state their mapping rules explicitly. A great deal of compliance mapping is therefore guesswork: art, not science, based on a “best guess” at what the mapping might be. There is nothing wrong with art or artists, except when they pretend to be scientists. To map compliance documents scientifically, an integrated set of processes and tools must be followed to aggregate and harmonize all of the compliance requirements that apply to an organization. The defining requirements include the ability to:

  1. Extract Mandates: Define rules to extract Mandates from Citations within Authority Documents.
  2. Map Mandates to Common Controls: Map the Mandates from all Citations to Common Controls and, when necessary, create new Common Controls.
  3. Report Mapping Accuracy: Calculate the percentage match accuracy when tagging Mandates and mapping them to Common Controls.

The Unified Compliance Framework’s mapping process follows all three. We’ve documented how we do this in our attached guide, Crosswalking-and-Harmonization-Rules-Explained.pdf.
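The three steps above are a procedure, and the reason two documents can share only a handful of mandates is easiest to see once they are both expressed against the same set of Common Controls. The following is an added illustration written for this page, not UCF’s tooling or the rules in the attached guide: the control IDs, citation labels and mandate texts are constructed, and the “percent of match” is an assumed term-overlap (Jaccard) score chosen for readability, not UCF’s actual scoring rule. Step 1 reduces each mandate to key terms, step 2 maps it to the best-scoring Common Control (minting a new one when nothing scores above a threshold), and step 3 reports the accuracy and the overlap from both points of view.

```python
"""Toy compliance crosswalk: extract mandates, map to common controls, report overlap.

Constructed illustration. Control IDs, citations and mandate texts are made up
and are not UCF, NIST or PCI SSC material; the Jaccard score is an assumed rule.
"""
import re
from dataclasses import dataclass

# Words that carry no mapping signal; an assumed list, not a UCF term set.
STOP_WORDS = {"the", "a", "an", "of", "for", "to", "and", "all", "is", "are",
              "be", "must", "shall", "should", "that", "in", "on", "with", "by",
              "over", "across", "within", "it", "anywhere"}


@dataclass(frozen=True)
class Mandate:
    doc: str        # authority document the mandate was extracted from
    citation: str   # citation within that document (constructed labels)
    text: str       # the imperative statement extracted from the citation


def key_terms(text: str) -> frozenset:
    """Step 1: reduce a mandate (or control) to its distinguishing terms."""
    return frozenset(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP_WORDS)


def match_accuracy(mandate_terms: frozenset, control_terms: frozenset) -> float:
    """Step 3 scoring: share of terms in common (Jaccard), 0.0 .. 1.0. Assumed rule."""
    if not mandate_terms or not control_terms:
        return 0.0
    return len(mandate_terms & control_terms) / len(mandate_terms | control_terms)


def map_mandates(mandates, controls, threshold=0.5):
    """Step 2: map each mandate to the best-scoring common control.

    `controls` is a dict of control id -> term set and is extended in place when
    no existing control reaches `threshold` (a new Common Control is created).
    Returns {(doc, citation): (control id, score)}.
    """
    mapping = {}
    for m in mandates:
        terms = key_terms(m.text)
        best_id, best_score = None, 0.0
        for cid, cterms in controls.items():
            score = match_accuracy(terms, cterms)
            if score > best_score:
                best_id, best_score = cid, score
        if best_score < threshold:
            best_id = f"CC-{len(controls) + 1}"
            controls[best_id] = terms
            best_score = 1.0  # a control minted from this mandate matches it exactly
        mapping[(m.doc, m.citation)] = (best_id, round(best_score, 3))
    return mapping


def overlap_report(mapping, doc_a, doc_b):
    """Controls reached by both documents, and each document's share of the other
    (the two points of view: A-to-B and B-to-A)."""
    controls_a = {cid for (doc, _), (cid, _) in mapping.items() if doc == doc_a}
    controls_b = {cid for (doc, _), (cid, _) in mapping.items() if doc == doc_b}
    shared = controls_a & controls_b

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    return {
        "shared": sorted(shared),
        f"{doc_a} controls": len(controls_a),
        f"{doc_b} controls": len(controls_b),
        f"{doc_a}->{doc_b} %": pct(len(shared), len(controls_a)),
        f"{doc_b}->{doc_a} %": pct(len(shared), len(controls_b)),
    }


# Constructed seed set of Common Controls (not UCF's catalogue).
COMMON_CONTROLS = {
    "CC-1": key_terms("Require multi-factor authentication for remote access"),
    "CC-2": key_terms("Encrypt cardholder data in transmission over open public networks"),
    "CC-3": key_terms("Maintain an inventory of hardware and software assets"),
}

# Constructed mandates; citation labels are invented, not real NIST or PCI references.
MANDATES = [
    Mandate("NIST CSF", "N-1", "Identities are authenticated with multi-factor authentication for remote access"),
    Mandate("NIST CSF", "N-2", "An inventory of hardware assets is maintained"),
    Mandate("NIST CSF", "N-3", "Data-in-transit is protected"),
    Mandate("PCI DSS", "P-1", "Incorporate multi-factor authentication for all remote network access"),
    Mandate("PCI DSS", "P-2", "Encrypt transmission of cardholder data across open, public networks"),
    Mandate("PCI DSS", "P-3", "Render PAN unreadable anywhere it is stored"),
]


def run_crosswalk():
    """Run all three steps on a fresh copy of the seed controls."""
    controls = dict(COMMON_CONTROLS)
    mapping = map_mandates(MANDATES, controls)
    return mapping, overlap_report(mapping, "NIST CSF", "PCI DSS")


if __name__ == "__main__":
    mapping, report = run_crosswalk()
    for key, (cid, score) in mapping.items():
        print(f"{key[0]} {key[1]} -> {cid} ({score:.0%} match)")
    print(report)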

What overlaps and what doesn’t?

If you compare the two documents using their actual terminology and advanced semantic crosswalking rules, you’ll find that the NIST Cybersecurity Framework has 106 unique mandates, PCI DSS has 351 unique mandates, and the two share only 26 overlapping mandates. That’s it!

Don’t take our word for it; read it yourself.

We’ve created a download for you. It includes our guide on how we mapped the documents to each other, as well as PDF documents and spreadsheets examining the mapping between the two sets of documents from both points of view (PCI to NIST, and NIST to PCI).

Happy Reading!