The UCF Team has mapped NIST’s Cybersecurity Framework, version 1.1, to PCI DSS 3.2 as well as the testing procedures for PCI DSS 3.2. There is very little direct overlap between the two, so don’t mistake one for the other! PCI DSS 3.2 is indeed very prescriptive (and NIST Cybersecurity is anything but). However, there’s a great deal PCI DSS has to offer for specific areas of Cybersecurity that NIST just doesn’t cover.
There are many documents and methodologies for crosswalking, harmonizing, mapping or unifying one regulation or standard to another. Of Google’s half a million references for mapping one compliance document to the other, only three of them state their mapping rules explicitly. A great deal of compliance mapping is guesswork. Art. Not science. It is based on a “best guess” at what the mapping might be. There is nothing wrong with art or artists, except when they pretend to be scientists. In order to scientifically map compliance documents, an integrated set of processes and tools must be followed to aggregate and harmonize all compliance requirements applicable to an organization. The defining requirements include the ability to:
If you compare the two documents using actual terminology and advanced semantic crosswalking rules, you’ll see that NIST Cybersecurity has 106 unique mandates, PCI DSS has 351 unique mandates, and the two of them only share 26 overlapping mandates. That’s it!
We’ve created a great download for you. It includes our guide on how we mapped the documents together, as well as both PDF documents and spreadsheets examining the mapping between the two sets of documents from both points of view (PCI to NIST, NIST to PCI).