PCI DSS 4.0 and ISO 27001 – the dynamic duo | The State of Security

It’s not often we can say this, but 2022 is shaping up to be an exciting time in information governance, especially for those interested in compliance and compliance frameworks.

We started the year in eager anticipation of the new version of the international standard for information security management systems, ISO 27001:2022, soon to be followed by version 4.0 of the PCI DSS standard.  Although we are still waiting for the release of 27001, the release of the guidance (ISO27002:2022) has shown us that the “Annex A” controls have been dramatically improved and updated.

But what has not changed is fundamentally essential for us to establish before we even begin to consider the improvements. PCI DSS is a standard that establishes a baseline for protecting payment card data, while ISO 27001 is an information management system that establishes a framework for protecting data. Both standards focus on technical and organisational controls, but while ISO 27001 is more risk-based, PCI DSS is rule-based.

Please do not underestimate the importance of this.  Organisations (and Consultants) often miss this critical aspect of both standards. Therefore, when we compare PCI DSS and ISO 27001, we’re comparing a set of baseline rules vs a risk-based set of controls. PCI DSS tells you what it expects to see in unambiguous terms, while ISO 27001 expects you to determine what the command will look like.

With this said (and understood), let’s look at new versions of the standards to see what improvements have been made and how they now support each other.

What we know – ISO27001

ISO 27001:2022 is set to be released in Q4 2021, but the guidance on implementing the standard, ISO 27002:2022, was released in February 2022.  We therefore know in advance what the new Controls (often referred to as “Annex A”) will contain. 

Organisations will have approximately 18 to 24 months to transition to the new standard, and there have been quite a few changes to consider. For example, the 114 Annex A controls in the current standard are now reduced to 93, and the structure has changed from 14 clauses to just 4.

58 of the controls have been updated, 24 have been merged, and 11 new controls have been added.

What we know – PCI DSS V4.0.

On 31 March 2022, the PCI Security Standards Council (PCI SSC) released the new version of the standard, which went from 139 pages to 360 pages! Within this considerable piece of work are clarifications, definitions, flow charts, and examples of how to interpret and implement the standard.  I believe this demonstrates a clear understanding by the PCI SSC that previous versions of the standard have been too ambiguous for organisations to understand, which led many to get it wrong.

As with ISO 27001, organisations have 24 months to transition to the new standard, and like ISO 27001, the changes in the new standard are evolutionary, not revolutionary.  For example, of the six clauses (or groups) within PCI DSS, one word has been changed;

PCI DSS v3.2.1 –

1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

PCI DSS V4.0 –

1. Build and Maintain a Secure Network and Systems
2. Protect account Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

This may seem like a small change, but where possible, references to cardholder data have been changed to account data. The terms were used previously, but now the emphasis is placed on account data throughout the standard.  Perhaps in recognition that people aren’t just cardholders any longer.

This highlights something that I believe needs to be considered carefully: to whom does PCI DSS apply?

Version 3.2.1 states that PCI DSS requirements apply to:

“organisations where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted.”

Version 4.0 states that the requirements apply to:

“entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted, and entities with environments that can impact the security of the Cardholder Data Environment (CDE).”

The word “entity” occurs 133 times in V3.2.1, so it is not a new concept. However, in V4.0, the word appears 552 times.

The 12 Requirements of PCI DSS

Unlike the ISO 27001 Annex A controls, the essential structure of PCI DSS has not changed. There are still 12 fundamental requirements to be addressed.  But the wording has changed and, in my opinion, improved considerably.

PCI DSS v3.2.1

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by businesses need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

PCI DSS v4.0

1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security within organisational policies and programs.

There is a lot to unpack here, and each of the above will be discussed in detail in subsequent blogs and papers, but I’m a great believer in keeping things simple. Review carefully and consider each requirement and consider how the wording has changed.

Consider why the wording has changed and what that could mean to you and your business.

ISO 27001 and PCI DSS – The Dynamic Duo

The changes made in both standards have been much needed and highly anticipated. But it’s essential to consider the things that have not changed as much as those that have.  What we know about the standards are;

Flexibility –

• PCI DSS – Very low
• ISO 27001 – Very high

Scope –

• PCI DSS – Account data
• ISO 27001 – Depends on the organisation

Control requirements

• PCI DSS – Prescriptive and well defined
• ISO 27001 – High level and risk-based

Direction

• PCI DSS – ‘Must’ apply the control
• ISO 27001 – Inclusion or exclusion is determined by risk

 Conclusion

The new standards bring much-needed clarity and remove ambiguity, which has existed in previous versions. I am often asked which standard is better and which should organisations implement, and when they do, my response is always the same “It depends on what you’re doing and what you want to achieve”.  But I would always add that it shouldn’t be an ‘either-or’ situation. 

ISO 27001:2022 continues to be a risk-based management system that benefits any organisation wishing to implement security in a structured way.  But if you’re processing payment card data, i.e., account data, you need PCI DSS v4.0.  On their own, they are fundamentally important to improving security, but together, they are extremely powerful and helpful in delivering a robust security framework.

Like Batman and Robin, this Dynamic Duo can help protect our digital lives and keep the bad guys at bay. Yes, you can have one without the other, but they are so much better together.

About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.

You can follow Gary on Twitter here: @AgenciGary

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.