Simplifying Compliance

A GUIDE TO ALIGNING
P C I D S S V4 W I T H I S O/ I E C 270 01 : 2 0 2 2

PUBLIC | V1.0
In today’s digital age, information
security remains paramount for
organisations worldwide.
Two pivotal standards — the Payment
Card Industry Data Security Standard
(PCI DSS V4.0) and ISO/IEC 27001 —
play crucial roles in safeguarding data.
While on the surface, PCI DSS V4.0 and ISO/IEC 27001 serve
the overarching goal of information security, they are tailored
for varied organisational contexts. This guide emerges as a
response to businesses’ shared challenges in navigating these
standards. With overlaps, gaps, and nuanced differences
between PCI DSS V4.0 and ISO 27001:2022, we will create a
roadmap simplifying the path to concurrent compliance.

3 PCI DSS V4.0 Explained

4 Ensuring Compliance: The PCI DSS V4.0 Audit Process

5 Insight into ISO/IEC 27001

6 Standard Comparison

12 Intersections & Deviations

13 Benefits of the Integrated Approach

PCI DSS V4.0 EXPL AINED

The PCI DSS, formulated by a

consortium of card giants such as
Visa, MasterCard, American Express,
Discover, and JCB, was primarily
established to bolster payment card
transaction security and shield card
and cardholder data from breaches.

At its core, the PCI DSS V4.0 is structured around six primary goals, which further break
down into 12 essential requirements:

Build and maintain a secure network and Implement strong access control measures
systems
7. Restrict access to system components and cardholder
1. Install and maintain network security controls data by business need to know
2. Apply secure configurations to all system components 8. Identify users and authenticate access to system
components
Protect cardholder data 9. Restrict physical access to cardholder data

3. Protect stored account data

Regularly monitor and test networks
4. Protect cardholder data with strong cryptography
during transmission over open, public networks 10. Log and monitor all access to system components and
cardholder data
Maintain a vulnerability management 11. Test security of systems and networks regularly
program
5. Protect all systems and networks from malicious Maintain an information security policy
software 12. Support information security with organisational
6. Develop and maintain secure systems and software policies and programs

ISO/IEC 27001:2022, the international benchmark for an Information Security Management System
(ISMS), addresses these 12 requirements at a macroscopic level.

For a thorough understanding, see page 06, detailing the mapping between PCI DSS V4.0
requirements and ISO/IEC 27001:2022 clauses and controls.
ENSURING COMPLIANCE: THE PCI DSS V4.0 AUDIT PROCESS

PCI DSS V4.0 compliance is not

merely about understanding the
requirements; it’s about evidencing
adherence through audits.
To this end, companies must undergo evaluations there’s the Internal Security Assessor (ISA).
by a Qualified Security Assessor (QSA) and an Depending on a merchant’s operational size
Approved Scanning Vendor (ASV) within specific and level, the ISA can oversee assessments via
intervals, as determined by the PCI Council. Self-Assessment Questionnaires (SAQs).

Additionally, for businesses wondering about See below for details on operational size.
the role of self-assessments in this equation,

Merchant Level Merchant Definition Compliance

Annual onsite PCI data security

More than 6 million V/MC transactions annually
Level 1 assessment and quarterly
across all channels, including e-commerce
network scans

Annual self-assessment and

Level 2 1,000,000–5,999,999 V/MC transactions annually
quarterly network scans

Annual self-assessment and

Level 3 20,000–1,000,000 V/MC transactions annually
quarterly network scans

Less than 20,000 V/MC e-commerce transactions

Annual self-assessment and
Level 4 annually and all merchants across channel up to
annual network scans
1,000,000 VISA transactions annually

PCI DSS V4.0 also offers two ways to implement its

requirements: the traditional method and a new
customised approach.
In the traditional method, organisations follow the rules outlined in PCI DSS V4.0. Most
organisations will stick to this method. The customised approach allows for personalised controls.
While many requirements can still follow the traditional method, this approach can
be tailored to individual requirements.
INSIGHT INTO ISO/IEC 27001

The primary purpose of ISO 27001:2022

is to provide organisations with a
structured framework to safeguard
their information assets.
This involves:

• Risk Assessment: Identifying potential • Continuous Improvement: Establishing a

threats and vulnerabilities to determine the feedback loop that facilitates the recurrent
associated risks. enhancement of the Information Security
Management System (ISMS).
• Risk Management: Implementing
appropriate measures to mitigate or
accept risks, ensuring they remain within
acceptable limits.

Controls & Attributes

The standard outlines specific controls within its Annex, addressing varied areas from access
control to incident management, ensuring a comprehensive approach to information security.

IEC/ISO 27001:2022 encompasses four clauses within its Annex A framework:

Organisational People Physical Technological

With five core attributes:

Information Cybersecurity Operational

Control Type Security Domains
Security Properties Concepts Capabilities

These are designed to enable organisations to understand their current security posture better
and encourage adopting security practices and processes that will lead to more effective
business operations.
S TA N D A R D C O M PA R I S O N

ISMS.online’s comprehensive table

provides a macro perspective, mapping
the security mandates of PCI DSS V4.0
against ISO/IEC 27001: 2022.
Organisations can reap enhanced information security outcomes by fusing PCI DSS V4.0 and
ISO/IEC 27001. It’s pertinent to understand that ISO/IEC 27001, being more encompassing,
offers higher flexibility.

Jump to table:
R1: Install and Maintain Network security controls R7: Restrict Access to System Components and
Cardholder Data by Business Need to Know
R2: Apply Secure Configurations to All System
Components R8: Identify Users and Authenticate Access to System
Components
R3: Protect Stored Account Data
R9: Restrict Physical Access to Cardholder Data
R4: Protect Cardholder Data with Strong Cryptography
During Transmission Over Open, Public Networks R10: Log and Monitor All Access to System Components
and Cardholder Data
R5: Protect All Systems and Networks from Malicious
Software R11: Test Security of Systems and Networks Regularly

R6: Develop and Maintain Secure Systems and Software R12: Support Information Security with Organizational
Policies and Programs

R1: Install and Maintain Network security controls

PCI DSS V4.0 ISO 27001:2022

1.1 Processes and mechanisms for installing and A.8.20 Networks security
maintaining network security controls are defined and 5.3 Organisational roles, responsibilities and
understood authorities

1.2 Network security controls (NSCs) are configured A.8.20 Networks security
and maintained A.8.21 Security of network services
A.8.32 Change management

1.3 Network access to and from the cardholder data A.8.22 Segregation of networks
environment is restricted A.8.21 Security of network services
8.21 Security of network services

1.4 Network connections between trusted and A.8.22 Segregation of networks

untrusted networks are controlled 8.21 Security of network services

1.5 Risks to the CDE from computing devices that are 8.7 Protection against malware
able to connect to both untrusted networks and the A.8.19 Installation of software on operational systems
CDE are mitigated A.8.22 Segregation of networks
R2: Apply Secure Configurations to All System Components

PCI DSS V4.0 ISO 27001:2022

2.1 Processes and mechanisms for applying secure 8.9 Configuration management
configurations to all system components are defined 5.3 Organisational roles, responsibilities and authorities
and understood

2.2 System components are configured and managed 8.9 Configuration management
securely 8.21 Security of network services
8.8 Management of technical vulnerabilities
A.5.6 Contact with special interest groups

2.3 Wireless environments are configured and A.8.20 Networks security

managed securely A.6.5 Responsibilities after termination or change of
employment

R3: Protect Stored Account Data

PCI DSS V4.0 ISO 27001:2022

3.1 Processes and mechanisms for protecting stored 8.3 Information access restriction
account data are defined and understood 5.3 Organisational roles, responsibilities and authorities

3.2 Storage of account data is kept to a minimum 5.33 Protection of records

8.10 Information deletion
A.8.11 Data masking

3.3 Sensitive authentication data (SAD) is not stored A.8.26 Application security requirements
after authorization A.8.10 Information deletion

3.4 Access to displays of full PAN and ability to copy A.8.11 Data masking
PAN is restricted A.8.18 Use of privileged utility programs

3.5 Primary account number (PAN) is secured A.8.24 Use of cryptography

wherever it is stored

3.6 Cryptographic keys used to protect stored A.8.24 Use of cryptography

account data are secured

3.7 Where cryptography is used to protect stored A.8.24 Use of cryptography

account data, key-management processes and A.5.19 Information Security in supplier relationships
procedures covering all aspects of the key lifecycle
are defined and implemented

R4: Protect Cardholder Data with Strong Cryptography During Transmission Over
Open, Public Networks

PCI DSS V4.0 ISO 27001:2022

4.1 Processes and mechanisms for protecting A.8.24 Use of cryptography

cardholder data with strong cryptography during 5.3 Organisational roles, responsibilities and authorities
transmission over open, public networks are defined
and documented

4.2 PAN is protected with strong cryptography during A.8.24 Use of cryptography
transmission
R5: Protect All Systems and Networks from Malicious Software

PCI DSS V4.0 ISO 27001:2022

5.1 Processes and mechanisms for protecting all A.8.20 Networks security
systems and networks from malicious software are 8.21 Security of network services
defined and understood 8.7 Protection against malware
5.3 Organisational roles, responsibilities and authorities

5.2 Malicious software (malware) is prevented, or A.8.7 Protection against malware

detected and addressed

5.3 Anti-malware mechanisms and processes are A.8.7 Protection against malware
active, maintained, and monitored A.8.23 Web filtering
A.8.15 Logging

5.4 Anti-phishing mechanisms protect users against 6.3 Information security awareness, education
phishing attacks and training
A.8.7 Protection against malware
A.8.23 Web filtering

R6: Develop and Maintain Secure Systems and Software

PCI DSS V4.0 ISO 27001:2022

6.1 Processes and mechanisms for developing and A.8.25 Secure development life cycle
maintaining secure systems and software are defined 5.3 Organisational roles, responsibilities and authorities
and understood

6.2 Bespoke and custom software are developed A.8.25 Secure development life cycle
securely A.8.28 Secure coding
A.5.20 Addressing information security within supplier
agreements

6.3 Security vulnerabilities are identified and 8.8 Management of technical vulnerabilities
addressed

6.4 Public-facing web applications are protected 8.21 Security of network services
against attacks

6.5 Changes to all system components are managed A.8.32 Change management
securely

R7: Restrict Access to System Components and Cardholder Data by Business Need
to Know

PCI DSS V4.0 ISO 27001:2022

7.1 Processes and mechanisms for restricting access A.5.15 Access control
to system components and cardholder data by 5.3 Organisational roles, responsibilities and authorities
business need to know are defined and understood

7.2 Access to system components and data is A.5.15 Access control

appropriately defined and assigned A.5.18 Access rights

7.3 Access to system components and data is A.5.15 Access control

managed via an access control system(s)
R8: Identify Users and Authenticate Access to System Components

PCI DSS V4.0 ISO 27001:2022

8.1 Processes and mechanisms for identifying users A.5.16 Identity management
and authenticating access to system components are 5.3 Organisational roles, responsibilities and authorities
defined and understood

8.2 User identification and related accounts for users A.5.16 Identity management
and administrators are strictly managed throughout 5.3 Organisational roles, responsibilities and authorities
an account’s lifecycle

8.3 Strong authentication for users and administrators A.8.5 Secure authentication
is established and managed A.5.1 Policies for information security

8.4 Multi-factor authentication (MFA) is implemented A.8.5 Secure authentication

to secure access into the CDE

8.5 Multi-factor authentication (MFA) systems are A.8.5 Secure authentication

configured to prevent misuse

8.6 Use of application and system accounts and 8.2 Privileged access rights
associated authentication factors is strictly managed

R9: Restrict Physical Access to Cardholder Data

PCI DSS V4.0 ISO 27001:2022

9.1 Processes and mechanisms for restricting physical A.7.1 Physical security perimeters
access to cardholder data are defined and understood 5.3 Organisational roles, responsibilities and authorities

9.2 Physical access controls manage entry into A.7.2 Physical entry
facilities and systems containing cardholder data A5.15 Access Control
A.7.4 Physical security monitoring

9.3 Physical access for personnel and visitors is A.7.2 Physical entry
authorized and managed A.7.3 Securing offices, rooms and facilities

9.4 Media with cardholder data is securely stored, 7.6 Working in secure areas
accessed, distributed, and destroyed A.7.10 Storage media
A.5.9 Inventory of information and other associated assets

9.5 Point-of-interaction (POI) devices are protected A.7.8 Equipment siting and protection
from tampering and unauthorized substitution A.5.9 Inventory of information and other associated assets
A.6.3 Information security awareness, education and
training
R10: Log and Monitor All Access to System Components and Cardholder Data

PCI DSS V4.0 ISO 27001:2022

10.1 Processes and mechanisms for logging and A.8.15 Logging

monitoring all access to system components and A.8.16 Monitoring activities
cardholder data are defined and documented 5.3 Organisational roles, responsibilities and authorities

10.2 Audit logs are implemented to support the A.8.15 Logging

detection of anomalies and suspicious activity, and
the forensic analysis of events

10.3 Audit logs are protected from destruction and A.8.15 Logging
unauthorized modifications 5.3 Organisational roles, responsibilities and authorities

10.4 Audit logs are reviewed to identify anomalies or A.8.15 Logging

suspicious activity A.8.16 Monitoring activities

10.5 Audit log history is retained and available for analysis A.8.15 Logging

10.6 Time-synchronization mechanisms support A.8.17 Clock synchronization

consistent time settings across all systems

10.7 Failures of critical security control systems are A.8.16 Monitoring activities
detected, reported, and responded to promptly

R11: Test Security of Systems and Networks Regularly

PCI DSS V4.0 ISO 27001:2022

11.1 Processes and mechanisms for regularly testing 5.35 Independent review of information security
security of systems and networks are defined and 5.3 Organisational roles, responsibilities and
understood authorities

11.2 Wireless access points are identified and A.8.20 Networks security
monitored, and unauthorized wireless access points A.5.9 Inventory of information and other associated
are addressed assets

11.3 External and internal vulnerabilities are regularly 5.35 Independent review of information security
identified, prioritized, and addressed

11.4 External and internal penetration testing is 5.35 Independent review of information security
regularly performed, and exploitable vulnerabilities A.8.8 Management of technical vulnerabilities
and security weaknesses are corrected

11.5 Network intrusions and unexpected file changes 5.26 Response to information security incidents
are detected and responded to A.8.16 Monitoring activities

11.6 Unauthorized changes on payment pages are 5.26 Response to information security incidents
detected and responded to A.8.16 Monitoring activities
R12: Support Information Security with Organizational Policies and Programs

PCI DSS V4.0 ISO 27001:2022

12.1 A comprehensive information security policy that A.5.1 Policies for information security
governs and provides direction for protection of the 5.2 Policy
entity’s information assets is known and current 5.3 Organizational roles, responsibilities and authorities

12.2 Acceptable use policies for end-user A.5.10 Acceptable use of information and other
technologies are defined and implemented associated assets

12.3 Risks to the cardholder data environment are 6.1 Risk assessment process
formally identified, evaluated, and managed A.5.9 Inventory of information and other associated
assets

12.4 PCI DSS V4.0 compliance is managed 5.36 Compliance with policies, rules and standards
for information security

12.5 PCI DSS V4.0 scope is documented and validated 4.2 Interested parties

12.6 Security awareness education is an ongoing A.6.3 Information security awareness, education and
activity training

12.7 Personnel are screened to reduce risks from A.6.1 Screening

insider threats

12.8 Risk to information assets associated with 5.21 Managing information security in the ICT supply
third-party service provider (TPSP) relationships is chain
managed

12.9 Third-party service providers (TPSPs) support A.5.20 Addressing information security within supplier
their customers’ PCI DSS V4.0 compliance agreements

12.10 Suspected and confirmed security incidents A.5.26 Response to information security incidents,
that could impact the CDE are responded to A.8.12 Data leakage prevention
immediately

Determining the scope of the ISMS is contingent on individual

organisational parameters in ISO/IEC 27001. In stark contrast, PCI
DSS V4.0’s scope exclusively revolves around credit cardholder
data. Another distinction lies in their mandates — PCI DSS V4.0
controls are obligatory, while those of ISO/IEC 27001 serve as
recommendations.
I N T E R S E C T I O N S & D E V I AT I O N S

When one dives into the intricate details

of PCI DSS V4.0 and ISO 27001:2022, the
intersections and deviations become
evident, and to achieve an efficient
compliance strategy, businesses need to
understand these intricacies.

Scope & Objectives: Mapping Insight

While PCI DSS V4.0 has a more niche focus,
PCI DSS V4.0: Primarily focuses on the protection of ISO 27001 offers a broad spectrum of information

cardholder data. security controls. If an organisation is already

compliant with ISO 27001, it may have addressed
ISO 27001:2022: Emphasises a holistic approach many of the underlying principles of PCI DSS V4.0,

to information security management across all though specific controls related to cardholder data
will still need attention.
organisational data.

Risk Assessment & Management:

Mapping Insight
PCI DSS V4.0: Requires a yearly risk assessment for The continual risk management process in
processes related to cardholder data. ISO 27001 provides a foundation that can
streamline the yearly requirements of PCI DSS V4.0.
ISO 27001:2022: Mandates a continual risk assessment
and management process for all information assets.

Access Control Measures: Mapping Insight

While the overarching principles are similar,
PCI DSS V4.0: Detailed requirements on access controls,
businesses must ensure the specific control
especially for cardholder data.
measures of PCI DSS V4.0 related to card data are
incorporated into their ISO 27001 access control
ISO 27001:2022: General access control objectives
framework.
encompassing all data types.
B E N E F I T S O F T H E I N T E G R AT E D A P P R O A C H

The primary advantage of mapping

PCI DSS V4.0 to ISO 27001:2022
is the opportunity to streamline
compliance processes.
By understanding the overlaps between the two standards,
organisations can:

• Eliminate redundant processes. • Reduce administrative burdens associated

with maintaining two separate compliance
• Develop a more consolidated compliance
postures.
roadmap.

Potential Cost Savings and Efficiencies

A harmonised approach can also lead to tangible cost benefits for
businesses:

• Fewer resources are required for • Avoiding potential non-compliance

compliance monitoring and reporting. penalties or remediation costs.

• Allocating resources more efficiently • Reducing the training time and expenses as
by focusing on shared objectives and staff can be trained on unified processes
requirements of both standards. instead of separate ones.

Enhanced Security Posture

Merging the principles of PCI DSS V4.0 and ISO 27001:2022 isn’t just
about ticking off compliance boxes. It can also lead to a robust
security posture:

• Exploiting the strengths of both standards • Facilitating a culture of continuous

ensures comprehensive protection against improvement, as the integrated approach
a broader spectrum of threats. can lead to regular reviews and better
responsiveness to emerging risks.
• Identifying and addressing potential security
gaps that might have been overlooked
when treating the standards in isolation.
Ready to combine
PCI DSS 4.0
and ISO 27001?
Book a chat with our team to find out how
our joined up management system can
streamline your compliance.

Get started