The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card brands, including Visa, MasterCard, American Express, Discover and JCB. PCI DSS “was created to increase controls around cardholder data to reduce credit card fraud via its exposure.”1 “[The] ISO/IEC 27001 standard is a specification for an information security management system (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.”2

While both standards address information security, ISO/IEC 27001 is applicable to any type of organization, whereas PCI DSS is scoped to organizations that store, process or transmit cardholder data, e-commerce merchants among them.

What if the two standards were combined? Is that feasible? Where do they differ? This article examines the interoperability of PCI DSS 3.1 and ISO/IEC 27001:2013, and compares and contrasts the pros and cons of the two standards.
PCI DSS is developed and maintained by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB to protect payment card and cardholder data.3 The standard is organized into six goals and 12 requirements (figure 1). These 12 requirements are addressed at a high level in the ISO/IEC 27001:2013 standard.
Comparison of PCI DSS and ISO/IEC 27001 Standards

Published in the ISACA Journal (www.isaca.org/journal).

Tolga Mataracioglu, CISA, CISM, COBIT Foundation, CCNA, CEH, ISO 27001 LA, BS 25999 LA, MCP, MCTS, VCP, is chief researcher at TUBITAK BILGEM Cyber Security Institute in Turkey. He is the author of many papers about information security published nationally and internationally. His areas of specialization are system design and security, operating systems security, information systems, business continuity, COBIT®, and social
Figure 1—Overview: 12 Requirements of PCI DSS (PCI Data Security Standard: High-level Overview)

Goal: Build and maintain a secure network and systems.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a vulnerability management program.
  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.

Goal: Implement strong access control measures.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.

Goal: Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Goal: Maintain an information security policy.
  12. Maintain a policy that addresses information security for all personnel.

Source: Tolga Mataracioglu. Reprinted with permission. Based on PCI Security Standards Council, PCI DSS Quick Reference Guide, October 2010, https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf