How does PCI DSS compare to ISO 27001?

PCI DSS is free and considerably shorter than ISO 27001: 17 pages versus 44. Some of the content of the two standards overlaps, so complying with ISO 27001 is also a big step towards complying with PCI DSS. There are, however, several areas where PCI DSS is considerably more specific and sets out a number of clearly defined requirements. In contrast, the ISO 27000 standards set the stage for a more risk-based security implementation.

Who should use it?

All organizations that process, store or transmit debit card information should comply with PCI DSS. According to the standard, this includes an organization that has entered into a service agreement with a provider of, for example, online payment transactions for a webshop. Not complying with PCI DSS results in an organization losing the ability to receive payment by, among others, VISA and Mastercard. It is possible to outsource your way out of some of the PCI DSS requirements.

What do we recommend?

For organizations that process, store, or transmit debit card information, inspiration can be found in some of PCI DSS's concrete security rules. It makes sense to introduce many of the requirements in a slightly adapted form. However, as with all standards, the activities must be scaled appropriately to the organization. Full compliance can be quite a mouthful.

Where can I find the standard?

You can find it by clicking here: PCI Security Standards Council...

How can we help?

Our GRC platform includes the PCI DSS standard.