
Compliance recycling: Combining compliance efforts to manage PCI DSS

While the Payment Card Industry Data Security Standard (PCI DSS) looms large over most enterprises' compliance efforts, it doesn't necessarily mean abandoning other compliance efforts. Expert Diana Kelley explains not only how to use existing controls to achieve PCI DSS compliance, but also how other compliance frameworks can ease the PCI DSS compliance process.

Going "green" is becoming a way of life for many of us. The "reduce, reuse and recycle" approach can help save materials and decrease impact on the environment.

In compliance work, the concepts of reducing work and "reusing" existing controls can also be applied. Many organizations have invested time and effort to implement ISO 27002 controls and certify against 27001 Information Security Management System (ISMS) processes. Others have adopted the IT management techniques from the UK Office of Government Commerce (OGC), known as ITIL. And many organizations have made significant investments to create a standardized compliance framework for use across business units and divisions.

Although compliance with the Payment Card Industry Data Security Standard (PCI DSS) cannot be accomplished by using another framework or methodology exclusively, organizations have found that they can leverage valuable mappings between existing frameworks. Additionally, some of the policies and tools implemented for PCI DSS may provide unexpected compliance benefits for other initiatives.

David Howell, senior manager of compliance solutions at RSA, the security division of EMC Corp., said he's observed a desire for compliance normalization. Companies are looking for a "common framework that can be used to eviscerate the walls between disparate compliance programs," Howell said, "defining commonalities so that pieces can be leveraged."

Reuse can work bidirectionally. Controls implemented for PCI DSS can be used for other initiatives in the organization, and controls implemented before or independently of PCI DSS may be reusable as part of PCI DSS validation work.

Examples of PCI DSS controls that can be reused are policies and procedures related to protection of sensitive data. PCI mandates that sensitive authentication data cannot be stored after the authorization phase, but primary account numbers (PANs) can. Requirement 3.4 of the PCI DSS provides specific details on how PANs must be stored in order to achieve compliance. Implementing these specifics can be a challenge, involving the use of native encryption on databases, or a cryptographic gateway or library to encrypt the data before passing it to the database for storage. Such encryption requires key management, and PCI DSS also details rules regarding proper key storage, aging and control. With sophisticated storage protection in place, a number of companies have found that the techniques in Requirement 3.4 can be applied to other sensitive data in the organization.
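As an added illustration of the Requirement 3.4 approach described above (this is example code, not from the article or any vendor product), the following Python sketch stores a PAN only as a truncated display value plus a keyed-hash index token tagged with the key version that produced it, so that keys can be aged and rotated without invalidating older records. The key material and sample PANs are constructed for the example; in practice the keys would live in an HSM or key-management service.

```python
import hmac
import hashlib

# Constructed sample PANs (well-known test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

def luhn_ok(pan: str) -> bool:
    """Reject malformed input before anything derived from it is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Truncation: retain at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class PanVault:
    """Keeps a masked PAN and an HMAC index token; the full PAN is never stored."""
    def __init__(self, keys: dict, current: int):
        self.keys = keys        # key_version -> HMAC key (hypothetical; would come from a KMS/HSM)
        self.current = current  # version used for new records
        self.records = []

    def store(self, pan: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = hmac.new(self.keys[self.current], pan.encode(), hashlib.sha256).hexdigest()
        rec = {"masked": truncate_pan(pan), "token": token, "key_version": self.current}
        self.records.append(rec)
        return rec

    def lookup(self, pan: str) -> list:
        """Match by recomputing the token under each record's own key version."""
        hits = []
        for rec in self.records:
            probe = hmac.new(self.keys[rec["key_version"]], pan.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(probe, rec["token"]):
                hits.append(rec)
        return hits

    def rotate(self, new_version: int, new_key: bytes) -> None:
        """Key aging: new records use the new key; old tokens stay verifiable under their version."""
        self.keys[new_version] = new_key
        self.current = new_version
```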

Michelle Stewart, manager of data security for AirTran Airways, discovered some unexpected benefits from using PCI DSS controls. Monitoring systems that were put in place for PCI DSS became valuable tools for the operations and audit teams. Information from network and host scans was used to identify "devices that weren't in compliance with company policy," Stewart said. The increased visibility provided by the tools helped AirTran enforce policy management for non-PCI DSS-related initiatives, such as ensuring that no unwanted applications, like streaming radio, were running on the corporate network. Stewart said savvy companies can leverage IT spending intended for PCI DSS compliance for work beyond PCI DSS and card data protection.

The relationship between ISO 27001/27002 and PCI DSS is a little more complex, but worth investigating, especially for organizations that are ISO 27001 certified. ISO 27001 is a methodology for managing a security program using the Plan-Do-Check-Act (PDCA) quality control cycle. Organizations that build security programs can use ISO 27001 to certify their ISMS approach against the standard. ISO 27002, on the other hand, is a list of controls. The PCI DSS is something of a mix of the two: it both prescribes technical controls and defines management techniques and approaches. A company could be fully ISO 27001 certified, yet that is no assurance that it is also PCI DSS compliant. Since controls in ISO 27001 are adopted based on an organization's risk assessment, the final decision regarding which controls to implement rests with the organization itself. PCI DSS is not that flexible; the controls listed in the standard are mandatory for compliance.

However, if a company is ISO 27001 certified, it is likely that the organization has already implemented many of the controls that PCI DSS requires. Though the two aren't aligned, an organization could perform a gap assessment of its existing controls, such as those implemented from ISO 27002, against the mandatory PCI DSS controls. Sections A.10, A.11 and A.12 of the ISO standard focus on more technical controls, and this is where the majority of the overlaps occur. The end result would be a delta highlighting the additional controls required for PCI, potentially streamlining compliance and assessment work. Another benefit for ISO 27001 certified organizations is that the certification requires extensive documentation. Insufficient documentation is a core reason that companies fail PCI DSS compliance, so having it in place for ISO will make the PCI compliance work easier.

Finally, the Unified Compliance Framework (UCF) is an interesting approach to compliance. Developed by Dorian Cougias and Marcelo Halpern, UCF attempts to help companies streamline compliance work by mapping normalized controls and management approaches. In February 2008, the group behind UCF published a "harmonization" that integrates the PCI DSS Self-Assessment Questionnaire (SAQ) v1.1 and PCI DSS requirements into the UCF. Companies using the UCF as a meta-compliance framework may find the integration document helpful for normalization and mapping between the two. The document is available to all PCI Qualified Security Assessors (QSAs) as well as UCF subscribers.

Compliance is a cornerstone of a healthy IT environment. Consider "going green" when it comes to compliance. In other words, rather than throwing out previous compliance work when new regulations come along, look for areas where controls and policies can be mapped and "recycled" for applicability to the new mandates.

About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


This was last published in July 2008
