SESSION ID: GRC-R03 #RSAC

NIST Cybersecurity Framework and PCI DSS

Troy Leach, Chief Technology Officer, PCI Security Standards Council
Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council

Slide 2: PCI Security Standards Council – We Help Secure Payment Data
• Industry-driven, flexible and effective standards and programs
• Helping businesses detect, mitigate and prevent criminal attacks and breaches
• Global, cross-industry effort to increase payment security

Slide 3: PCI Security Standards and Programs
• Standards, Training and Certification Programs, Educational Resources
• Standards cover: Payment Equipment; Payment Software; Merchant & Payment Service Provider Environments
• Training – Assessors, Investigators
• Certification – Equipment, Service Providers, Assessors, Investigators

Slide 4: PCI DSS and the NIST Cybersecurity Framework
NIST Cybersecurity Framework (CSF):
• Voluntary framework for managing cybersecurity-related risk
• Consists of standards, guidelines, and best practices
• Promotes the protection and resilience of critical infrastructure
PCI DSS:
• Applies wherever payment card data is stored, processed or transmitted
• Provides a baseline of technical and operational requirements
• Focused on the protection of payment card data

Slide 5: Standard vs. Framework

Slide 6: Mapping Relationships

Slide 7: Observations from Mapping Exercises
• Both PCI DSS and the NIST CSF provide a comprehensive approach to security
• Mapping results are not exact matches
• Controls used to meet PCI DSS can contribute to meeting the CSF, and vice versa
• Meeting either PCI DSS or the CSF does not result in the other being met

Slide 8: Example Mappings – Equivalence
NIST CSF (ID.AM-3):
• Organizational communication and data flows are mapped
PCI DSS (Req. 1.1):
• Network diagram that identifies all connections to/from the CDE (Req. 1.1.2)
• Diagram that shows all cardholder data flows (Req. 1.1.3)

Slide 9: Example Mappings – Subset
NIST CSF (PR.DS-7):
• The development and testing environment(s) are separate from the production environment
PCI DSS (Req. 6.4):
• Separate development/test environments from production environments, enforced with access controls (Req. 6.4.1)
• Separation of duties between development/test and production environments (Req. 6.4.2)

Slide 10: Example Mappings – Intersections
NIST CSF (PR.DS-2):
• Data-in-transit is protected
PCI DSS:
• Use strong cryptography to protect cardholder data during transmission over open, public networks (Req. 4)
• Use strong cryptography to protect authentication credentials during transmission (Req. 8.2.1)