PCI DSS v3.2 vs CIS Critical Security Controls v6.0

A few months ago, while incredibly bored, I decided to perform my own mapping of the PCI DSS v3.2 to ISO 27001:2013.

I know what you’re going to say; “You can’t compare the two, one’s a management framework, the other’s a controls-based assessment standard!” I agree with you, however, it IS possible to map PCI’s Control Requirements to the ISO’s Control Objectives.

The DSS did not fare well; PCI DSS v3.2 vs ISO 27001-2013

This is not surprising really, the PCI DSS was never designed to be a security framework. It was designed to reduce the risk of card holder data loss to acceptable levels, and nothing more. Whether or not it has succeeded is a debate for the ages, and any frequent readers of my blog will know where I stand.

This week I found myself bored yet again, so I decided to give the DSS another shot at matching up to an ‘industry-accepted’ standard. This time I chose the CIS Critical Security Controls (CSC) v6.0 which, by definition, should have given the DSS a shot at redeeming itself.

It didn’t; PCI DSS_v3.2 vs CIS Critical Security Controls_v6.0

In the DSS’s defence, this is not a fair apples-to-apples comparison either, for 2 main reasons:

  1. The DSS is not a 100% controls-based standard, the CIS CSC is. The DSS, quite rightly, includes a significant chunk of policy and procedure, only a reverse mapping would give the full picture.
  2. The CIS CSC includes a significant number of technologies ill-suited for all but the most advanced and mature environments. Not to mention those with unlimited budgets. The PCI DSS was written to be understood by as many people, and be as universally affordable, as possible.

That said, we can certainly make some observations that illuminate some of the PCI DSS’s more significant deficiencies:

  1.  Data Protection (CSC 13): 18% coverage – Rather ironic, but the entire raison d’être for the DSS; protection of card holder data, scores the lowest in terms of controls requirements. While CSC 13 does not include as much encryption as the DSS, the lack of Data Loss Prevention (DLP) techniques in the DSS is starkly transparent. The DSS has never even mentioned DLP in the main body, or even alluded to it in the “Scope of PCI DSS Requirements“. Only the Designated Entities Supplemental Validation (DESV) section mentions it, and that only in the Guidance as an option.

  2. Inventory of Authorized and Unauthorized Devices CSC 1 & Software (CSC 2)20% coverage – Asset Management is at the heart of every security program, nothing else can possibly function without it. The requirement for an asset register was not added to the DSS until v3.0. Along with Logging & Monitoring, the PCI minimums related to asset management are the most damaging to the overall program. Automation and alerting are both next to impossible without the baselines the asset register should provide.

  3. Malware Defences (CSC 8): 27% coverage – The DSS focuses almost entirely on anti-malware, and that almost exclusively on Windows. That’s what they mean by “…commonly affected by malicious software” in Requirement 5.1. Base-lining, white-listing, black-listing and so on aren’t featured in the DSS, because with asset management there is no way to track what should and should not be there.

  4. Security Skills Assessment and Appropriate Training to Fill Gaps (CSC 17): 28% coverage – This one is truly unconscionable given the enormous power of education and training. Security Awareness means nothing unless it’s in appropriate context to the individual taking it. One size does not fit all, and PCI would be wise to take note.

Clearly I have a significant bias against the PCI DSS in general, so I would welcome any counter-argument from others who are equally bored.

Now I have to go find something else to do..

6 thoughts on “PCI DSS v3.2 vs CIS Critical Security Controls v6.0

  1. Given that the DSS applies primarily to small merchants count-wise, your use of “affordability” and “unlimited budget” is spot on. DLP is certainly not affordable to small merchants either in acquisition or operation costs particularly in the food industries. Neither are control frameworks affordable to a small business.

    Asset management is important? No, it really is not. Why? Because asset management is looked at by most businesses as a financial matter, not anything else. Computers depreciate off quickly so the company would be spending manpower costs to manage something that has no value or minimal value on the books, manpower costs that generate zero revenue. Computers are a commodity. Even losing one is not a big financial hit UNTIL they are FORCED to disclose it. And we all know how many breaches simply are not reported.

    Auditors and frameworks stop no crimes or fraud. Potentially they can get a weak technical control fixed before a crime occurs or detect it while it’s still in progress but that’s it. They both are a 99.9% detective control.

    Frameworks and audits say to install malware protection. So companies install Microsoft Windows Defender or System Center Endpoint Protection because they’re free. Complaint? Check. Does the product actually stop anything? Nope. But compliant, right? Check.

    Remember, to most businesses, almost any risk is acceptable until it actually happens to them. It’s just the way the world currently works.

    • Hi JJ, thank you again for your comments.

      It sounds like YOU don’t think asset management is important, when not one of the things that make up an appropriate security program is possible without it. And by appropriate I mean for ANY organisation.

      Without true asset management, there are no recorded baselines, no known-goods, and no white-lists, which are the cause of the “99.99% detective” you mentioned.

      Asset management need not be expensive, or labour intensive, organisations just have to do their homework.


      • Nah, it was just a bit too subtle perhaps. There’s nothing I like better than having a laptop reported as lost, asking what data was on it and getting a response about its book value and a question about when the replacement will come in.

        The business owners make the policies and we follow them. If they don’t take our advice, well, it’s their company and not ours. You either follow their policies or you move on, voluntarily or otherwise.

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.