CSF 2.0 ↔ PCI-DSS v4.0.1 Crosswalk
NIST OLIR mapping between Cybersecurity Framework 2.0 subcategories and PCI DSS v4.0.1 requirements. 551 mappings connecting 101 CSF subcategories to 133 PCI requirements.
| CSF Subcategory | CSF Title | PCI Requirement | PCI Title |
|---|---|---|---|
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.3.3 | Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.3.4 | File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.4.1 | The following audit logs are reviewed at least once daily: All security events. |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.4.2.1 | 10.4.2.1 |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 6.3.1 | Security vulnerabilities are identified and managed as follows: New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). |
DE.AE-03 | Information is correlated from multiple sources | 1.2.4 | An accurate data-flow diagram(s) is maintained that meets the following: Shows all account data flows across systems and networks. |
DE.AE-03 | Information is correlated from multiple sources | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.AE-03 | Information is correlated from multiple sources | 10.3.3 | Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. |
DE.AE-03 | Information is correlated from multiple sources | 10.4.1 | The following audit logs are reviewed at least once daily: All security events. |
DE.AE-03 | Information is correlated from multiple sources | 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
DE.AE-04 | The estimated impact and scope of adverse events are understood | 1.2.3 | An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. |
DE.AE-04 | The estimated impact and scope of adverse events are understood | 1.2.4 | An accurate data-flow diagram(s) is maintained that meets the following: Shows all account data flows across systems and networks. |
DE.AE-04 | The estimated impact and scope of adverse events are understood | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.AE-04 | The estimated impact and scope of adverse events are understood | 10.4.1 | The following audit logs are reviewed at least once daily: All security events. |
DE.AE-04 | The estimated impact and scope of adverse events are understood | 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | 10.3.1 | Read access to audit logs files is limited to those with a job-related need. |
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | 10.3.3 | Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. |
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | 12.10.1 | An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. |
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | 12.10.3 | Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. |
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | 12.3.4 | Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: Analysis that the technologies continue to receive security fixes from vendors promptly. |
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | 6.3.1 | Security vulnerabilities are identified and managed as follows: New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). |
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | 6.4.3 | All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: A method is implemented to confirm that each script is authorized. |
DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | 12.10.1 | An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. |
DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | 12.10.2 | At least once every 12 months, the security incident response plan is: Reviewed and the content is updated as needed. |
DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | 12.10.4 | Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities. |
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | 1.2.4 | An accurate data-flow diagram(s) is maintained that meets the following: Shows all account data flows across systems and networks. |
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | 10.4.1 | The following audit logs are reviewed at least once daily: All security events. |
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | 11.2.1 | Authorized and unauthorized wireless access points are managed as follows: The presence of wireless (Wi-Fi) access points is tested for. All authorized and unauthorized wireless access points are detected and identified. Testing, detection, and identification occurs at least once every three months. |
DE.CM-02 | The physical environment is monitored to find potentially adverse events | 9.3.1.1 | 9.3.1.1 |
DE.CM-02 | The physical environment is monitored to find potentially adverse events | 9.4.1.2 | 9.4.1.2 |
DE.CM-02 | The physical environment is monitored to find potentially adverse events | 9.5.1.2 | 9.5.1.2 |
DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | 10.4.1 | The following audit logs are reviewed at least once daily: All security events. |
DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | 10.6.1 | System clocks and time are synchronized using time-synchronization technology. |
DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | 8.2.2 | Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows: ID use is prevented unless needed for an exceptional circumstance. |
DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | 12.8.4 | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | 7.2.4 | All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 10.3.4 | File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 11.3.1 | Internal vulnerability scans are performed as follows: At least once every three months. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 11.3.2 | External vulnerability scans are performed as follows: At least once every three months. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 5.2.1 | An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 5.2.2 | The deployed anti-malware solution(s): Detects all known types of malware. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 5.3.2 | The anti-malware solution(s): Performs periodic scans and active or real-time scans OR Performs continuous behavioral analysis of systems or processes. |
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 6.4.3 | All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: A method is implemented to confirm that each script is authorized. |
GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | 12.1.1 | An overall information security policy is: Established. |
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 12.1.4 | Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management. |
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 12.8.1 | A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. |
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 12.8.5 | Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 12.9.1 | Additional requirement for service providers only: TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that the TPSP could impact the security of the customer’s cardholder data and/or sensitive authentication data. |
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | 12.9.2 | Additional requirement for service providers only: TPSPs support their customers’ requests for information to meet Requirements 12. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.8.1 | A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.8.2 | Written agreements with TPSPs are maintained as follows: Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.8.4 | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.8.5 | Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.9.1 | Additional requirement for service providers only: TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that the TPSP could impact the security of the customer’s cardholder data and/or sensitive authentication data. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 12.9.2 | Additional requirement for service providers only: TPSPs support their customers’ requests for information to meet Requirements 12. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 3.2.1 | Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: Coverage for all locations of stored account data. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 9.4.6 | Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. |
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | 9.4.7 | Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following: The electronic media is destroyed. |
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | 12.10.1 | An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. |
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | 12.5.2 | PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 1.2.3 | An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 1.2.4 | An accurate data-flow diagram(s) is maintained that meets the following: Shows all account data flows across systems and networks. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.5.2 | PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.8.1 | A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.8.4 | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.9.1 | Additional requirement for service providers only: TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that the TPSP could impact the security of the customer’s cardholder data and/or sensitive authentication data. |
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | 12.9.2 | Additional requirement for service providers only: TPSPs support their customers’ requests for information to meet Requirements 12. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 10.7.1 | Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: network security controls, IDS/IPS, FIM, anti-malware solutions, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used). Applicability note: this requirement applies only when the entity being assessed is a service provider. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 10.7.2 | Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: Network security controls. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 12.10.2 | At least once every 12 months, the security incident response plan is: Reviewed and the content is updated as needed. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 12.10.6 | The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 12.3.1 | For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes: Identification of the assets being protected. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 12.4.2 | Additional requirement for service providers only: Reviews are performed at least once every three months to confirm personnel are performing their tasks in accordance with all security policies and all operational procedures. |
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 12.4.2.1 | 12.4.2.1 |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 10.7.1 | Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: network security controls, IDS/IPS, FIM, anti-malware solutions, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used). Applicability note: this requirement applies only when the entity being assessed is a service provider. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 10.7.2 | Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: Network security controls. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 11.4.4 | Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.10.2 | At least once every 12 months, the security incident response plan is: Reviewed and the content is updated as needed. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.10.6 | The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.3.4 | Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: Analysis that the technologies continue to receive security fixes from vendors promptly. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.4.2 | Additional requirement for service providers only: Reviews are performed at least once every three months to confirm personnel are performing their tasks in accordance with all security policies and all operational procedures. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.4.2.1 | 12.4.2.1 |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.5.2 | PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.5.3 | Additional requirement for service providers only: Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management. |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | 12.8.4 | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 10.7.2 | Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: Network security controls. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 11.3.1 | Internal vulnerability scans are performed as follows: At least once every three months. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 11.3.2 | External vulnerability scans are performed as follows: At least once every three months. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 11.4.4 | Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 12.3.1 | For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes: Identification of the assets being protected. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 12.3.4 | Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: Analysis that the technologies continue to receive security fixes from vendors promptly. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 12.4.2 | Additional requirement for service providers only: Reviews are performed at least once every three months to confirm personnel are performing their tasks in accordance with all security policies and all operational procedures. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 7.2.5.1 | 7.2.5.1 |
Showing the first 100 of 551 mappings.
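The crosswalk above is a many-to-many relation, and the questions a practitioner usually asks of it run in both directions: which PCI DSS requirements give evidence for one CSF subcategory, and which CSF outcomes a single PCI control (such as 10.2.1, which appears under many Detect subcategories) already satisfies. The following is an added example, not part of the NIST OLIR data set or of this page: it parses rows in the page's own pipe-separated layout (with or without leading/trailing pipes), builds the two indexes, reproduces the kind of counts quoted in the introduction, and flags PCI requirements whose title cell in the source only repeats the requirement number. The `SAMPLE` rows are copied from the table as constructed test input; a real run would feed it the full exported table.

```python
"""Load a CSF 2.0 <-> PCI DSS v4.0.1 crosswalk table and query it both ways.

Added example, not part of the NIST OLIR data set. SAMPLE is constructed
test input copied from a few rows of the table above.
"""
import re
from collections import defaultdict

# Constructed sample in the page's own pipe-separated format. Rows may or may
# not carry leading/trailing pipes, and some PCI title cells only repeat the
# requirement number because the source mapping supplied no title.
SAMPLE = """\
| CSF Subcategory | CSF Title | PCI Requirement | PCI Title |
|---|---|---|---|
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | 10.4.2.1 | 10.4.2.1 |
| DE.AE-03 | Information is correlated from multiple sources | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | 10.2.1 | Audit logs are enabled and active for all system components and cardholder data. |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | 7.2.5.1 | 7.2.5.1 |
"""

CSF_ID = re.compile(r"^[A-Z]{2}\.[A-Z]{2}-\d{2}$")  # e.g. DE.AE-02
PCI_ID = re.compile(r"^\d+(\.\d+)+$")                # e.g. 10.4.2.1


def pci_sort_key(pci_id):
    """Numeric sort so 10.2.1 sorts after 6.3.1 rather than before it."""
    return tuple(int(part) for part in pci_id.split("."))


def parse_rows(text):
    """Yield (csf_id, csf_title, pci_id, pci_title) from the table text.

    Header, separator and any stray UI text are skipped: a row is accepted
    only when both ID cells match the expected identifier shapes.
    """
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        csf_id, csf_title, pci_id, pci_title = cells
        if CSF_ID.match(csf_id) and PCI_ID.match(pci_id):
            yield csf_id, csf_title, pci_id, pci_title


class Crosswalk:
    """Bidirectional index over the CSF <-> PCI mapping rows."""

    def __init__(self, rows):
        self.csf_to_pci = defaultdict(set)
        self.pci_to_csf = defaultdict(set)
        self.csf_titles = {}
        self.pci_titles = {}
        self.untitled_pci = set()  # PCI title cell merely repeats the ID
        for csf_id, csf_title, pci_id, pci_title in rows:
            self.csf_to_pci[csf_id].add(pci_id)
            self.pci_to_csf[pci_id].add(csf_id)
            self.csf_titles[csf_id] = csf_title
            if pci_title == pci_id:
                self.untitled_pci.add(pci_id)
            else:
                self.pci_titles[pci_id] = pci_title

    def pci_for(self, csf_id):
        """PCI requirements that provide evidence for one CSF subcategory."""
        return sorted(self.csf_to_pci.get(csf_id, ()), key=pci_sort_key)

    def csf_for(self, pci_id):
        """CSF subcategories that one PCI requirement contributes to."""
        return sorted(self.pci_to_csf.get(pci_id, ()))

    def counts(self):
        """(mappings, distinct CSF subcategories, distinct PCI requirements)."""
        mappings = sum(len(v) for v in self.csf_to_pci.values())
        return mappings, len(self.csf_to_pci), len(self.pci_to_csf)

    def most_cross_cutting(self, n=3):
        """PCI requirements that satisfy the most CSF subcategories."""
        ranked = sorted(self.pci_to_csf,
                        key=lambda p: (-len(self.pci_to_csf[p]), pci_sort_key(p)))
        return ranked[:n]


def load(text=SAMPLE):
    return Crosswalk(parse_rows(text))


if __name__ == "__main__":
    cw = load()
    print("mappings / CSF / PCI:", cw.counts())
    print("DE.AE-02 ->", cw.pci_for("DE.AE-02"))
    print("10.2.1 <-", cw.csf_for("10.2.1"))
    print("most cross-cutting PCI requirements:", cw.most_cross_cutting())
    print("PCI requirements with no title in the source:", sorted(cw.untitled_pci))
```

On the full 551-row table `counts()` should return the figures quoted in the introduction (551, 101, 133); a mismatch after an export means rows were dropped or duplicated. The `untitled_pci` set is worth reviewing by hand against the standard before the mapping is used as assessment evidence, since those cells carry no requirement text.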