PCI DSS Requirements

Each PCI DSS requirement is listed below with the ISO/IEC 27001 clauses it maps to.

PCI DSS Requirement → ISO/IEC 27001 Clause

1. Install and maintain a firewall configuration to protect cardholder data.
  • A.6 Organisation of information security
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security

2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security

3. Protect stored cardholder data.
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.15 Supplier relationships

4. Encrypt transmission of cardholder data across open, public networks.
  • A.12 Operations security
  • A.14 System acquisition, development and maintenance

5. Protect all systems against malware and regularly update antivirus software or programs.
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.14 System acquisition, development and maintenance

6. Develop and maintain secure systems and applications.
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.14 System acquisition, development and maintenance

7. Restrict access to cardholder data by business need to know.
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security

8. Identify and authenticate access to system components.
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security

9. Restrict physical access to cardholder data.
  • A.7 Human resource security
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security

10. Track and monitor all access to network resources and cardholder data.
  • A.12 Operations security
  • A.13 Communications security

11. Regularly test security systems and processes.
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships

12. Maintain a policy that addresses information security for all personnel.
  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance

SOC 2 Requirements

  • Workforce Clearance Processes
  • Management Reviews
  • Risk Management
  • Access Management
  • Patch and Vulnerability Management
  • Secure Software Development Life Cycle
  • Data Encryption
  • Malware Protection
  • Business Continuity and Disaster Recovery
  • Network Security
  • Authentication Standards
  • Incident Detection, Monitoring, and Response
  • Security Awareness Training
  • Third-Party Risk Management