JOnline: Mapping PCI DSS v2.0 With COBIT 4.1 

Download Article

In today’s era, every organization across the globe, regardless of its size or industry, faces security issues pertaining to new and evolving threats, vulnerabilities, risks or regulatory/ compliance landscapes. As such, there arises a need for organizations to make stringent efforts to ensure that their security and enterprise risk management (ERM) programs address multiple compliance requirements.

This article contains the results of a mapping of Payment Card Industry Data Security Standard (PCI DSS) v2.0 controls with COBIT 4.1. PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.

This mapping is designed to provide guidance to organizations seeking PCI compliance by identifying and highlighting the COBIT areas that should be considered for each requirement within PCI DSS. The mapping highlights how the processes in COBIT can support PCI DSS compliance activity. As a result, the mapping can be used as a reference for formulating an integrated and customized control framework for an organization.

Since COBIT covers the broad spectrum of IT control processes and PCI DSS is strictly focused on protecting cardholder data, any user of COBIT must first determine the relevance and applicability of IT processes and subprocesses within the COBIT framework. COBIT, a framework for the governance of enterprise IT (GEIT), has a broad scope and is applicable to all organizations, whereas PCI DSS v2.0 focuses more on the area of protecting cardholder data and is applicable to all organizations that hold, process or exchange cardholder information. PCI DSS controls are mandatory for organizations that collect credit card data, whereas COBIT has general controls that can be leveraged based on an organization’s requirements.

The implicit benefits of mapping PCI DSS v2.0 with COBIT include:

  • A unique set of controls—Organizations planning to implement PCI DSS can easily manage, measure and provide evidence of satisfying multiple compliance and governance requirements through a single unique set of controls.
  • Adherence to multiple standards—Organizations can adhere to multiple industry standards for securing credit card data by adopting the unique set of controls, through which organizations can increase their operational efficiency.
  • Increased performance—Each PCI DSS control and requirement is mapped extensively with COBIT controls after assessing the in-depth objective of the control, which results in increasing the performance efficiency of the security program.
  • PCI DSS compliance made easy—While compliance with PCI DSS is mandatory for organizations that process financial transactions through payment cards, its scope is limited to protecting cardholder data. However, COBIT is like an integrator for best practices. It is an umbrella framework for IT governance designed to apply across a variety of organizations, and it is universally recognized. For certain enterprises, PCI compliance is mandatory, and COBIT is used as a guideline.

Figure 1 provides a mapping of PCI DSS v2.0 to COBIT 4.1. Please note that multiple PCI DSS requirements can map to a single control in COBIT 4.1, as seen in requirements 11 and 12.

Figure 1
Figure 1 continued
Figure 1 continued


Information security will always remain a challenge for every organization dealing with customer information. Complying with PCI DSS v2.0 along with COBIT 4.1 controls, the organization can work efficiently with IT compliance and IT governance. PCI DSS v2.0 focuses on the compliance area, and COBIT 4.1 provides the overall governance.

PCI DSS v2.0 gives a detailed description of a number of important IT controls that can be applied to achieve compliance for the organization dealing with payment card transactions and storing customer information. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and in developing appropriate IT governance and control in an organization.

Pritam Bankar, CISA, CISM
is a senior consultant with Infosys Technologies Limited and has more than seven years of experience in information security, IT/information systems (IS) audits, compliance and regulations, and IT governance and strategy. Bankar is part of an IT controls and compliance practice and leads Payment Card Industry Data Security Standard (PCI DSS) service offerings for Infosys.

Sharad Verma
is a senior associate consultant with Infosys Technologies Limited and has several years of diversified experience across various domains including IT and business operations. Verma is certified in COBIT 4.1 and ITIL V3 and has worked in capability development for PCI DSS. He also designed a PCI DSS framework for Infosys. He has expertise in the security domain and experience in implementing ISO 27001.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.