NIST CSF 2.0 → PCI DSS crosswalk
A control-by-control mapping between NIST Cybersecurity Framework 2.0 and PCI DSS v4.0 (13 mappings).
| NIST CSF 2.0 | PCI DSS | Relationship | Source | Notes |
|---|---|---|---|---|
| DE.CM-01 Networks and services monitored | Req. 10 Log and monitor all access to system components and cardholder data | Equivalent | Official mapping | Logging, monitoring & detection |
| GV.OC-01 Organizational mission and security role understood | Req. 12 Support information security with organizational policies and programs | Partial | Official mapping | Governance & security policy |
| ID.RA-01 Vulnerabilities identified and recorded | Req. 11 Test security of systems and networks regularly | Equivalent | Official mapping | Vulnerability management |
| PR.AA-01 Identities and credentials managed | Req. 7 Restrict access by business need to know | Equivalent | Curated | Access control & identity |
| PR.AA-01 Identities and credentials managed | Req. 8 Identify users and authenticate access | Equivalent | Official mapping | Access control & identity |
| PR.AA-05 Access permissions and authorizations enforced | Req. 7 Restrict access by business need to know | Equivalent | Official mapping | Access control & identity |
| PR.AA-05 Access permissions and authorizations enforced | Req. 8 Identify users and authenticate access | Equivalent | Curated | Access control & identity |
| PR.DS-01 Confidentiality of data-at-rest protected | Req. 3 Protect stored account data | Equivalent | Official mapping | Cryptography & data protection |
| PR.DS-01 Confidentiality of data-at-rest protected | Req. 4 Protect cardholder data with strong cryptography during transmission | Equivalent | Curated | Cryptography & data protection |
| PR.DS-02 Confidentiality of data-in-transit protected | Req. 3 Protect stored account data | Equivalent | Curated | Cryptography & data protection |
| PR.DS-02 Confidentiality of data-in-transit protected | Req. 4 Protect cardholder data with strong cryptography during transmission | Equivalent | Official mapping | Cryptography & data protection |
| PR.PS-01 Configuration management practices established | Req. 2 Apply secure configurations to all system components | Equivalent | Official mapping | Secure configuration & hardening |
| PR.PS-04 Log records generated for monitoring | Req. 10 Log and monitor all access to system components and cardholder data | Equivalent | Official mapping | Logging, monitoring & detection |
Mappings marked “Official” derive from standards-body informative references; “Curated” mappings are authored by Cyber Compliance and provided for guidance only.