PCI DSS Compliance & CIS Benchmarks


The Payment Card Industry Data Security Standard (PCI DSS) comprises 12 requirements that guide organizations that store, process, or transmit cardholder data in securing their systems. PCI DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) points to the CIS Benchmarks in sub-requirement 2.2, which calls for documented configuration standards:


2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards, for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).


In addition, PCI DSS contains other requirements for which the CIS Benchmark configuration recommendations are useful in achieving compliance, including:

              1.1 Firewall and router configurations
              6.1 Patch deployment
              6.4 Change control
              7.1 Access control
              plus numerous other specific requirements.

The PCI DSS document is published by the PCI Security Standards Council.

FISMA Compliance and CIS Benchmarks

The NIST National Checklist Program Repository includes the CIS Benchmarks as official configuration guidance for federal agencies and other entities that are subject to FISMA compliance requirements. Visit the NIST National Checklist Program Repository for more information.

CIS-CAT Pro Assessor is a validated product under the NIST Security Content Automation Protocol (SCAP) program in the following categories:

              FDCC Scanner
              Authenticated Configuration Scanner

As a NIST-validated tool, CIS-CAT Pro Assessor may be used to audit systems subject to FISMA requirements for compliance with CIS Benchmark configuration recommendations. Visit the NIST Security Content Automation Protocol Validated Products page for further information.

Other Security Standards and CIS Benchmarks

The CIS Benchmark configuration recommendations are widely used to attain compliance with a number of recognized security standards and regulations, including:

                ISO/IEC 27002
                Gramm-Leach-Bliley Act (GLBA)
                Sarbanes-Oxley Act (SOX)

The standards and codes of practice named above address the protection of information in a horizontally comprehensive manner, touching on many facets of information security such as asset classification, authentication methods and access privileges, event logging, segregation of duties, encryption, and others.


Within these standards, the components of information security are typically expressed in a technology- and vendor-agnostic way, at a level of generality that requires further elaboration of detail before they can be implemented operationally. The CIS Benchmarks supply that missing detail: their platform-specific, operationally detailed, and actionable configuration content is what makes them so useful for implementing the security standards and codes of practice noted above.