
DORA and PCI DSS

This article introduces the DORA requirements to readers who have years of cybersecurity experience but are new to DORA.


I have just started reading through the DORA requirements, and to apply my PCI knowledge and help organizations understand the difference between DORA and PCI DSS, I compiled the following summary table. Hopefully it will help introduce DORA requirements to those who, like me, have years of PCI experience but are very new to DORA.

Scope

DORA

Broad: Focuses on the digital operational resilience of the whole financial sector: financial entities of all kinds and the ICT third-party service providers on which they depend (critical ICT third-party providers are brought under a direct oversight framework).

PCI DSS

Narrow: Focuses specifically on protecting payment card data and applies only to organizations handling cardholder data.

Applicability

DORA

Mandatory for financial entities regulated in the EU, including banks, investment firms, insurance companies, payment institutions and e-money institutions, and for the ICT third-party service providers that serve them. It applies from 17 January 2025.

PCI DSS

Applicable to any organization worldwide that processes, stores, or transmits payment card data (e.g., merchants, payment processors, service providers).

Resilience requirements

DORA

Comprehensive: Emphasizes operational continuity, cybersecurity, incident management, and recovery. Includes an ICT risk management framework, business continuity and disaster recovery planning, a digital operational resilience testing programme (with threat-led penetration testing for entities identified by the competent authorities), and regular reporting to the competent authorities.

PCI DSS

Focused: Primarily centred on protecting payment card data through secure system configurations, encryption, monitoring, and access controls. Continuity and incident response are covered, but not as extensively as in DORA.

1. None of the PCI standards, except PCI 3DS, contains requirements for continuity planning or operational availability. PCI DSS itself touches continuity only indirectly: Requirement 12.10.1 expects the incident response plan to include business recovery and continuity procedures and data backup processes.
2. None of the PCI standards directly requires stress or resilience testing of the kind DORA describes.
3. Source code review is required in only a few places: PCI DSS Requirement 6.2.3 (review of bespoke and custom software before release), the Secure Software Standard, and P2PE Domain 2 (Application Security).

Security requirements

DORA

Broad: Requires comprehensive cybersecurity measures, including governance frameworks, ICT risk management, threat detection, incident response, vulnerability management, and security monitoring across the entire operational environment. Also includes security of third-party service providers.

PCI DSS

Specific: Focuses on 12 core requirements to protect cardholder data, including securing network infrastructure, encryption, strong access controls, vulnerability management, regular security testing, and monitoring. Primarily concerned with protecting cardholder data and payment systems.

Approach to penetration testing

DORA

Mandatory and Risk-Based: Article 24 requires every financial entity to run a digital operational resilience testing programme proportionate to its size and risk profile, covering the ICT systems that support critical or important functions and addressing both internal and external threats. Article 26 adds advanced threat-led penetration testing (TLPT) at least every three years for entities identified by the competent authorities; TLPT is run against live production systems in real-world attack scenarios, and ICT third-party providers must take part where their services are in scope.

PCI DSS

Required for the Cardholder Data Environment: Requirement 11.4 mandates internal and external penetration testing at least once every 12 months and after any significant change, covering systems that store, process, or transmit cardholder data together with connected-to and security-impacting systems, plus testing of the segmentation controls used to isolate the CDE (at least annually, and every six months for service providers). Testing must be performed by a qualified internal resource or a qualified external third party with organizational independence (a QSA is not required for this), and exploitable vulnerabilities must be corrected and retested.

Risk management

DORA

Comprehensive: Focuses on ICT risk management across the entire financial organization, including risks related to third-party providers. Requires continuous monitoring, regular risk assessments, and effective controls for operational resilience, incident prevention, and recovery. Emphasizes the management of technological and operational risks, with specific measures for risk assessment, testing, and mitigation.

PCI DSS

Specific: Focused on managing risks related to payment card data, including network security, access control, vulnerability management, and monitoring. Organizations must identify vulnerabilities, implement compensating controls, and ensure continuous monitoring of systems that store, process, or transmit cardholder data. Limited focus on broader organizational risk beyond payment data security.

PCI DSS v4 also introduces the targeted risk analysis: one form (Requirement 12.3.2) supports the customized approach, where the organization meets a requirement's objective with alternative controls of its own design, and another (Requirement 12.3.1) is used to define how often periodic activities are performed where the standard leaves the frequency to the entity.

Validation process

DORA

Regulatory: Supervised by the competent authorities. Financial entities must document and review their ICT risk management framework at least annually, run the resilience testing programme, report major ICT-related incidents, and keep a register of information on their ICT third-party arrangements, all of which can be requested and audited by the competent authority. Ongoing compliance with the operational resilience and cybersecurity requirements must be demonstrable on demand.

PCI DSS

Industry-driven: Validation levels are set by the card brands. Level 1 merchants and service providers (those handling the largest transaction volumes) undergo an annual assessment by a Qualified Security Assessor (QSA), or a qualified Internal Security Assessor where the brand permits it, documented in a Report on Compliance (ROC); lower-volume organizations complete a Self-Assessment Questionnaire (SAQ). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also required (Requirement 11.3.2).

Focus on Security and Resilience

DORA

Comprehensive: DORA emphasizes the overall operational resilience of financial institutions, including security, continuity, and recovery. It requires a holistic approach, ensuring that ICT systems can withstand and recover from disruptions and cyberattacks. This includes both cybersecurity measures and broader operational resilience strategies.

PCI DSS

Data-Centric: PCI DSS focuses primarily on the security of cardholder data within payment systems. While it includes security controls like monitoring, encryption, and access management, its scope of resilience is narrower, with emphasis on safeguarding payment data and maintaining system integrity rather than the broader organizational resilience required by DORA.

Incident Response and Reporting

DORA

Rigorous and Regulatory: DORA mandates a formal incident management process and the reporting of major ICT-related incidents to the competent authority on fixed deadlines: an initial notification (within four hours of classifying the incident as major, and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month. Significant cyber threats may be reported voluntarily. DORA also requires post-incident reviews, so that lessons learned feed back into the ICT risk management framework, and communication with the authority continues throughout the incident lifecycle.

PCI DSS

Data-Focused: Requirement 12.10 obliges organizations to establish, maintain, and test an incident response plan for suspected or confirmed compromise of cardholder data. Organizations must document and respond to breaches that may expose cardholder data and report them to the card brands and the acquiring bank under the brands' rules; PCI DSS itself imposes no regulator notification, although breach-notification laws (GDPR, for example) may apply independently. The focus is on quick containment, notification, and remediation.

Third-Party Risk Management

DORA

Comprehensive: DORA places significant emphasis on third-party risk management (Articles 28 to 30), requiring financial institutions to assess and monitor the risks posed by external ICT service providers throughout the relationship. It mandates contractual provisions with minimum content set out in Article 30, a register of information covering all ICT third-party arrangements, continuous oversight, and exit strategies for services supporting critical or important functions, and it ensures providers meet stringent cybersecurity and resilience standards. Critical ICT third-party providers are additionally placed under direct oversight by the European Supervisory Authorities.

PCI DSS

Limited to Cardholder Data: PCI DSS (Requirements 12.8 and 12.9) requires organizations to maintain a list of third-party service providers that have access to cardholder data or could affect the security of the CDE, to hold written agreements with them, to perform due diligence before engagement, and to monitor their PCI DSS compliance status at least annually, with a responsibility matrix showing which requirements each party owns. The scope is focused on protecting payment card data, not broader operational or ICT risks.

Again, the PCI family of standards does not focus on the reliability of services provided by third parties; the main concern is cardholder data security. The only exception is the services provided by P2PE component providers to P2PE solution providers.

Regulatory vs. Industry-Led Penalties and Enforcement

DORA

Regulatory: DORA (Regulation (EU) 2022/2554) is directly applicable EU law. Financial entities and in-scope ICT service providers must comply, and the national competent authorities supervise and enforce compliance, with administrative penalties and remedial measures defined in national law; critical ICT third-party providers answer to an oversight framework run by the European Supervisory Authorities. DORA thereby creates legal accountability across the financial sector.

PCI DSS

Industry-Led: PCI DSS is a security standard developed and maintained by the PCI Security Standards Council (founded by the major card brands). It is not a law; the obligation to comply comes from the card brands' rules, passed down contractually through acquiring banks and payment processors. Non-compliance can lead to fines levied by the brands via the acquirer, higher transaction fees, or termination of card processing services.

As you can see, there is a significant difference in approach, scope, applicability, and level of implementation of security controls.

Poor compliance managers, security and IT leads, right?

So, what can be done to minimize the efforts and harmonize PCI DSS and DORA compliance?

Here are the items where the efforts can be joined:

  • Unified risk assessment
  • Vendor management
  • Integrated incident response plan
  • Joint incident response plan testing
  • Consolidated cybersecurity framework (encryption, access control, etc.)
  • Centralized monitoring and reporting (SIEM)
  • Unified penetration testing and vulnerability management
  • Streamlined documentation with cross-references to both PCI DSS and DORA requirements
  • Integrated assessment process and reporting
  • Cross-training of teams
  • Shared tools and automation.

This is just the tip of the iceberg. I keep digging and will provide more specifics, so please stay tuned.
