Skip to main content

PCI and GDPR: How to be cross-compliant

(Image credit: Image source: Shutterstock/Wright Studio)

In less than a month, the General Data Protection Regulation (or GDPR) will come into force, bringing with it strict rules relating to the storage and handling of personal information, and harsh punishments for those who fail to comply.

For some time companies have been working, to ensure that they don’t fall foul of these new regulations, but with zero hour rapidly approaching, many are still left with much to do.

The impact of non-compliance

It’s no secret that a lack of compliance with the GDPR will have far-reaching repercussions. Fines of up to 4 per cent of total worldwide turnover or €20 million, whichever is higher (depending on the severity of the breach) aren’t something that can be shrugged off, indeed for smaller businesses just one breach could be the end of them entirely, but compliance with the already well-established PCI DSS could (nay, should) lend a hand to those looking to get ahead.

The GDPR’s introduction presented a raft of challenges to companies all over the world, as they seek to keep up to date with the rigours of a rapidly changing industry, among them sit issues such as staffing and data storage, which are proving particularly troublesome for many businesses as they seek readiness for the EU’s new regulations.

Education is the key to compliance

Ensuring that staff know their revised roles and responsibilities is perhaps the chief issue facing many companies, and with a serious shortage of primed data officers and other experts, it isn’t one that is easily solved.

Audits make compliance a breeze

Similarly, auditing data storage solutions and ensuring that permissions are transparent and adequately administered by Data Protection Officers (DPOs) has been cited as cause for concern, and the aforementioned dearth of talent is a key quandary in this respect, too.

Does PCI DSS compliance mean automatic GDPR compliance?

Companies that are PCI DSS compliant have a leg up on companies that are trying to prepare for the GDPR cold, however.

While there are obvious differences between the two, such as the GDPR being much wider in scope, relating to all personal data, compared to only cardholder data, and the weight of fines and sanctions involved in non-compliance, the two do cross paths, at which point the PCI DSS could be a great asset.

Both pieces of regulation sit on the same branch, so to speak, and a breach of PCI DSS is a breach of GDPR. However, PCI DSS is much more descriptive on how to achieve compliance and as a complete contrast, the GDPR is somewhat watered down in specifics.

Stringent data handling

PCI DSS has also demanded stringent data handling procedures for some time, such as knowing where cardholder data resides, and it also demands – in requirement 3 - that cardholder data be encrypted to a certain standard, these two key points will be integral in staying compliant with the GDPR.

Similarly, the GDPR explicitly states (in article 25) that logs must be kept relating to the processing of personal data, so that any access can be closely monitored. This mirrors PCI DSS requirement 10.6.1., which requires the daily review of logs to ensure personal data is being adequately controlled.

Personal data definition

The similarities don’t end here. A dig into what is required for PCI DSS compliance will set a business on the right path and encourage key behaviours which will be invaluable for those looking to stay within the confines of the GDPR.

What’s key to note is that in general, a breach of PCI DSS compliance means a breach of GDPR. The latter defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, while PCI DSS defines cardholder data as the primary account number, but it may not include the personal data of the individual such as a name, address or social security number.

By its very nature, by failing to protect the account number of an individual, GDPR has been breached as that particular information comes under the identification number umbrella.

ICO regulation

Both the GDPR and PCI DSS are regulated by the Information Commissioner’s Office (ICO) in the UK and if there’s a data breach, whether of personal information or specific cardholder data, it’s likely to be investigated by the ICO. The organisation will look into the severity of the breach, how and why it happened and penalise the offending business appropriately.

Perhaps most important of all is that there is already a wealth of knowledge and talent relating to PCI DSS compliance, and these individuals and companies are waiting to help businesses nurture good habits – habits which could be the making of them.

It’s vital businesses continue to observe PCI DSS compliance when considering the impact of the GDPR and apply the principles of both to ensure they escape the wrath of the ICO.

Tony Smith, EMEA sales director, PCI Pal
Image source: Shutterstock/Wright Studio

Tony Smith is EMEA sales director at contact centre security solutions business PCI Pal.