Soothing the headache of compliance overload: a look at PCI DSS and GDPR

Four months have passed since GDPR became law and UK companies still have a long way to go to achieve compliance with the comprehensive EU data protection regulation. According to a survey conducted by TrustArc a month after the May 25th deadline, only 21 per cent of UK companies reported that they had achieved compliance. More encouragingly, 53 per cent of companies across the UK and Europe now say that they are in the implementation phase, and with 74 per cent of companies expecting to be compliant by the end of 2018 and 93 per cent by the end of 2019, UK businesses are definitely moving in the right direction.

It’s important to remember that the GDPR isn’t just about taking every effort to protect personal data. It also lays out clear procedures for managing communications in the event of a breach. British Airways, for example, in spite of suffering a serious security breach, has received praise for its handling of the situation after the event. The organisation was quick to inform affected passengers and to alert the Information Commissioner’s Office (ICO), following the guidelines and processes which are laid out by the GDPR.

Whichever phase organisations find themselves in, GDPR compliance can be a time- and resource-intensive process. For many payment providers, this latest regulation seems like yet another box they need to tick just to continue trading. It’s not all doom and gloom, however - organisations that have achieved Payment Card Industry Data Security Standard (PCI DSS) compliance may find that they are further down the road to GDPR compliance than they expected.

Being PCI DSS compliant does not mean a business has all of the requirements for GDPR in place (if only!), but the time and effort invested in PCI DSS most definitely stands these organisations in good stead for an easier road to GDPR compliance.

To better understand the two regulations’ similarities and differences, it is important to explore them in more detail. Here’s a closer look:

The importance of semantics

One of the most important differentiators between GDPR and PCI DSS lies in their definitions: GDPR is a law, while PCI DSS is a standard. In essence, this means that organisations found to be non-compliant or in violation of GDPR can face fines of up to €20 million or 4 per cent of the previous year’s annual turnover, whichever is larger. While the regulation is still too new for any large fines to have been issued, the threat of such punitive – and legally enforceable – fines is helping to ensure businesses invest in proper GDPR compliance measures.

In contrast, PCI DSS is not actually a law. It is an industry standard aimed at securing payment transactions and protecting cardholders against the misuse of their personal information. This does not make it less important than GDPR; any organisation that processes, stores or transmits payment card data - including merchants and service providers - must aim to comply with PCI DSS.

While the PCI Security Standards Council (PCI SSC) does not have legal authority to impose fines on businesses that are not compliant, payment card brands can still impose costly penalties on a merchant’s acquiring bank if the merchant is found to be non-compliant. According to the UK Card Association, retailers may be liable for non-compliance fines if they do not work toward compliance with their acquirer and, ultimately, the acquirer may be forced to terminate the relationship, preventing the business from accepting card payments.

And perhaps more importantly, non-compliance with PCI DSS puts a business’s customer data at greater risk, making it more vulnerable to fraudsters. We’ve all seen the consequences of data breaches – the resulting lost customers and reputations may prove to be even more detrimental to a business than the threat of fines.

Defining data: personal vs payment

While GDPR and PCI DSS both deal with data protection and privacy, it is important to note the different types of data that are applicable to each regulation. GDPR applies to any personal data connected to any EU or UK resident and his or her private, professional or public life. This includes names, home addresses, photos or images, email addresses, bank details, medical information, posts on social networking websites and even a computer’s IP address.

PCI DSS deals more specifically with payment card data and cardholder information, such as credit/debit card numbers, primary account numbers (PAN), and sensitive authentication data (SAD) such as CVVs and magnetic stripe data.

This means a data breach that violates PCI DSS compliance also violates GDPR, but a breach that violates GDPR compliance does not necessarily violate PCI DSS.

Monitoring sensitive data

Despite their differences, GDPR and PCI DSS have comparable requirements for the handling of sensitive data. When it comes to personal information, both regulations require logs to be kept and regularly monitored to ensure the information is being protected and controlled.

More specifically, PCI DSS requires that a business knows where its cardholder data resides, as well as ensuring the data is encrypted to a certain standard. This practice, put in place for PCI DSS compliance, can also contribute to processes for GDPR compliance.

How technology can help ease compliance

Treating all personal data as ‘toxic’ and keeping it away from business servers and IT systems is an accepted best practice when it comes to PCI DSS compliance. Many organisations already do this and can therefore avoid re-inventing the wheel and duplicating efforts. If personal data isn’t on their systems in the first place, it isn’t subject to GDPR regulations.

For example, businesses that use contact centres to take payments over the phone can use dual-tone multi-frequency (DTMF) technology to capture payment details, while still keeping them safe.

DTMF solutions make this possible by taking payment card information as customers enter it via their telephone keypad. The keypad tones are masked with flat ones, making them indecipherable to customer service representatives on the call. This prevents the card information from being captured on call recording systems or heard by customer service representatives who could potentially write the numbers down and use them later for fraudulent purchases.

The segregated data is then securely routed directly to the payment processor, by-passing the contact centre’s IT systems entirely. Because they no longer handle, process or store the payment data, these areas of the business are no longer under the scope of compliance for PCI DSS and they have also reduced the amount and type of data on hand that is subject to GDPR compliance.

Keeping as much personal information as possible out of the organisation’s IT infrastructure also makes a company a much less attractive target for hackers and fraudsters, which in turn helps protect the organisation’s brand reputation from high-profile data breaches.

It’s important to note that the GDPR goes much further than PCI DSS in setting requirements for how companies handle sensitive information or report data breaches. For example, it was GDPR which imposed obligations on BA to respond and publicise its data breach, not PCI DSS; BA’s response may come to be seen as a model response under the regulation in the near future. Even if this is not the case, it’s highly unlikely that we’ll see the ICO imposing the full fine.

Compliance with GDPR also requires ‘informed consent’ from an individual before an organisation can handle their personal data, aimed at giving individuals more control over and visibility into where their data is and how it’s being used.

Even with these more in-depth requirements, any business with PCI DSS compliance should already have a sound approach to data security in place. This will go a long way in advancing them from the ‘early implementation’ phase toward ‘compliance’ - speeding up the route, not only to GDPR compliance, but to more informed, transparent relationships with customers when it comes to their personal data.

Tim Critchley, CEO, Semafone