As the world grows more connected every day and more realms of our lives shift online, data security and privacy have become a priority for consumers, organizations, and governments alike. Bodies like the Payment Card Industry Security Standards Council (PCI SSC) and other independent industry organizations have tended to take the lead, creating standards and best practices for their constituencies, some of which have been in place for years. More recently, government regulators have begun to turn their attention to how companies treat the sensitive data of their customers, with every US state now having its own version of a data breach notification law, and whole countries such as Australia passing a national regulation in February 2018.
The most comprehensive data security legislation of them all went into effect on May 25, 2018, when the EU’s General Data Protection Regulation (GDPR) officially became the law of the land inside the European Union, making it the closest thing the world has to a truly global data security standard. It is wide-ranging legislation that mandates how organizations must process the sensitive data of European citizens and gives consumers unprecedented control over their own data.
What does the GDPR have in common with independent standards like the PCI DSS, for which many companies already have compliance programs in place? While many of the minute details differ, the underlying principles stay the same. Here, we’ll outline the similarities and differences and explain how to leverage and build on the controls implemented for one to achieve compliance with the other.
What is the PCI DSS?
Formed in 2004 when the five major payment card providers (Visa, MasterCard, American Express, Discover, and JCB) joined together to create the PCI SSC, the council publishes the Payment Card Industry Data Security Standard (PCI DSS), which outlines twelve overarching security requirements that merchants must implement in order to process card transactions on behalf of the card issuers. The reporting requirements differ slightly depending on merchant level, ranging from filling out self-assessment questionnaires (SAQs) to working with independent third-party Qualified Security Assessors (QSAs) that certify compliance through a PCI certification. Regardless, every merchant that accepts payments via card must comply with the PCI DSS, whatever their size or the number of transactions they process each year.
While the PCI DSS is not mandated by any government and is instead independently controlled by the PCI SSC, the harsh consequences of noncompliance still provide enough incentive for organizations to take the standard seriously. Failure to comply could result in fines ranging from $5,000 to $100,000 per month, and in the worst cases the payment card issuers could revoke the privilege to process card transactions entirely.
What is the GDPR?
The GDPR was originally adopted by the European Commission on April 14, 2016, and companies were given two years to meet their compliance obligations before the sweeping legislation went into effect. As Danny Palmer puts it in his synopsis of the regulation, “At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
“Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.”
Among the many aspects of this law is the “right to be forgotten,” which provides a legal basis for data subjects to request that companies delete their personal data from their systems. Additionally, organizations may now only process someone’s personal data if they have a “legitimate business interest.”
The GDPR applies to every organization processing the data of EU citizens, regardless of whether the organization itself is based inside Europe. Failure to comply could result in fines of up to €20 million, or 4% of global revenue, whichever is greater.
What are the major differences between the PCI DSS and GDPR?
Apart from the consequences of noncompliance, there are several major differences between these two data security standards.
For one, the PCI DSS is an independent standard and not a regulation enforced by any government entity. On the other hand, the GDPR is mandated by the European Union, which has broad authority to enforce compliance.
Another major difference is the scope of each standard. The PCI DSS only applies to cardholder data, which includes things like the primary account number (PAN), the cardholder name, the expiration date, and the security code found on the back of the card. Requirement 3.4 of the PCI DSS outlines the ways in which cardholder data must be stored.
By contrast, the GDPR is much broader in scope than the PCI DSS because it applies to all personal data. The European Commission defines personal customer data as “any information relating to an individual, whether it relates to his or her private, professional or public life.” Under this definition, personal data could include any of the following:
- Home address
- Email address
- Bank details
- Posts on social networking websites
- Medical information
- A computer’s IP address
In addition to the difference in the types of data covered under each standard, there is also a difference in whose data is covered. While the GDPR applies to the personal data of citizens of the European Union, the PCI DSS applies to the data of every cardholder, regardless of where they reside or complete a transaction.
What overlap exists between the PCI DSS and GDPR?
While there are a number of major differences between the two standards, there is also some overlap. Fundamentally, the underlying philosophy of the two standards is the same: protecting the sensitive data of consumers. Because the PCI DSS has been around for more than a decade and any company that processes credit card transactions will already have had to implement measures to comply with it, the GDPR can be seen as an extension of the PCI DSS, with the PCI DSS serving as a solid foundation that already incorporates security best practices and common-sense protocols.
How to Comply With Both the PCI DSS and GDPR
With the 12 requirements of the PCI DSS serving as a solid base for GDPR compliance, we recommend several additional best practices to ensure ongoing compliance with both:
- Regularly train staff on proper security procedures for handling sensitive data, and make sure they can identify a threat when they encounter one.
- When it comes to outsourcing, only work with trusted third-party partners who make security a priority and understand how to comply with various regulatory requirements.
- Minimize your risk. Whenever possible, reduce the amount of personal data you collect. If you don’t need a piece of information, don’t collect it at all; that keeps it out of your business infrastructure entirely.