Will PCI DSS Compliance Give You a Head Start Meeting GDPR Requirements?
May 7, 2018 | Guest Blogger: Tom Wood, IT Governance Publishing

Unprepared organisations face a significant challenge in meeting the requirements of the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.

According to Claranet’s Beyond Digital Transformation report, more than two-thirds of British businesses are not securing customer data effectively. 45% said they are having problems securing customers’ details when trying to improve the digital user experience.

Although most businesses are worried about the GDPR, those compliant with the Payment Card Industry Data Security Standard (PCI DSS) may already have a head start.

The link between the PCI DSS and the GDPR

The PCI DSS and the GDPR both improve the protection of customer data. However, the PCI DSS focuses on payment card data whereas the GDPR focuses on European residents’ personal data.

The key difference between the two is that the GDPR sets out what businesses need to do but doesn’t say precisely how, whereas the PCI DSS highlights what needs to be achieved and how to achieve it.

The PCI DSS and the sixth principle of the GDPR

The sixth data protection principle of the GDPR (confidentiality and integrity) requires data controllers and processors to assess risk, implement appropriate security for the data concerned and check that it is up to date and that protection controls are working.

The PCI DSS creates a set of controls for keeping cardholder data secure, supported by a regulatory framework. These controls can be applied across a whole business (without extending the cardholder data), and the resulting controls and processes could provide the building blocks needed to meet the sixth principle’s requirements.

Extending PCI DSS encryption to your GDPR project

Requirement 3 of the PCI DSS provides guidelines for protecting cardholder data and the specific requirements for encryption. For example, it requires that the primary account number (PAN) must be rendered unreadable wherever it is stored. This includes digital media, backup media and logs.

The GDPR also wants organisations to render certain elements of personal data unreadable; this can be done using pseudonymisation, encryption or both.

Extending your PCI DSS encryption to cover all personal data will be another step towards meeting the GDPR’s requirements.
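The post says the PAN must be rendered unreadable wherever it is stored, logs included, and that the GDPR accepts pseudonymisation or encryption for personal data more broadly. As an added example (not code from the post or from IT Governance Publishing), the following Python scrubs PANs out of log lines before they are written, keeping at most the first six and last four digits, and pseudonymises other personal identifiers with a keyed hash; the regular expression, the Luhn filter and the sample log line are my own assumptions.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop it matching inside longer digit runs such as order numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the maximum PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line; non-card digit runs are left alone.
    A non-card number that happens to pass Luhn is also masked, which is the safe failure."""
    def repl(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"\D", "", candidate)
        return mask_pan(digits) if luhn_ok(digits) else candidate
    return PAN_RE.sub(repl, line)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): stable for joins, not reversible without the key.
    Keep the key outside the data store so the pseudonym cannot be re-identified from the data alone."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample line using a well-known test card number, not real cardholder data.
    print(scrub_log_line("2018-05-07 auth card=4111 1111 1111 1111 customer=alice@example.com"))
```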

Breaching the PCI DSS means breaching the GDPR

Cardholder information is defined as personal data by the GDPR. This means a breach of this information would make the organisation liable not only under the PCI DSS but also under the GDPR. This reinforces the importance of encrypting and securely storing cardholder information.

With the GDPR, all personal data breached must be reported to the supervisory authority within 72 hours. Failing to do this can result in a fine of up to €10 million or 2% of annual turnover, whichever is greater.

Inadequate implementation, or non-implementation, of the PCI DSS will be seen by the Information Commissioner’s Office (ICO) as a failure to implement appropriate “technical and organisational measures” to protect personal data. Therefore, a cardholder data breach will attract GDPR penalties in addition to bank fines.

In summary

An organisation that is PCI DSS-compliant reviews its cardholder data annually. These scheduled reviews give a working framework that can be transferred or expanded to comply with the GDPR.

Tom Wood is a member of the IT Governance Publishing team.