GDPR principles lean on PCI DSS - what we can learn

Achieving PCI DSS compliance can be a relatively long, and costly, experience. The need to analyse and document every aspect of the card payment processing process within your company consumes resources and time. There is the also not insignificant investment in improved security and encryption technologies to consider.

For the CIO, the General Data Protection Regulation promises to further complicate issues – and increase costs too. The good news is that your experience with the PCI DSS compliance process could actually help to reduce GDPR costs. Here are three ways to save:

1. You already understand the data audit process

The starting point of any PCI DSS compliance exercise is understanding how personal data moves through your network, and where it is stored. In order to demonstrate compliance, you need to document your findings – and keep these records up to date.

The Global Data Protection Regulation extends to all personally identifiable data (PID) – not just payment-related information. In order to protect all PID, you must first know where it is being stored, how it moves in and out of the business, and the security measures employed to protect it.

This familiarity will help to speed up the discovery and documentation process, helping to make it cheaper too.

2. You already have external security defences in place

PCI DSS demands that personally identifiable payment data is encrypted in transit, and at rest. Data is also placed behind firewalls and permissions-based safeguards to restrict access, and to place stolen information beyond recovery.

The principle of securing PID for GDPR compliance is virtually the same – just applied on a wider scale. It is extremely likely that many of the safeguards employed to protect payment data can be configured to include the rest of the PID you store.

By using existing security systems, your business can avoid significant additional capital spend, dramatically reducing the financial cost of GDPR compliance.

3. Your staff are already trained in data protection

Protecting payment information is not purely a technical matter. Your employees also routinely handle PID – and they must be trained to do so safely, to prevent loss, leakage or theft.

Again, the disciplines behind protecting payment data are almost exactly the same as the other PID you hold. Principles include:

• Using information only for the purpose agreed by the individual.
• Restricting access internal according to need.
• Reporting suspected breaches or loss immediately.

You may need to provide refresher training to your employees, but they are already working to the PCI DSS standard. This grounding gives them a head start, so they will not need to be taught from scratch again.

Not only will this existing knowledge help to reduce training spend, but also the overall learning curve – which means that your customers’ data is far less likely to be exposed. Which means that your business is far less likely to be prosecuted and fined for breaching the GDPR.

Plugging the gaps in your PCI DSS and GDPR knowledge

Ultimately, PCI DSS has laid the groundwork for GDPR – if you adhere to the payment industry framework, you are well on your way to achieving GDPR compliance. Better still, your existing knowledge could help to reduce the cost of securing all PID held by your organisation.

However, the reality is that the GDPR is different to the PCI DSS standard. Rather than take a chance and hope that your provisions are sufficient, you should partner with an experienced GDPR specialist like Advantio who can help plug gaps in knowledge and safeguards.