You’re already PCI DSS compliant. What does that mean for GDPR?

Posted by Marco Borza on Mar 27, 2020 11:25:51 AM

If your organisation is already PCI DSS compliant, you are well on your way to achieving GDPR compliance too. As you work to comply with the General Data Protection Regulation you will notice that some of the principles and safeguards look very familiar.

This familiarity is important – it means you already have a good understanding of the principles that underpin the GDPR.

Here are 5 commonalities between PCI DSS and GDPR:

1. Both focus on protecting personal data

Personally identifiable data (sometimes called PID) is the core concern of both PCI DSS and GDPR. Every recommendation and requirement of both frameworks is focussed on protecting your customers. Although PCI DSS and GDPR both involve technical details like encryption and firewalls, these are included only to facilitate the protection of PID.

2. Both rely on identifying personal data

Both PCI DSS and GDPR rely on your business properly identifying the personal data it holds. In the case of PCI DSS, this data discovery relates only to payment data; the GDPR requires you to identify all personally identifiable information you have stored. To maintain compliance you will need to keep some kind of internal register of personal data stores that can be audited.

3. Both tightly regulate access to personal data

More than simply knowing where personal data is stored on the network, both regulations also outline expectations about access to that information. Access by third parties is clearly forbidden in almost all circumstances, but there are also demands that permission to use personal data is restricted to only those employees who need it for the purpose of providing services to customers.

4. Both frameworks require regular reviews of your security provisions

PCI DSS already demands that you review security provisions every year. The GDPR does not define any specific timeframes for security review, but the expectation is that every business routinely checks for (and repairs) weaknesses in its information security provisions.

5. Both attract heavy fines for non-compliance

Breaching PCI DSS or the GDPR attracts potentially enormous fines. Fines for PCI DSS breaches are calculated based on the number of consumers affected, multiplied by a fixed rate determined by the card issuer. GDPR fines will be determined by European courts and could reach as high as €20m or 4% of global turnover for the most serious breaches.

Putting your GDPR experience to work

As you can see, if your business has already achieved PCI DSS compliance, then you probably already understand many of the principles and risks associated with the General Data Protection Regulation. This means that you have a head start when it comes to securing all personal data held, not just that relating to card payment information.

However, you need to be quick. GDPR comes into force on May 25th, leaving just a few weeks to secure your business. For more help and advice on what you need to do, and how you can get help with PCI DSS and GDPR compliance, please get in touch or start internally with the GDPR Mapping Questionnaire.

Take the first step in your compliance journey: Download our GDPR Mapping Questionnaire