PCI DSS is the dominant standard for all companies that do storage, processing or transmission of payment card data. Since 2006, the compliance to this security standard is enforced by banks and acquirers in order to minimise the risk
of fraud with payment cards. It also evolved into one of the better-known security standards, serving as a reference for many other frameworks in many different industries.
At the same time, the legal framework for protecting personal data has changed drastically. In many countries, laws came into effect in 2006 to ensure that data breaches were reported and personal data is adequately protected. For countries that belong to the European Union, as of 25th May 2018, the new General Data Protection Regulation (GDPR) will replace the current Directive 95/46/EC on protecting personal data. This new regulation came into force on 25th May 2016, granting a term of two years to review their compliance, by companies that develop activities within The European Union.
How can GDPR be related to PCI DSS?
The GDPR and PCI DSS are both different tools that can be used by organisations to increase the security and protection of sensitive data. They are, however, not comparable to each other: PCI DSS is a security framework that describes – using more than 250 predefined controls – how to protect payment card data. It is a normative framework that both describes the required control and the associated measure that needs to be taken in order to comply with the control. We call this a descriptive framework.
On the other hand, the GDPR is a regulation that describes how personal data should be protected in terms of the organisational safeguards and controls that need to be present in order to protect the personal data and keep track of data breaches. It is much more oriented towards ensuring the privacy of citizens of the EU, making sure that data is
protected and that individuals can control the data that is stored about them. The main principles are:
- The duty to inform, to provide people, owners of your data, what knowledge you have about them, the purpose and origin of their data. Demonstrate: When and how did you grant authorisation for the use of them? Further to provide contact information about the delegate of the data protection.
- The right to rectify, people can ask for modifications to your data.
- The right to be forgotten, allows people to demand to any company, to immediately delete all obtained personal data.
- ‘Accountability’, determine who has access to the data.
- Implement necessary basic security measures and evaluate the risks on the data.
- Report the incidents to the data personnel, both to the country’s local supervisory authority, as to the people affected.
At first sight, the GDPR and PCI DSS seem to be focusing on different concepts and ideas. For example, PCI DSS describes precisely what has to be done in order to comply to the framework, while the GDPR is much more generic in terms of what needs to be done: the GDPR requires an organisation to take appropriate measures but does not describe any security measure or what the regulator regards as an appropriate measure.
When you look closer, however, there are many factors that are the same for companies doing GDPR or PCI DSS. The intersection between both standards is mainly along the accountability of data security. Within the GDPR, any entity is accountable – and must show this – for the personal data that it possesses and must demonstrate this at any given time. This is a major change from the previous laws and implementations, where you only had to demonstrate this after an incident was registered. For GDPR, companies must demonstrate their accountability at all times even if they have never had any incident. One of the ways to demonstrate this accountability is to show that the organisation is compliant with a security standard like PCI DSS or ISO 27001.
The lessons learned with PCI DSS will facilitate the path to GDPR
Compliance to GDPR is not optional. It is a requirement for all European entities that deal with personal data. Almost every company is affected because storing the least information on employees or customers leads to adherence to GDPR. There are some lessons that can be learned from the payment card industry that is useful for organisations that have to deal with the GDPR.
For example, one of the first activities in any PCI DSS assessment is the reduction of the scope. In order to comply to the security standard, one of the key elements is limiting the amount of systems where cardholder data is stored and limiting the number of people that can access sensitive data – in PCI DSS described as the PAN (the number of the
credit or debit card), the expiration date and the CVV code. This practice – reducing the number of people and systems that contain cardholder data – is also one of the key elements in complying the GDPR and ensuring that data is adequately protected. In fact, it has become one of the best practices that has been adopted in almost every security standard.
The reduction of the scope and the exact description of the data storage using a so-called cardholder data matrix is one of the first steps that need to be taken for PCI DSS and GDPR. After doing scope reduction and building a detailed look at the presence of personal data, measures need to be implemented in order to protect the data. PCI DSS describes these measures in detail, while the GDPR only describes that ‘adequate’ measures need to be taken. Here, one of the other lessons from PCI SSC comes into play: if it is not on paper – it does not exist. In other words: any measure that is taken or implemented needs to be documented in order to be valid.
On a more detailed level, many controls from the PCI framework can be used to demonstrate compliance to GDPR. Examples of these are continuous training, risk management, vulnerability identification and the assignment of security responsibilities to certain roles.
Throughout this article, we have seen that the GDPR and PCI DSS share some characteristics. In many cases, organisations will use PCI DSS or an equivalent security framework in order to demonstrate their accountability and protection of personal data. And while PCI DSS is strictly concerned with payment card data, it is a trivial task to apply the same rules to personal data.
If you don’t use the PCI DSS as your security framework, you can still learn from the lessons learned on PCI DSS. Doing scope reduction, building a data matrix and taking appropriate due diligence on external parties (‘service providers’ in PCI DSS) are among the best practices that can be used immediately in order to comply with the GDPR. The information we process and possess is of great value: payment card data can be used for fraud and personal data must be handled carefully to uphold the privacy of European citizens.
Want to know more about GDPR? Read ‘What to do with GDPR when you have multiple offices in and outside the EU’
About the author
Vincent Ossewaarde is a co-founder of Fortytwo Security and registered PCI DSS QSA. He is also a member of the advisory board on information security of Nederland.ICT and a regular contributor to both printed and online publications.