Achieving full compliance with the General Data Protection Regulation (GDPR), which applies from May 25, 2018, is one of the most important considerations for businesses around the world this year. It is an ongoing effort for IT and security leaders, and it interweaves with the compliance programs they already run.
One silver lining is that many GDPR requirements overlap with regulations and standards that organizations already follow, such as the Payment Card Industry Data Security Standard (PCI DSS). Even better, the PCI DSS v3.2 requirements that became mandatory on February 1, 2018, bring the card industry standard closer still to the GDPR mark.
According to IT Governance, Jeremy King, International Director of the Payment Card Industry Security Standards Council (PCI SSC), recently said, “People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.”
Why Are PCI DSS and the GDPR Complementary?
The goals of PCI DSS and the GDPR are essentially the same: ensuring that organizations secure and protect the sensitive data they hold about individuals. The GDPR protects the personal data of individuals in the European Union, whatever form it takes, while PCI DSS concentrates on payment card and cardholder data. The primary difference between the two is that PCI DSS is highly prescriptive while the GDPR is not.
PCI DSS lays out a detailed set of controls that a business must implement to secure cardholder data. The GDPR, on the other hand, sets out principles and obligations but does not offer a methodology or a control set for meeting them.
The Importance of the Recent PCI DSS v3.2 Update and the Prioritized Approach
The PCI SSC released PCI DSS v3.2 in April 2016. Its new requirements were considered best practices until January 31, 2018, and became mandatory on February 1, 2018.
The Prioritized Approach to PCI DSS v3.2 groups the standard's 12 requirements into six security milestones, giving merchants and other organizations a roadmap to compliance. The milestones are ordered so that the controls that reduce the most risk come first, helping organizations protect cardholder data against ever-escalating threats while working toward full PCI DSS compliance.
Using the six milestones as a planning tool, merchants can develop, implement and monitor the security policies and controls that assessors will later evaluate during an audit.
Broken down, the primary benefits associated with the Prioritized Approach and its milestones are:
- A roadmap that helps an organization address its risks in order of priority
- A simple, pragmatic approach that allows for “quick wins”
- Support for operational and financial planning
- Measurable, objective indicators of progress
- Tools and strategies that promote consistency among assessors
Like the GDPR, PCI DSS v3.2 and its Prioritized Approach take a risk-based view: activities are prioritized by the risk associated with storing, processing and transmitting cardholder data. The ultimate goal is to keep consumer information safe at all times, and to limit the damage if a breach does occur.
The six security milestones are:
1. Remove Sensitive Authentication Data and Limit Data Retention.
This milestone applies the “less is more” principle to data storage. Sensitive authentication data (full track data, card verification codes, and PINs or PIN blocks) must never be stored after authorization, and any cardholder data you do not need, or no longer need, should be removed from your systems and networks so that it cannot be exposed if you suffer a breach.
2. Protect All Systems and Network and Prepare for a Breach.
This milestone targets the controls at the points of access most likely to be used in a system compromise. Here you also develop and test the processes for responding to a breach.
3. Secure Payment Card Applications.
Payment card applications handle exactly the data attackers want. This milestone sets controls to protect the applications themselves, the processes that develop and maintain them, and the servers they run on.
4. Monitor and Control Access to Your Systems.
Proper authorization controls are essential to protecting consumer data. This milestone covers logging and reviewing who accesses the network and the cardholder data environment, so that you can tell whether any access is cause for concern. Since February 1, 2018, PCI DSS v3.2 also requires multi-factor authentication (MFA) for all non-console administrative access to the cardholder data environment.
5. Protect Stored Cardholder Data.
If you have analyzed your business processes and determined that there is cardholder data you must store, such as the primary account number (PAN), this milestone covers the protection mechanisms for that stored data, such as rendering the PAN unreadable wherever it is stored.
6. Finalize Any Remaining Compliance Efforts to Ensure All Necessary Controls are In Place.
With this milestone, you finalize any remaining policies, procedures and processes needed to protect your cardholder data environment and confirm that every control is in place.
PCI DSS Can Help Businesses Achieve GDPR Compliance in 4 Key Ways
A quick scan of the Prioritized Approach and its six security milestones has probably already drawn your attention to the similarities between PCI DSS and the GDPR.
Let's take it one step further and show how PCI DSS can serve as a roadmap to solid GDPR compliance in the following four ways.
1. A PCI Data Breach Is Also a GDPR Data Breach
Cardholder data is personal data, so any time a cardholder's identifiable data is exposed to someone without authorization, it is a breach under both PCI DSS and the GDPR. If your organization suffers one, you may face consequences under both: notification obligations and fines under the GDPR, and contractual penalties from your acquirer and the card brands under PCI DSS.
The milestones you address in your PCI DSS compliance schedule are likely to cover the GDPR requirements intended to prevent breaches, such as storing only the data that is absolutely essential (the GDPR calls this data minimization).
2. Limiting Access to Data for PCI DSS Benefits GDPR
Ensuring that only the right people are authorized to access consumer data is a key step toward compliance with both PCI DSS and the GDPR. The best tack is to grant access on a need-to-know basis: a person gets access to the cardholder data environment only if their job requires it. The fewer authorizations your team has to manage, the easier it is to control access and limit risk.
3. Penetration Testing in PCI DSS Can Help Uncover Vulnerabilities in GDPR
Performed by a qualified tester, a penetration test is essentially a controlled hacking exercise. The tester uses the same methods and techniques a cybercriminal would use to uncover vulnerabilities in your organization's networks and applications, and PCI DSS requires such tests at least annually and after any significant change. The same vulnerabilities that would endanger cardholder data would also put the personal data the GDPR covers at risk.
4. Developing, Maintaining and Updating Information Security Policies and Procedures
Once you review the security policies and procedures you have developed, maintained and regularly updated for PCI DSS, you will likely find that they apply to the GDPR as well.
A few details to keep in mind for your own policies and procedures include:
- Keeping the documentation of all data processing activities up to date
- Developing and implementing measures, such as data protection impact assessments, that help you assess the impact of data collection and storage
- Adopting organizational measures, such as engaging a professional auditing firm, to demonstrate full and consistent compliance with PCI DSS and the GDPR
Do You Believe Your PCI DSS Is Helping to Ensure Your GDPR Compliance?
With these four basic ways that PCI DSS can help you achieve GDPR compliance, you may feel set for success. However, if you still need help seeing the finer points of how useful PCI DSS can be for your GDPR compliance confidence, our I.S. Partners, LLC team can help. We understand how tall an order it is to add one more regulation to the mix, and the GDPR adds a whole new dimension to compliance, so we are ready and happy to pitch in and help you get your footing.