PCI DSS and GDPR compliance

Something happened in the IT world that has stirred up a storm of different feelings and opinions. Let’s talk about this very important and unprecedented event.

As of May 25, 2018, a new requirement for the protection of personal data, GDPR — General Data Protection Regulation, came into force in Europe. This is an unprecedented development in the history of information security. Under this new requirement, the responsibility for data protection lies directly with top company management.

Detected violations of GDPR requirements may lead to the imposition of fines. The court may demand a fine of 4% of the company’s total income for the previous fiscal year, but not less than EUR 10 million. Such figures have shocked business leaders and owners.

For skeptics who do not believe in the seriousness of this requirement, let’s put it this way: 500 auditors have been trained in Brussels and have the right to audit any company in the EU. And who knows when and which companies and businesses these audits will target?

GDPR requirements are focused on protecting the data of EU citizens. Moreover, a company subject to GDPR need not operate in the EU at all; it is enough that it collects data from EU citizens. Such companies include, for example, the social network Facebook.

Here is some important information about GDPR requirements:

• A company collecting, storing or processing personal data must clearly define the purpose for doing so. Such a company must obtain permission from each individual to collect and process their data. It is prohibited to use personal data for purposes other than those stated or to transfer this data to third-party companies without the owner’s permission!

• Each company must provide procedures and technologies that allow citizens to make inquiries about all their personal data and demand their deletion from databases.

• Companies are obliged to notify personal data owners when their IT infrastructure has been hacked or in cases of data leakage (loss).

The GDPR has caused a stir not only in the European market but also around the world. Many companies have announced that they will stop collecting any personal data and doing business in the EU.

Some analysts say that GDPR requirements may conflict with PCI DSS requirements and that PCI DSS certification will become much more complicated with the advent of GDPR.

Is that true? Let's try to figure it out.

PCI DSS defines the requirements for protecting cardholder data, and it lists very clearly what this data includes:

• First and last name;
• Card number;
• Card expiration date;
• Contents of the magnetic stripe;
• EMV chip content;
• PIN code;
• CVV/CVC2 verification code.

Clearly, the only personal data in the list above is the first and last name. The card-issuing bank usually collects various other data about its customers, but PCI DSS has nothing to do with that data. At the same time, Requirement 3 of the PCI DSS states that all of the listed data may be stored only when necessary. In other words, the storage of personal data must be justified by a business need.

Accordingly, if a first and last name is not required for bank transactions, then the bank, merchant or provider may choose not to store or collect this data. Since the data is neither stored nor collected, such companies automatically fall outside the scope of GDPR.

Other PCI DSS requirements oblige companies to encrypt data securely during storage and transmission and to delete it after the card expires. These requirements not only correspond to the content and essence of GDPR requirements, but also provide practical guidance for personal data protection.

Compliance with all the requirements of the PCI DSS will improve data security, which will help reduce the likelihood of IT infrastructure hacking and data theft.

The conclusion is simple: CEOs whose companies are PCI DSS certified don’t have to worry about GDPR compliance. Meeting the requirements of the PCI DSS is an excellent basis for meeting GDPR requirements.

The experts of IT Specialist provide consultations on how to meet the requirements of PCI DSS and GDPR. After a consultation, the client will be offered a plan for implementing the necessary security measures. Everything is quite simple if you entrust your company’s cybersecurity to the professionals!

Do you have any questions?

Fill out the feedback form, and our experts will provide advice as soon as possible.
