Full range of services for PCI DSS certification
18/08/2025
Why protecting card and personal data is vital
In the digital age, when cyber attacks are becoming more sophisticated, protecting clients' personal and financial data is not only a legal requirement, but also the foundation of a company's reputation. The two main standards that provide protection are:
● GDPR — General Data Protection Regulation (EU)
● PCI DSS — Payment Card Industry Data Security Standard, the international payment card security standard
Together, they form a comprehensive approach to information security.
What is GDPR and how does it work?
GDPR (General Data Protection Regulation) is the legal basis for personal data protection. It regulates the processing of:
● personal information (name, telephone number, address);
● digital identifiers (IP address, cookies, geolocation);
● bank details (card number, CVV), if they allow a person to be identified.
Key GDPR requirements for businesses
● A legal basis for data processing (consent, contract, etc.).
● Exercise of data subject rights (access, rectification, erasure).
● Incident reporting within 72 hours.
● Appointment of a DPO if the company systematically processes data on a large scale.
What is PCI DSS and why is it important?
PCI DSS addresses the technical security of payment information.
PCI DSS does not regulate the rights of individuals or consent matters — it focuses solely on the protection of payment information:
● card number (primary account number, PAN);
● CVV/CVC;
● magnetic stripe or chip data.
Main requirements of PCI DSS
● Encryption, masking and protection of the PAN (requirements 3.4, 4.1).
● Access control (requirements 7, 8).
● Event logging (requirements 10.2–10.3).
● Vulnerability scanning and penetration testing (requirements 11.2–11.3).
● Incident response (requirement 12.10).
PCI DSS ≠ GDPR, but they work together
Although GDPR and PCI DSS have different focuses, they do not contradict each other; rather, they complement each other:
● GDPR regulates individual rights and the legal basis for processing.
● PCI DSS ensures the technical security of the data.
Comparison table: GDPR vs PCI DSS
| Criterion | GDPR | PCI DSS |
| --- | --- | --- |
| Protected item | Personal data | Card payment data |
| Main objective | Human rights, transparency of processing | Protecting payment information from fraud |
| Geography | EU, as well as anywhere else, if data is processed by EU citizens | All organisations working with payment cards |
| Mandatory nature | Statutory requirement | All organisations working with payment cards |
| Focus | Legal and ethical | All organisations working with payment cards |
| Exercising data subjects’ rights | Yes (access, erasure, objection, etc.) | All organisations working with payment cards |
| Incident reporting | Within 72 hours | Without delay, determined by response policy |
Fill out the feedback form, and our experts will provide advice as soon as possible.