The General Data Protection Regulation (GDPR) deadline of 25 May 2018 is fast approaching. Like many others, you’re probably feeling anxious about your organization’s GDPR compliance. GDPR brings about a far trickier regulatory environment, and the fines for non-compliance are hefty to say the least.
However, if your organization controls and stores cardholder data, then in my opinion you can breathe a small sigh of relief. The reason is that your organization is already required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which has a lot in common with the GDPR.
It’s as simple as this: GDPR is to personal data what PCI DSS is to cardholder data. In other words, strict data protection mandates already exist for cardholder data because of PCI DSS. Now, GDPR ensures that personal data is subject to similarly strong data protection rights. So, if you already have data protection measures in place to ensure PCI DSS compliance, then you’re in a strong starting position to prepare for GDPR.
In this article we’ll look at the 7 ways in which PCI DSS and the GDPR cross over. You’ll see that PCI DSS compliance is an advantage for your organization’s GDPR compliance.
1. PCI DSS REQUIREMENTS PROVIDE A ROADMAP FOR GDPR COMPLIANCE
For the last few years, the term GDPR has sent shivers down our backs. The reason for this, I believe, comes down to the vagueness of the regulation. GDPR provides guidance on what needs protecting but doesn’t give a clear action plan for companies to follow. PCI DSS, on the other hand, is an easier pill to swallow. It clearly details what needs to be achieved and provides a methodology for securing cardholder data.
The lack of clarity about GDPR has left organizations wondering. But a leaf can be taken from the PCI DSS book to give us a road map of controls and processes that can be implemented to protect personal data. Certainly the 12 requirements of PCI DSS could be adequately applied to meet the sixth principle of GDPR, which relates to the integrity and confidentiality of data. This principle requires data controllers and processors to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it’s up to date and that the controls protecting it are working effectively.
You can apply PCI DSS requirements to personal data as well as cardholder data as a starting point for GDPR compliance. As such, you can use the 12 PCI DSS requirements as an initial benchmark for GDPR:
- Install a firewall that protects all data, and maintain it.
- Don’t use standard settings for system passwords and other security parameters.
- Protect your card and personal data.
- Encrypt card or personal data that is sent over open, public networks.
- Use antivirus software and update it regularly.
- Continuously develop and maintain security for your systems as well as applications.
- Restrict access to cardholder and personal data according to business need, so that as few people as possible can access the data.
- Ensure each user of your computer network is assigned a unique ID.
- Ensure that as few people as possible have physical access to card and personal data.
- Ensure that access to your network and card data is monitored.
- Regularly test your security systems and processes.
- Maintain a strict security policy.
2. A PCI DSS BREACH IS A GDPR BREACH
If you imagine your data security compliance as a Russian doll, then PCI DSS sits inside GDPR. In other words, a PCI DSS breach will also be a GDPR breach.
Under the GDPR, personal data means any information relating to an identified or identifiable natural person - the ‘data subject’. Data that counts as an identifier would include, for example, a name, ID number, location data, or data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
Under PCI DSS cardholder data is, at a minimum, the full primary account number (PAN). It may also appear in the form of the full PAN plus one of the following: cardholder name, expiration date and/or service code.
Where cardholder data includes any information that could be used to identify the individual, it constitutes personal data as defined by the GDPR. Thus, if that data is compromised in a data breach, your organization is likely to be liable under both PCI DSS and the GDPR.
This is a situation you want to avoid at all costs, since it leaves your organization open to GDPR penalties in addition to PCI DSS fines.
3. SCOPING THE DATA ENVIRONMENT
One of the key steps needed for compliance with PCI DSS is to identify where cardholder data resides. This requires a gap analysis, whereby PCI consultants review in-scope systems and networks to identify unencrypted cardholder data storage.
Since cardholder data and personal data are stored in a relatively similar fashion, the results of a PCI audit could be very useful for organizations looking to map their GDPR data environment. The skills of a PCI assessor and a GDPR assessor would be much the same.
4. PROTECTING STORED DATA
PCI DSS sets out technical guidelines for protecting stored cardholder data via encryption. The PAN must be made unreadable wherever it is stored by masking digits.
Likewise, some elements of personal data must be rendered unidentifiable under the GDPR, either by encryption methods or pseudonymization.
Given that you’re already required to encrypt data under PCI, extending this practice to cover personal data as well is a fairly straightforward step towards GDPR compliance.
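As an added example (not code from the original article), the following Python sketches the two controls sections 3 and 4 describe: a Luhn-based scan that locates unencrypted PANs in stored text, and truncation plus keyed pseudonymization so the stored value is unreadable. The log lines are constructed, and the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: two lines of an application log that leaked card numbers.
SAMPLE_LOG = (
    "2018-05-01 10:02:11 order=1234567890123456 card=4111 1111 1111 1111 status=ok\n"
    "2018-05-01 10:05:43 card=5555555555554444 customer=Jane Doe\n"
)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Scoping step: return the Luhn-valid PANs (digits only) found in free text."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def mask_pan(pan: str) -> str:
    """Truncated form: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): a stable token for matching records that is not
    reversible without the key. The key here is a placeholder; keep it in a key store."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def scrub_text(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other numbers are left alone."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(repl, text)
```

The order reference on the first line is a 16-digit run that fails the Luhn check, so the scan reports only the two card numbers and the scrub leaves the reference untouched.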
5. LOGGING AND AUDITING SYSTEMS
Both PCI DSS and GDPR require organizations to keep logs of their data processing operations. These must be regularly monitored to ensure that data is being appropriately controlled.
If your organization already complies with the PCI DSS logging requirement, you can take advantage of your experience with logging solutions to prepare for the GDPR requirement. This will reduce the pressure on those responsible for managing the systems that must be logged.
6. INFORMATION SECURITY POLICY
All organizations that control and store data need to have an information security policy. Furthermore, they should conduct regular risk assessments to identify and mitigate data risks.
The GDPR and PCI DSS share common ground for conducting these data protection impact assessments. Article 35 of the GDPR states that organizations must assess the impact of any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular the adoption of new technologies. PCI DSS (11.2) deals with the same issue, but provides more specific guidance on how to perform the task.
7. INFORMATION SECURITY AND DATA PROTECTION AWARENESS
Educating your staff on information security awareness is crucial these days, and not merely for compliance reasons. The aim is to protect your company, employees and customers.
Security awareness for all employees who handle cardholder data is a cornerstone of the PCI Council’s standard. Similarly, the GDPR (Article 30) specifically outlines that staff GDPR awareness raising and training is required.
It is also a quick win on the GDPR compliance checklist! Your organization should already have an information security awareness training programme in place in order to educate employees on PCI DSS. So, you don’t have to start from scratch. Employees will already have some of the building blocks of security awareness training. Now, it’s simply a case of integrating GDPR awareness and training into your programme.
So there you have it. If you’re already ticking the boxes of PCI DSS compliance, then you’re starting off on the right foot for GDPR compliance. Both require organizations to have strict data control processes in place to protect sensitive data, be it cardholder data or personal data (which includes cardholder data). So think of it as augmenting and strengthening your information security systems rather than having to reinvent them.
I hope this article has been useful to you. If you have any questions or comments please feel free to leave them in the message box below and I’ll be sure to reply to you. In the meantime, why not download our GDPR 5 Next Steps Guide.