The objective of both the PCI DSS and the GDPR is to ensure that the personal data an organization holds is kept secure. The main focus of the PCI DSS is payment card and cardholder data, whereas the GDPR focuses on the personal data of European residents. The main difference is that the GDPR is less prescriptive than the PCI DSS.
The GDPR provides guidance on what needs to be protected but does not define a detailed action plan, whereas the PCI DSS clearly defines the objective to be achieved and gives clear direction for securing payment card and cardholder data.
The PCI DSS as a standard for achieving the objectives of the GDPR
The PCI DSS has established a set of requirements for keeping cardholder data secure, supported by a regulatory framework. If deployed to the rest of the business – without extending the cardholder data environment – these same controls and processes could provide the organization with a head start in meeting the principles of the GDPR (integrity and confidentiality). This principle requires data controllers and processors to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and that controls to protect it are working effectively.
The concept of a data breach is common to both the PCI DSS and the GDPR.
Under the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, clause 1).
As defined in the PCI DSS, cardholder data is, at a minimum, the full primary account number (PAN), but may also appear in the form of the full PAN plus one of the following: cardholder name, expiration date and/or service code.
Where cardholder data includes any information that could be used to identify the individual, then it is personal data as defined by the GDPR. If that data is compromised in a data breach, the breached organization is likely to be liable under both the PCI DSS and the GDPR.
There are two levels of fines under the GDPR, and all personal data breaches must be reported to the data protection supervisory authority (DPA) within 72 hours. Failure to report a data breach can attract a fine of up to 10 million euros or 2% of annual global turnover, whichever is higher. Breaches, or failure to uphold the data protection principle of maintaining the confidentiality and integrity of personal data, can attract a fine of up to 20 million euros or 4% of annual global turnover (whichever is higher). Inadequate implementation or non-implementation of the PCI DSS is also likely to be treated as a failure to implement appropriate “technical and organizational controls” to protect personal data, so any cardholder data breach will attract GDPR monetary penalties in addition to fines and penalties from acquiring banks.
The scope of the data environment
Identifying where cardholder data is stored, which defines the scope of a PCI DSS assessment, is one of the key steps needed for compliance. As part of the risk assessment, PCI DSS consultants review in-scope systems and networks to identify unencrypted cardholder data storage. Because of the relative similarity in how cardholder data and personal data are stored, an assessor’s audit and discovery skills could be highly valuable to an organization wishing to map its GDPR data environment. A review by a qualified security assessor (QSA) will help to determine whether the organization should spend more resources reviewing its systems for personal or cardholder data.
Maintaining an information security policy
The purpose of performing risk assessments is to make informed decisions about managing the risks that an enterprise faces. The GDPR and the PCI DSS share common ground in requiring data protection impact assessments. Article 35 of the GDPR (Data Protection Impact Assessment, DPIA) states that an organization shall assess the impact of any type of processing, especially the adoption of new technologies, that is likely to result in a high risk to the rights and freedoms of individuals.
Requirement 12.2 of the PCI DSS essentially deals with the same issue, with specific guidance on how to perform the task.
Protecting stored data
Requirement 3 of the PCI DSS sets out technical guidelines for protecting stored cardholder data and the requirements for encryption. At a minimum, the Standard requires the PAN to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs. This is essentially a process of masking what could otherwise be an identifiable and useful information asset. The GDPR requires the organization to render some elements of personal data unidentifiable, such as through encryption or pseudonymization. Extending your PCI encryption processes to cover personal data is a relatively straightforward step towards GDPR compliance.
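The two steps above, discovering unencrypted cardholder data in in-scope systems and then rendering the PAN unreadable wherever it is stored (logs included), can be illustrated with an added example that is not part of the original article. It scans constructed sample log lines for Luhn-valid PAN candidates, masks them to the first six and last four digits, and shows a keyed HMAC as one pseudonymization option; the log format and the HMAC key are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample log lines using well-known test card numbers, not real accounts.
SAMPLE_LOGS = [
    "2024-01-05 10:00:01 order=1001 pan=4111111111111111 status=ok",
    "2024-01-05 10:00:02 order=1002 ref=4111111111111112 status=ok",
    "2024-01-05 10:00:03 order=1003 pan=5500 0000 0000 0004 status=declined",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9  # double every second digit, sum its digits
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return (raw_match, digits) for every Luhn-valid PAN candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append((m.group(0), digits))
    return found

def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits remain visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pseudonymize_pan(digits: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 so the same PAN maps to a stable token that cannot be reversed without the key."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def scrub_line(line: str) -> str:
    """Render any PAN in a log line unreadable (Requirement 3 treats logs as storage)."""
    for raw, digits in find_pans(line):
        line = line.replace(raw, mask_pan(digits))
    return line

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(scrub_line(entry))
```

The second sample line fails the Luhn check and is left untouched, which keeps discovery results free of false positives such as order or reference numbers.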
An organization that is PCI DSS compliant should already be conducting annual reviews of cardholder data. This schedule of reviews gives you a framework that can also be used when implementing measures to comply with the GDPR. In addition, an organization that is PCI DSS compliant will have invested in security technologies. By adopting a set of controls for keeping cardholder data secure, the organization may find that it already has many of the technologies, processes, and procedures necessary to protect personal data.
Authored By - Nehul Manohar Kudale
TCS Cyber Security Practice