Data security and privacy are today a prime focus for most organizations globally. While there have been several regulations and standards introduced to improve data security, the evolving landscape makes it challenging for organizations to stay compliant. For many organizations, GDPR and PCI DSS are the first topics that come to mind when privacy is concerned.
While GDPR is an international data privacy law for securing personal data, PCI DSS is a data security standard that is designed to secure personal cardholder data. Although both focus primarily on securing data, their scope and applicability greatly differ. However, there are enough overlaps in the requirements of both GDPR and PCI DSS that make the compliance process a lot easier.
In fact, if an organization is already meeting PCI DSS requirements, it can leverage many of those features to achieve GDPR compliance.
Similarities between PCI DSS & GDPR Requirements
PCI DSS and GDPR are designed to enhance the security measures for protecting data that is classified as sensitive and/or personal. While PCI DSS is focused on securing sensitive cardholder data, GDPR is focused more on protecting the privacy of personal data. The ultimate goal of both the PCI DSS standard and GDPR is to secure and ensure the privacy and confidentiality of data. So, since the fundamental security principles and goals are similar, the requirements for security under certain areas in both PCI DSS and GDPR are also similar.
Data Security Requirements
Both GDPR and PCI DSS require strong and effective security measures to be implemented for maximum data protection. In both cases, organizations are required to adopt techniques like encryption or tokenization to protect the data throughout its lifecycle. Such techniques are highly effective for securing sensitive data and preventing unauthorized access or tampering with information. Both the PCI DSS standard and GDPR call for reasonable data security, specifically, recommending technologies like encryption and tokenization to meet security demands. Such security techniques can be adopted for both standards to ensure maximum data protection.
Data Impact & Risk Assessment Requirements
Data risk and impact assessment are crucial for both PCI DSS and GDPR. Understanding where the information is stored is central for protecting data. So, it is essential that organizations regularly perform risk assessments and data impact assessments, exercises which are both requisites under PCI DSS and GDPR. With regular audits and risk assessments, organizations can gauge the effectiveness of data protection and improve their measures based on the requirements. While PCI DSS clearly outlines guidelines for implementing procedures and frequencies of assessments, this can be leveraged for meeting Data Protection Impact Assessments (DPIA), which is a mandate under GDPR. This way, the process of achieving compliance can be a lot easier.
Access Control Requirements
Data access controls are an integral part of data security. Implementing access control measures ensures compliance with both PCI DSS and GDPR. Access control measures prevent unauthorized access to sensitive data. Doing so reduces data theft, data breach, or any other fraudulent activities. Limiting the data access to only authorized individuals will ensure confidentiality of the data and, in turn, ensure compliance. So, organizations that have achieved PCI DSS compliance will find it easy to use this in their GDPR compliance journey.
Security Policies & Procedures Requirements
The security policies and procedures for data security under PCI DSS can also, to an extent, apply to GDPR. Data security policy and procedure requirements such as maintaining the documentation of all data processing activities, access control policies, security policies, and data assessment policies for PCI DSS can be used to meet the GDPR data security requirements.
Maintaining Logs
Maintaining an access log is another requirement outlined in both PCI DSS and GDPR. Both the standard and the law require organizations to maintain an access log to monitor the data processing activity and track individuals having access to data. Keeping a close tab on data processing and access activities helps minimize the risk of potential breaches. Since PCI DSS requires organizations to maintain logs and review them regularly, they automatically end up complying with GDPR's requirements for maintaining logs of data access to personal information.
Data Management Requirement
GDPR and PCI DSS share a few similarities in their data security and management requirements. PCI DSS requires organizations to maintain a record of where the cardholder data resides and the need for the data to be encrypted. Further, the standard requires that logs are reviewed regularly to ensure adequate monitoring of personal data. GDPR similarly requires the maintenance of logs with records relating to the processing and access of personal data for monitoring purposes. Having these practices already in place for PCI DSS compliance will help organizations in their efforts towards GDPR compliance.
Data Breach Fines
The data breach notification requirements of GDPR and PCI DSS vary dramatically, yet in certain aspects, the requirements overlap. This includes the obligation to notify supervisory authorities under GDPR and payment processors under PCI DSS. Further, having an incident management and response process in place in case of a data breach is equally important for both standards. There are also financial penalties and fines involved in case of a data breach for PCI DSS and GDPR. In that sense, having security measures to prevent data breach incidents under PCI DSS will automatically meet most requirements for GDPR.
Conclusion
Although there may be a huge difference between PCI DSS and GDPR, there are certain overlaps in the security requirements. Primarily, the underlying objectives of PCI DSS and GDPR are the same – that is, protecting the sensitive data of consumers. Implementing security measures to meet PCI DSS also helps towards GDPR compliance. The compliance efforts for GDPR can be seen as an extension to PCI DSS, with PCI DSS serving as a foundation for implementing best security practices.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the United States, Singapore & India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. Since 1994, VISTA InfoSec has worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
