With less than 12 months until the General Data Protection Regulation (GDPR) is enforced, organisations across Europe must consider how the far-reaching changes introduced by the Regulation will affect how they handle and protect personal data. While some will be worried about how to comply with the new law, those that are already compliant with the Payment Card Industry Data Security Standard (PCI DSS) – or are moving towards compliance – have a head start and can use their existing PCI compliance efforts as a stepping stone towards GDPR compliance.
“People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.”
Jeremy King, International Director at the Payment Card Industry Security Standards Council (PCI SSC).
Both the PCI DSS and the GDPR aim to ensure organisations secure personal data. The PCI DSS focuses on payment card and cardholder data, while the GDPR focuses on European residents’ personal data. The important difference is that the GDPR is less prescriptive than the PCI DSS.
The GDPR provides guidance on what needs protecting but does not provide a detailed action plan. Conversely, the PCI DSS details clearly what needs to be achieved and provides a clear methodology for securing cardholder data.
The PCI DSS as a tool to achieve GDPR compliance
The PCI DSS establishes a set of controls for keeping cardholder data secure, supported by a regulatory framework. If deployed to the rest of the business – without extending the cardholder data environment – these same controls and processes could provide organisations with a head start in meeting the sixth principle of the GDPR (integrity and confidentiality). This principle requires data controllers and processors to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and that controls to protect it are working effectively.
A PCI breach is a GDPR breach
- Under the GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, clause 1).
- As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, cardholder data is, at a minimum, the full primary account number (PAN), but may also appear in the form of the full PAN plus one of the following: cardholder name, expiration date and/or service code.
Where cardholder data includes any information that could be used to identify the individual, then it is personal data as defined by the GDPR. If that data is compromised in a data breach, the breached organisation is likely to be liable under both the PCI DSS and the GDPR.
Under the GDPR, all personal data breaches must be reported to the supervisory authority – in the UK, the Information Commissioner’s Office (ICO) – within 72 hours. Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover, whichever is higher. Breaches of, or failure to uphold, the sixth data protection principle (maintaining the confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover (whichever is higher). The ICO is also likely to treat inadequate implementation, or non-implementation, of the PCI DSS as a failure to implement appropriate “technical and organisational measures” to protect personal data, so any cardholder data breach will attract GDPR monetary penalties in addition to the fines and penalties imposed by acquiring banks.
Scoping the data environment
Identifying where cardholder data resides is one of the key steps needed for compliance with the PCI DSS. As part of a gap analysis, PCI consultants review in-scope systems and networks to identify unencrypted cardholder data storage. Because of the relative similarity in how cardholder and personal data are stored, an assessor’s audit and discovery skills could be highly valuable for an organisation wishing to map its GDPR data environment. A review by a skilled assessor may help determine whether the organisation should spend more resources reviewing its systems for personal or cardholder data.
Protecting stored data
Requirement 3 of the PCI DSS sets out technical guidelines for protecting stored cardholder data and the requirements for encryption. At a minimum, the Standard requires the PAN to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs. This is essentially a process of masking what could otherwise be an identifiable and useful information asset. The GDPR, likewise, requires the organisation to render some elements of personal data unidentifiable, such as through encryption or pseudonymisation. Extending your PCI encryption processes to cover personal data, then, is a relatively straightforward step towards GDPR compliance.
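As an added example (not code from the article), the Python below shows one way to apply Requirement 3’s rule that the PAN be rendered unreadable wherever it is stored, including logs, and then reuses the same keyed one-way hashing to pseudonymise a non-card identifier such as an email address. The first-six/last-four truncation format, the PAN regular expression, the Luhn filter and the demo key are assumptions of this example, not details taken from the article.

```python
import hashlib
import hmac
import re

# Assumed for the example: a secret held outside the data store, so a pseudonym cannot
# be reversed by simply hashing every candidate value (the 16-digit PAN space is small).
PSEUDONYM_KEY = b"constructed-demo-key-replace-in-production"

# 13 to 19 digits, optionally separated by spaces or hyphens; starts and ends on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the leading six (BIN) and trailing four digits; the rest become X."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def pseudonymise(value: str) -> str:
    """Keyed one-way hash: stable enough to join records on, not reversible without the key."""
    normalised = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]


def scrub_log_line(line: str) -> str:
    """Render any Luhn-valid PAN in a log line unreadable before the line is written or kept."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(_replace, line)


if __name__ == "__main__":
    # Constructed sample log line; 4111111111111111 is a well-known test PAN.
    print(scrub_log_line("user=alice pan=4111 1111 1111 1111 amount=10"))
    print(pseudonymise("Alice@Example.com"))
```

The same `scrub_log_line` hook can sit in front of a log shipper so that application logs never carry a full PAN, which is the control the Standard asks for and the GDPR’s pseudonymisation language also rewards.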
Logging and auditing systems
To improve security further, Article 25 of the GDPR states that logs (i.e. the records of the people and activities associated with an information network) must be kept for processing operations so that any access can be monitored and reviewed in the event that unauthorised access or action takes place.
This falls in line with PCI DSS requirement 10.6.1, which mandates a daily review of security events and logs to ensure cardholder data is appropriately controlled. Organisations that already comply with the PCI DSS will, therefore, be able to take advantage of their experience with logging solutions, reducing the pressure on those responsible for managing systems that must be logged.
Maintaining an information security policy
The purpose of performing risk assessments is to make informed decisions about managing the risks that an enterprise faces. The GDPR and the PCI DSS share common ground for conducting data protection impact assessments. Article 35 of the GDPR states that an organisation shall assess the impact of any type of processing (and especially the adoption of new technologies) that is likely to result in a high risk to the rights and freedoms of individuals. Requirement 12.2 of the PCI DSS essentially deals with the same issue, with specific guidance on how to perform the task.
If your organisation is PCI DSS compliant, then you should already be conducting annual reviews of cardholder data. This schedule of reviews gives you a framework that can also be used when implementing measures to comply with the GDPR. In addition, if you’re PCI DSS compliant, your organisation will already have invested in secure technologies. By adopting a set of controls for keeping cardholder data secure, you may find that you already have many of the technologies, processes and procedures necessary to protect personal data.