Back to the Basics: The GDPR and PCI DSS
It has been almost two years since the General Data Protection Regulation (GDPR) came into effect. For the most part, businesses have taken great strides in achieving and maintaining compliance with the GDPR. However, there are several instances where businesses have been found non-compliant. These instances are almost always exposed when businesses have suffered a data breach.
Enough time has passed to be able to see the fallout of data breaches since the GDPR came into effect. As recent as July the ICO has issued an intention to fine Marriott International Inc over £99 million for a data breach involving over 383 million records. Although this has been put on hold along with other fines due to the current corona virus pandemic, these cases show that the GDPR has teeth.
So, it comes as little surprise that we are still asked the question, ‘How can being PCI compliant help with GDPR compliance ?’ In order to answer this, we need to go ‘back to basics’.
Having come into effect in 2018, the General Data Protection Regulation has three main objectives:
- To give control to individuals over their personal data
- To ensure Personal Identifiable Information (PII) is protected
- To simplify the regulatory environment for international businesses and organisations by unifying the regulation within the EU.
By comparison, the Payment Card Industry Data Security Standard (PCI DSS) is a global standard established in 2004 by the major credit card brands (Visa, Mastercard, American Express, JCB and Discover Financial Services.) It is managed by the Payment Card Industry Security Standards Council (PCI SSC) and is concerned with the protection of payment card data only, as can be seen in the diagram below:
The GDPR has more scope than the PCI DSS as it involves numerous types of PII. Having said that, the two do cross paths. Cardholder data is considered PII and therefore in scope of the GDPR, which is why in the EU both the GDPR and PCI DSS are regulated by the same national organisations (i.e. the Information Commissioner’s Office in the UK.) A breach of PCI compliance is also a breach of the GDPR and therefore subject to the same scrutiny and potential fines.
Why is this significant? The latest Verizon report found that over 70% of data breaches are financially motivated. Businesses who are PCI compliant are therefore mitigating the risk of the severest penalties under the GDPR by securing the main target for cyber criminals. Moreover, our own research has shown that over 40% of UK consumers would stop spending with a brand should they suffer a data breach, and around the same number would only start spending with a brand again after a breach if they announce compliance with the PCI DSS or GDPR. With all this considered, it is vital that securing data is a necessity for businesses.
How can PCI Pal help?
One of the biggest advantages of the PCI DSS is that it is very descriptive in how to achieve compliance compared to the GDPR. Businesses can use this to their advantage by utilising several aspects of the PCI DSS to achieve cross compliance with the GDPR (our infographic goes into more detail on how this can be achieved). As Data Protection Laws tighten it is vital that businesses adopt processes and technologies which enable cross compliance.
Contact centres are a hotbed of PII. PCI Pal’s Solutions such as Agent Assist, Rapid Remote, IVR and Digital descope contact centres from the requirements of PCI DSS. No credit card data enters the contact centre environment which means that it cannot be taken by cyber criminals. Not only does this comply with the PCI DSS, it also provides a solid foundation for compliance with other data protection regulations. For any business it is important that in order to comply with the GDPR, they should start with PCI compliance.