Sales director Tony Smith featured in Fintech weekly – click here to read the full article.


Is PCI compliance important when considering the GDPR?

PCI DSS is concerned with cardholder data, which is considered personal data in regard to the GDPR. This means that the use, processing and storage of card data will fall under the GDPR and, consequently in the case of a breach, will also mean that the sanctions and weight of fines will also fall under it.


Will PCI compliance mean GDPR compliance?

Meeting the requirements of the GDPR is similar to completing a jigsaw puzzle; there’s a number of pieces which need to fit together to be compliant. Cardholder data is just one part of what is considered personal data, so as a stand- alone being PCI compliant will not ensure you’re compliant across the board, but it will give you a head start. Another benefit is that PCI DSS is much more descriptive on how to achieve compliance.


What could we expect to happen following a data breach after May 25th?

The process of investigation will be the same. Both the GDPR and PCI DSS are regulated by the Information Commissioner’s Office (ICO) in the UK and if there’s a data breach, whether of personal information or specific cardholder data, it’s likely to be investigated by the ICO. The ICO will assess the severity of the breach, how and why it happened and, determine from there the penalties imposed. What will differ is the severity of the penalty levied. This isn’t the only aspect to consider however. As we have seen most recently with the Cambridge Analytica breach, the negative publicity has been severe enough to shut the company down.

Being PCI compliant will not automatically mean you’re GDPR compliant, but it will ensure that a significant part of the regulation is met.


To discuss how PCI Pal can assist you, get in touch with one of our experts.