How PCI DSS Compliance Can Crossover to Help Businesses Adhere to GDPR

Where PCI DSS and GDPR Overlap

by Jonathan Deveaux
November 25, 2019
in Data Privacy, Featured

Is your organization still working toward GDPR compliance? You may be closer than you know. comforte AG’s Jonathan Deveaux outlines the key similarities between the requirements of the PCI DSS and the GDPR.

It is now apparent that data has become one of the most valuable commodities to businesses today (if not the most valuable commodity). This has coincided with the digital transformation boom, where organizations are encouraging consumers to interact and share information through online services.

With greater amounts of data being consumed, stored and transmitted, it has become difficult for legislators to consistently mandate what should be expected when it comes to securing critical information. Furthermore, consumers seem to be more engaged when it comes to enterprises securing their data. To bridge the gap and protect citizens, the Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR) were created.

Defining Critical Data for PCI DSS and GDPR

The EU then created the General Data Protection Regulation (GDPR), which superseded the Data Protection Directive (DPD) of 1995 and demands the protection of personal information for all European citizens. GDPR applies to every enterprise or business that uses, stores or transfers the information of European citizens, regardless of where they are based. Failure to comply with GDPR will result in severe penalties that can reach as high as 4 percent of global annual revenue or more than $25 million at the current exchange rate, whichever is higher. This has instilled fear in the C-suite, as fines of this magnitude could lead to bankruptcy or closure for many businesses.

According to research, more than half (54 percent) of businesses globally did not meet the May 25, 2018 GDPR compliance deadline, stating GDPR implementation took longer than they had anticipated. With the cybersecurity landscape in a volatile state, organizations cannot risk having inadequate data protection in place.

To help meet the high standards required for GDPR, data controllers and security personnel can look to the PCI DSS as a useful point of reference to help meet many requirements of the European market. The two may be different, but there are many areas where PCI DSS and GDPR overlap. The technology and processes used for PCI compliance are further applicable for businesses targeting GDPR compliance.

Securing the Data

No shortcuts can be taken when it comes to securing financial data or personally identifiable information (PII). Companies must deploy a form of cryptography to protect the data throughout its lifecycle. Tokenization is a highly effective and versatile form of cryptography that replaces sensitive data with non-sensitive substitutes without altering the underlying information. This is beneficial, as it doesn't affect the system's ability to read the data while it is tokenized, and the token has no value to external actors. While all sensitive information is hidden, other information that is not critical will still be visible to enable business analytics and other functions. As a result, tokenized data can be processed more efficiently while requiring significantly fewer computational resources to process.

The PCI DSS states primary account numbers (PANs) must be unreadable anywhere they are stored, specifically recommending technologies like tokenization to meet security demands. This is similar to GDPR, where encryption is a method mentioned for reasonable data security. Tokenization technology can be applied for both regulations, meaning that businesses processing personal information can do so knowing the data cannot be traced back to a specific individual.

Data Mapping, Data Risk and Impact Assessment

If an attack were to occur, having an understanding of where information is stored is crucial when protecting data. It is necessary to carry out regular risk assessments, access logging and data disposal – all of which are compulsory under PCI DSS and GDPR. With regular analysis, organizations can gauge how well personal data is being protected and adjust accordingly in the event of major changes such as mergers or acquisitions.

The risk assessment framework defined by PCI DSS is clearer and offers specific guidelines for both the procedure and frequency of internal reviews. This mandate can then be leveraged to help when undertaking GDPR data protection impact assessments (DPIA), which should be conducted on a regular basis.

Processing and Limiting the Access to the Data

To prevent companies from harvesting data unnecessarily, PCI provides guidelines for reducing the amount of data being processed, thereby reducing the risk, cost and time of housing excess data. In addition to this, parameters can be set to have retention times based on legal, regulatory or business requirements. GDPR is similar in many respects, mandating that the data controller "implements data protection principles such as data-minimization" and "only personal data … necessary for each specific purpose of the processing [may be] processed." Therefore, to limit the data collected and meet this aspect of GDPR compliance, the methods used by PCI can be applied to achieve compliance with GDPR Article 25.

It is strongly advised to limit the level of access to critical information. This is because each account with privileged access provides another possible attack vector. Therefore, it is advisable to grant access only to those who absolutely need it. In the event of a successful breach, and if an investigation were conducted, limiting access helps to narrow down the list of potential sources that could have contributed to the breach. The PCI DSS details how to restrict access so that employees only have access if it is essential to conducting daily business. As GDPR dictates user access restrictions, it is best to allow the least amount of privilege required to fulfill a given role. The guidelines provided by PCI can double as a list of best practices to follow.
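The three controls discussed in the preceding paragraphs, purpose-based data minimization, retention limits, and least-privilege access with an audit trail that narrows an investigation, fit together naturally in code. Below is an added example written for this article, not code from the author or from comforte AG. The purpose registry, the role permissions, the retention periods and the sample record are all constructed assumptions for illustration; real values come from an organization's own legal and business analysis.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical purpose registry: the fields each processing purpose actually
# needs and how long the resulting record may be kept. Constructed values.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "shipping_address", "email"},
                         "retention_days": 180},
    "newsletter":       {"fields": {"email"}, "retention_days": 365},
}

# Hypothetical role-to-field permissions: least privilege at field granularity.
ROLE_FIELDS = {
    "support_agent": {"name", "email"},
    "warehouse":     {"name", "shipping_address"},
    "analyst":       set(),   # analytics works on aggregates, never raw PII
}

# Every access to personal data is recorded so a breach investigation can
# narrow down who touched which record (constructed in-memory log).
AUDIT_LOG = []


def minimize(submitted: dict, purpose: str, collected_at: datetime) -> dict:
    """Keep only the fields the declared purpose needs and stamp an expiry.

    Fields outside the purpose (e.g. phone, date of birth) are dropped
    before storage, so they can never leak from this record.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"unknown processing purpose: {purpose}")
    spec = PURPOSES[purpose]
    kept = {k: v for k, v in submitted.items() if k in spec["fields"]}
    return {
        "purpose": purpose,
        "collected_at": collected_at,
        "expires_at": collected_at + timedelta(days=spec["retention_days"]),
        "data": kept,
    }


def expired(records: list, now: datetime) -> list:
    """Records whose retention period has elapsed and must be disposed of."""
    return [r for r in records if r["expires_at"] <= now]


def purge(records: list, now: datetime) -> list:
    """Return only the records still inside their retention period."""
    return [r for r in records if r["expires_at"] > now]


def view(record: dict, role: str, actor: str) -> dict:
    """Return the record as the role is allowed to see it, redacting the rest,
    and append an audit entry naming the actor and the fields exposed."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    allowed = ROLE_FIELDS[role]
    shown = {k: (v if k in allowed else "[redacted]") for k, v in record["data"].items()}
    AUDIT_LOG.append({
        "actor": actor,
        "role": role,
        "purpose": record["purpose"],
        "fields_exposed": sorted(k for k in shown if k in allowed),
    })
    return shown


if __name__ == "__main__":
    # Constructed sample submission containing more than the purpose needs.
    submitted = {"name": "Ann Example", "email": "ann@example.test",
                 "shipping_address": "1 Test St", "phone": "555-0100",
                 "date_of_birth": "1980-01-01"}
    t0 = datetime(2019, 11, 25, tzinfo=timezone.utc)
    order = minimize(submitted, "order_fulfilment", t0)
    print(order["data"])                       # phone and DOB are gone
    print(view(order, "warehouse", "w.smith"))  # email redacted
    print(purge([order], t0 + timedelta(days=200)))  # [] after 180 days
    print(AUDIT_LOG)
```

Running the purge on a schedule enforces the retention parameters the PCI guidance calls for, while the field-level view makes the least-privilege rule concrete: a warehouse role never receives an email address, and an analyst role receives no raw PII at all. The audit log is what lets an investigator work backwards from a leaked field to the small set of actors who could have seen it.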

What Happens in the Event of a Breach?

With cyberattacks occurring daily, organizations are now operating under the assumption that it is a matter of when – not if – they will be breached. If a breach does occur, it is up to the enterprise to demonstrate that its security was up to par and that it responded accordingly in the immediate aftermath. Failing to do so can result in considerable penalties. An incident response plan that is regularly updated is a must for PCI DSS compliance. This will involve contacting the affected payment card brands, banks and other third parties and appropriate authorities.

It's imperative that U.S. companies notify their appropriate data protection authority of a breach within 72 hours. Organizations can incorporate elements from the PCI DSS incident response plan into their GDPR reporting strategy to enable the company to act in a timely manner.

Compliance is a Critical Component

In the age of data protection, compliance is now a critical component for all businesses. With the external threat to data constantly mounting, both PCI DSS and GDPR provide a clear roadmap for how businesses can effectively protect their sensitive information. As both regulations overlap, if organizations are already PCI DSS compliant, they are already ahead on their mission to obtain GDPR compliance. Data security should never be seen as a burden. Instead, it should be something to strive toward. A step in the right direction involves adopting a data-centric security model that leverages tokenization, protecting data at rest, in motion and in use – even if a properly configured system is compromised.


Jonathan Deveaux

Jonathan Deveaux is Head of Enterprise Data Protection at comforte AG. He has served the information technology community for more than 25 years. Jonathan started in banking and payments processing, gained experience in systems management supporting business critical strategies and now focuses his attention on data protection, data privacy and compliance.