After much anticipation, the European Union’s General Data Protection Regulation (EU GDPR) has finally taken effect. Although businesses have had ample time to prepare, as many as 90 percent may still not be ready. This is especially true of companies based in the U.S. – some of which have incorrectly assumed that the EU legislation does not apply to them.
In reality, the GDPR applies to any organization that collects, processes or stores data on any EU citizen. That means that if a U.S. company has even one customer that is a citizen of the EU, or otherwise handles the data of any EU residents, it must comply with the GDPR. And, failure to comply is costly. Businesses can face fines of up to 4 percent of their annual global revenue, or €20 million (whichever is greater), and face class action lawsuits from EU citizens.
However, there is some good news. U.S. companies that are already compliant with the Payment Card Industry Data Security Standard (PCI DSS) – which includes any business that handles payment card data – will likely have some measures in place that will help steer them down the right path to GDPR compliance. With its numerous sub-requirements and potentially hundreds of controls, PCI DSS is one of the most complex industry-wide standards and is still probably the closest thing the U.S. has to a national data protection regulation.
But while the PCI DSS and the GDPR overlap in some respects, they differ in others – just because a company is PCI DSS compliant, it does not necessarily mean that it is compliant with the GDPR. To help organizations understand the differences and similarities between GDPR and PCI DSS, and what they can do to help ease cross-compliance, let’s explore this complex topic in more detail.
Law vs. Standard
When discussing the GDPR and PCI DSS, it’s important to first distinguish one of their main differences: the GDPR is the law of the land throughout the EU and beyond. In contrast, PCI DSS is not actually a law. It is an industry standard aimed at securing payment transactions and protecting card holders against the misuse of their personal information. It is not a federal requirement and does not carry the weight of law.
However, as a practical matter, any organization that processes, stores or transmits payment card data, including merchants and service providers, must aim to comply with PCI DSS. While the PCI Security Standards Council (PCI SSC) does not have legal authority to impose fines on businesses that are not compliant with the industry standards, the payment card brands can impose costly penalties on a merchant’s acquiring bank if that merchant suffers a data breach and was found to be noncompliant. The bank then typically passes those costs along to the merchant, which can range from $5,000 to $500,000 per month. For repeat offenses, the payment card brands can even revoke the rights of the merchant to process transactions using their cards.
Data in Scope
Another way the GDPR and PCI DSS differ is in the type of data involved. The PCI DSS deals strictly with payment card data and cardholder information, such as credit/debit card numbers, primary account numbers (PAN), and sensitive authentication data (SAD) such as CVVs and magnetic stripe data, from all the major card schemes.
The GDPR has a much wider scope and covers any personally identifiable information (PII). The type of data in scope for GDPR includes PII related to any EU resident, whether it is connected to his or her private, professional or public life. This can include a name, home address, photo, email address, bank details, medical information, posts on social networking websites, or a computer’s IP address. What’s important to understand here is that a breach that violates PCI DSS compliance also violates the GDPR. However, a breach that violates GDPR compliance does not necessarily violate the PCI DSS.
Reporting a Breach
The GDPR and PCI DSS vary dramatically in terms of reporting requirements (or lack thereof) when a data breach occurs. The GDPR requires that in the event of a breach, data controllers must notify the proper supervisory authorities no later than 72 hours after becoming aware of the incident. The PCI DSS, on the other hand, has no requirement for notifying the public of a data breach, or even notifying the PCI SSC.
However, organizations do have an obligation to notify their payment processor, who then shares that information with the card companies. But, this is a moot point as many organizations first learn they are breached because the card companies notified them, often due to a pattern of fraudulent transactions. Even so, the U.S. has no nationwide data breach notification regulation, relying instead on a patchwork system of different state-level requirements.
Handling PII
Despite some significant differences, the GDPR and PCI DSS do share some similarities. For example, they are comparable in some of their requirements for handling sensitive data. PCI DSS requires that businesses know where cardholder data resides, as well as requiring cardholder data be encrypted to a certain standard. PCI DSS requirement 10.6.1 also requires that logs be kept and reviewed daily to ensure personal data is being adequately controlled. The GDPR also requires logs be kept relating to the processing of personal data so that any access can be closely monitored. As a result, businesses will find that some of the practices they already have in place for PCI DSS compliance will help them in their efforts towards GDPR compliance as well.
How to Ease Cross-Compliance
Because both GDPR and PCI DSS compliance can be complicated and costly, businesses naturally want to seek ways to streamline their efforts. One way to do this is to treat all PII as toxic and keep as much sensitive data as possible out of the network.
For example, enterprises with contact centers that take payments over the phone can leverage descoping technologies like dual-tone multi-frequency (DTMF) masking solutions. Such solutions can capture payment card information as customers enter it into their telephone keypad. The keypad tones (DTMF tones) are masked with flat ones so they are indecipherable. This prevents the card information from being captured on call recording systems or heard by customer service representatives (CSRs) who could potentially write the numbers down and use them later for fraudulent purchases. The segregated data is then securely routed directly to the payment processor, bypassing the contact center’s IT systems entirely. Because they no longer handle, process or store the payment data, these areas of the business are no longer under the scope of compliance for PCI DSS. They have also reduced the amount and type of data on hand that is subject to GDPR compliance. Keeping as much PII as possible out of the organization’s IT infrastructure also makes a company a much less attractive target for hackers and fraudsters, thereby helping protect the organization’s brand reputation from high-profile data breaches.
Ultimately, companies will find that many of the processes and controls they already have in place for PCI DSS compliance will also help them on their path to GDPR compliance. However, with that said, it’s important to note that the GDPR goes much further than merely setting requirements for how companies must handle sensitive information or report data breaches. It makes privacy and consent cornerstones in the relationship between a business and its customers by, among other things, requiring informed consent from an individual before an organization can handle their personal data. So, while companies will need to appoint a Data Protection Officer (DPO), assess what data they hold and review the consents they have for that data in order to be GDPR compliant, there should be no need to completely reinvent your approach to data security if you are already PCI DSS compliant.
We will likely see more countries and regions around the globe follow in the EU’s footsteps and pass data privacy regulations similar to the GDPR, so it is beneficial for organizations to adopt the practices necessary for compliance now, even if the GDPR does not currently apply to them. Doing so will lay the foundation for an easier and less costly compliance experience down the road and will help organizations have stronger data security, no matter which new laws and standards arise in the future.