Is your organization still working toward GDPR compliance? You may be closer than you know. comforte AG’s Jonathan Deveaux outlines the key similarities between the requirements of the PCI DSS and the GDPR.
It is now apparent that data has become one of the most valuable commodities to businesses today (if not the most valuable commodity). This has coincided with the digital transformation boom, where organizations are encouraging consumers to interact and share information through online services.
With greater amounts of data being collected, stored and transmitted, it has become difficult for legislators to consistently mandate what should be expected when it comes to securing critical information. At the same time, consumers have become more attentive to how enterprises secure their data. Two very different instruments have emerged to bridge that gap: the Payment Card Industry Data Security Standard (PCI DSS), an industry standard maintained by the PCI Security Standards Council on behalf of the card brands, and the General Data Protection Regulation (GDPR), an EU law.
Defining Critical Data for PCI DSS and GDPR
The EU's General Data Protection Regulation (GDPR) superseded the Data Protection Directive of 1995 (Directive 95/46/EC) and mandates the protection of the personal data of individuals in the EU. GDPR applies to every enterprise or business that collects, stores or transfers the personal data of people in the EU, regardless of where the business itself is located. Failure to comply with GDPR can result in severe penalties of up to 4 percent of global annual turnover or €20 million (more than $25 million at the exchange rate at the time of writing), whichever is higher. This has instilled fear in the C-suite, as fines of this magnitude could lead to bankruptcy or closure for many businesses.
According to research, more than half (54 percent) of businesses globally did not meet the May 25, 2018 GDPR compliance deadline, stating GDPR implementation took longer than they had anticipated. With the cybersecurity landscape in a volatile state, organizations cannot risk having inadequate data protection in place.
To help meet the high standards required by GDPR, data controllers and security personnel can look to the PCI DSS as a useful point of reference for many of the requirements of the European market. The two are different in scope and legal force, but there are many areas where PCI DSS and GDPR overlap, and the technology and processes used for PCI DSS compliance are also applicable to businesses targeting GDPR compliance.
Securing the Data
No shortcuts can be taken when it comes to securing cardholder data or personally identifiable information (PII). Companies must protect the data throughout its lifecycle with cryptography or a comparable data-protection technique. Tokenization is a versatile technique, closely related to encryption, that replaces a sensitive value with a non-sensitive substitute (a token) of the same format, with the real value retrievable only through a protected token vault or key. Because the token preserves the format of the original, downstream systems can continue to store and process the field unchanged, while the token itself has no value to an attacker who lacks access to the vault or key. Only the sensitive fields are replaced; other, non-critical fields remain in the clear, so business analytics and other functions keep working on the tokenized records. And because tokens are already in the shape the applications expect, tokenized data can be processed without the encrypt/decrypt round trips that field-level encryption would require at every hop.
The PCI DSS requires that primary account numbers (PANs) be rendered unreadable anywhere they are stored (Requirement 3.4), listing index tokens, truncation, one-way hashes and strong cryptography with proper key management as acceptable methods. This parallels GDPR, where Article 32 names pseudonymisation and encryption as examples of appropriate security measures. Tokenization can therefore serve both regimes: a business processing tokenized personal data does so knowing that, without access to the token vault or key, the data cannot be traced back to a specific individual.
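The following is an added example, not code from the original article or from comforte AG, showing the properties described above in working form: a vault-based, format-preserving tokenizer for PANs. The vault design, the choice to keep the last four digits, and the choice to generate tokens that fail the Luhn check (so a token can never be mistaken for, or used as, a real card number) are assumptions of this example; the sample transactions use well-known test card numbers, not real PANs.

```python
"""Vault-based, format-preserving tokenization of primary account numbers.

Added example (not from the original article or comforte AG). It shows that
a PAN is replaced by a token of the same length and character class, that the
same PAN always yields the same token (so joins and analytics still work),
that the last four digits are kept for receipt matching, and that the token
is worthless to anyone without access to the vault.
"""
from __future__ import annotations

import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check (real PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory token vault (assumed design for this example; a production
    vault would encrypt its contents, be strictly access-controlled and sit
    inside the PCI scope so that only the vault, not every application,
    ever handles real PANs).

    Tokens keep the PAN's length and last four digits, are otherwise random,
    and are generated to FAIL the Luhn check so a token is never confused
    with a real card number."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a syntactically valid PAN")
        if pan in self._pan_to_token:        # deterministic: same PAN, same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Luhn-invalid tokens are distinguishable from PANs; rejecting
            # already-issued tokens keeps the mapping one-to-one.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can recover the PAN."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def tokenize_records(vault: TokenVault, records: list[dict]) -> list[dict]:
    """Replace the 'pan' field of each record with its token; every other
    field (merchant, amount, ...) is left in the clear for analytics."""
    out = []
    for rec in records:
        safe = dict(rec)
        safe["pan"] = vault.tokenize(rec["pan"])
        out.append(safe)
    return out


# Constructed sample transactions using well-known TEST card numbers, not real PANs.
SAMPLE_ORDERS = [
    {"order": 1, "merchant": "shop-a", "amount": 19.99, "pan": "4111111111111111"},
    {"order": 2, "merchant": "shop-b", "amount": 5.00,  "pan": "5555555555554444"},
    {"order": 3, "merchant": "shop-a", "amount": 42.50, "pan": "4111111111111111"},
]


def spend_per_card(tokenized: list[dict]) -> dict[str, float]:
    """Analytics over tokenized data: totals per card without seeing a PAN."""
    totals: dict[str, float] = {}
    for rec in tokenized:
        totals[rec["pan"]] = round(totals.get(rec["pan"], 0.0) + rec["amount"], 2)
    return totals


if __name__ == "__main__":
    vault = TokenVault()
    safe_orders = tokenize_records(vault, SAMPLE_ORDERS)
    for rec in safe_orders:
        print(rec)
    print("per-card spend:", spend_per_card(safe_orders))
    # Only the vault holder can reverse a token:
    print("detokenized:", vault.detokenize(safe_orders[0]["pan"]))
```

Note the scoping consequence: the analytics function never touches a PAN, so a system that only ever receives the output of `tokenize_records` holds no cardholder data at all, which is precisely how tokenization shrinks both the PCI DSS assessment scope and the blast radius of a breach of that system.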
Data Mapping, Data Risk and Impact Assessment
If an attack were to occur, knowing where sensitive information is stored is crucial to protecting it. Regular risk assessments, access logging and secure data disposal are all necessary, and all three are compulsory under both PCI DSS and GDPR. With regular analysis, organizations can gauge how well personal data is being protected and adjust accordingly in the event of major changes such as mergers or acquisitions.
The risk assessment framework defined by PCI DSS is clearer and gives specific guidance on both the procedure and the frequency of internal reviews (Requirement 12.2: at least annually and upon significant changes to the environment). That work can then be leveraged when undertaking GDPR data protection impact assessments (DPIAs), which Article 35 requires where processing is likely to result in a high risk to individuals and which should be revisited whenever the processing changes.
Processing and Limiting the Access to the Data
To prevent companies from harvesting data unnecessarily, PCI DSS provides guidance on reducing the amount of cardholder data stored (Requirement 3.1), thereby reducing the risk, cost and time of housing excess data. Retention periods can be set based on legal, regulatory or business requirements, with data securely deleted once they expire. GDPR is similar in many respects, mandating that the data controller “implements data protection principles such as data-minimization” and that “only personal data … necessary for each specific purpose of the processing [may be] processed.” Therefore, the methods used to limit data under PCI DSS can be applied to meet this aspect of GDPR Article 25 (data protection by design and by default).
It is strongly advised to limit access to critical information, because each account with privileged access is another possible attack vector. Grant access only to those who absolutely need it. In the event of a breach, limited access also narrows the list of accounts and people that could have contributed to it, which helps the investigation. PCI DSS Requirement 7 details how to restrict access to cardholder data to only those whose job requires it (business need to know). GDPR likewise expects access to personal data to be restricted, so the least privilege required to fulfill a given role is the right default, and the PCI DSS guidance doubles as a list of best practices to follow.
What Happens in the Event of a Breach?
With cyberattacks occurring daily, organizations now operate on the assumption that it is a matter of when, not if, they will be breached. If a breach does occur, it is up to the enterprise to demonstrate that its security was up to par and that it responded appropriately in the immediate aftermath. Failing to do so can result in considerable penalties. A regularly updated and tested incident response plan is a must for PCI DSS compliance (Requirement 12.10), and it will include procedures for notifying the affected payment card brands, acquiring banks and other third parties, and the appropriate authorities.
Under GDPR Article 33, a controller must notify the competent data protection authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; this applies to U.S. companies just as it does to European ones when they process the data of people in the EU. Organizations can incorporate elements of their PCI DSS incident response plan into their GDPR breach notification process so that the company can act within that window.
Compliance is a Critical Component
In the age of data protection, compliance is now a critical component for all businesses. With the external threat to data constantly mounting, both PCI DSS and GDPR provide a clear roadmap for how businesses can effectively protect their sensitive information. Because the standard and the regulation overlap, organizations that are already PCI DSS compliant are well ahead on the road to GDPR compliance. Data security should never be seen as a burden; it should be something to strive toward. A step in the right direction is adopting a data-centric security model that leverages tokenization to protect data at rest, in motion and in use, so that the data remains protected even if a system that handles it is compromised.