
Next month, the EU's General Data Protection Regulation (GDPR) takes effect.

Our organization is already PCI-DSS compliant.

Do we need to do anything additional to make sure we are consistent with GDPR standards? Or are all the requirements of GDPR included within the PCI-DSS requirements?

John Wu

3 Answers


Assuming GDPR applies to your organization, yes, you should worry about GDPR.

PCI-DSS compliance doesn't imply GDPR compliance.

There are many concepts present in GDPR and not in PCI-DSS, or not with the same scope/expectations. For me, you will have to take a close look at some principles of the GDPR, like:

  • Admissibility of the user for the processing of his personal data
  • Necessity of the data processing
  • Transparency to the data subject
  • Limitation of use to specific purpose
  • Principle of data reduction (collecting as little personal data as possible)
  • Data deletion
  • Data controller and subcontractor

The two regulations have different scopes.

The GDPR scope is much wider than PCI-DSS, which focuses on the handling and protection of cardholder data. The GDPR scope includes all the personal data your organization is potentially handling. So it will affect many different departments of your organization, and not only the part which is manipulating cardholder data. For example, your HR department will be in scope of GDPR for sure, as they are collecting & storing personal data of the company employees.

Whysmerhill

If you are selling goods or services to EU residents, then yes. GDPR regulation is different from PCI-DSS. Even if you are compliant with PCI-DSS, that doesn't mean you are compliant with GDPR. However, GDPR doesn't apply to those organisations whose target audience isn't EU residents.

Do we need to do anything additional to make sure we are consistent with GDPR standards?

Yes, follow this link for more info: https://techblog.bozho.net/gdpr-practical-guide-developers/

Or are all the requirements of GDPR included within the PCI-DSS requirements?

No.


Useful links:

Andrew T.

GDPR requires you to take 'appropriate technical and organisational measures' to protect the confidentiality, integrity, availability and resilience of personal data (Article 32).

PCI DSS goes some way to help protect one type of personal data, i.e. cardholder data. I wrote an analysis of the extent to which PCI DSS meets the requirements of GDPR in respect of cardholder data.

http://withoutfire.com/2018/03/gdpr-and-pci-dss-appropriate-bedfellows/

However, PCI DSS will not be much help in protecting all other types of personal data or satisfying the other 40 or so articles (i.e. requirements) that apply to you.

withoutfire