Nowadays, data security and data protection are crucially important not only for business but also for the public sector. To safeguard customers’ rights, organizations must follow established rules and regulations as well as recognized security standards, such as the GDPR and PCI DSS.
Overall
In essence, the GDPR and PCI DSS overlap in some respects, but they also have clear differences. The GDPR is European Union law: if an organization is not GDPR compliant and violates the rights of EU citizens, it can be prosecuted by the regulatory authorities. In contrast, PCI DSS is not a law at all; it is a standard required by the payment card companies.
GDPR and PCI DSS: Protecting personal data
Despite some dramatic differences, both the GDPR and PCI DSS are focused on protecting personal data. The main purpose of the GDPR is to establish standardized data protection rules valid for all EU citizens. This should make it easier for them to understand how companies use their personal data, and to raise a complaint, regardless of where the company is located. With the GDPR in force, EU citizens have more control over their personal data and the way it is processed. The Regulation aims to protect their privacy and to prevent data breaches in an increasingly data-driven world, and it gives data subjects more rights over their personal data so they can control it.
According to the GDPR, personal data is defined as any information that can be used to identify a person. That includes different pieces of information that can lead to identifying a person when put together.
On the other hand, the Payment Card Industry Data Security Standard (PCI DSS) aims to help businesses process card payments securely and reduce card fraud. To achieve that, it imposes strict security controls on storing, transmitting, and processing cardholder data. The primary goal of implementing PCI DSS is to protect cardholder information, which also includes personal data as defined by the GDPR.
GDPR and PCI DSS: Compliance
Both the GDPR and PCI DSS are designed to protect personal data; however, an organization that is PCI DSS compliant is not automatically GDPR compliant, or vice versa. Generally, the scope of the GDPR is wider, as it protects all personally identifiable data, whilst PCI DSS is focused on cardholder data. Regardless of scope, both the GDPR and PCI DSS require organizations to keep as little personal data as possible. This makes a company a less attractive target for attackers, effectively decreasing the organization’s risk exposure.
| | GDPR | PCI DSS |
|---|---|---|
| Legislation | ✓ | X |
| Protecting personal data | ✓ | ✓ |
| Fines | ✓ | ✓ |
| The requirement to keep logs | ✓ | ✓ |
GDPR and PCI DSS: Legislation and Fines
Since the GDPR came into force, many firms have sought to comply with the Regulation’s requirements in order to avoid substantial administrative fines for infringements. Depending on the severity of the infringement, organizations may face fines of up to €20 million or 4% of the global annual turnover of the previous financial year, whichever is higher. In the same manner, the payment card industry is also concerned about the security and protection of cardholder information, and the card companies have therefore established fines of up to $500,000 per incident for security breaches at merchants that are not PCI compliant.
GDPR and PCI DSS: Requirement to keep logs
Another important similarity between the GDPR and PCI DSS is that both require logs to be kept. To minimize the risk of a breach going unnoticed, PCI DSS requires logs to be stored and reviewed daily, especially for security events. The GDPR also requires logs to be kept so that any access to personal data can be closely monitored.
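As an added example (not code from the original article or from LogSentinel), the following script shows the kind of daily review described above, run over a constructed audit log of access to personal and cardholder data. The log format, the business-hours window and the bulk-access threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data), one access event per line:
# ISO timestamp | user | action | data class | record id
SAMPLE_LOG = """\
2024-03-04T08:15:02 | alice | READ   | personal   | cust-1001
2024-03-04T08:16:40 | alice | READ   | personal   | cust-1002
2024-03-04T09:02:11 | bob   | READ   | cardholder | pan-5531
2024-03-04T09:05:00 | bob   | EXPORT | cardholder | pan-5531
2024-03-04T13:20:45 | carol | READ   | personal   | cust-1003
2024-03-04T23:41:09 | dave  | READ   | personal   | cust-1004
2024-03-04T23:42:30 | dave  | READ   | personal   | cust-1005
2024-03-04T23:43:12 | dave  | READ   | personal   | cust-1006
2024-03-04T23:44:51 | dave  | READ   | personal   | cust-1007
2024-03-05T10:00:00 | erin  | READ   | personal   | cust-1008
"""

def parse_log(text):
    """Parse the pipe-separated format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, data_class, record = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "class": data_class, "record": record})
    return events

def daily_review(events, day, max_records=3, office_hours=(8, 18)):
    """Summarise one day's access to personal/cardholder data and flag what a
    reviewer should look at: off-hours access, cardholder exports, bulk access."""
    day_events = [e for e in events if e["ts"].date().isoformat() == day]
    per_user = defaultdict(set)   # distinct records touched per user (assumed metric)
    findings = []
    for e in day_events:
        per_user[e["user"]].add(e["record"])
        if not office_hours[0] <= e["ts"].hour < office_hours[1]:
            findings.append(("off_hours", e["user"], e["record"]))
        if e["action"] == "EXPORT" and e["class"] == "cardholder":
            findings.append(("cardholder_export", e["user"], e["record"]))
    for user, records in per_user.items():
        if len(records) > max_records:
            findings.append(("bulk_access", user, len(records)))
    return {"day": day, "events": len(day_events),
            "records_per_user": {u: len(r) for u, r in per_user.items()},
            "findings": findings}
```

Running `daily_review(parse_log(SAMPLE_LOG), "2024-03-04")` flags the cardholder export and the after-hours bulk access, while the following day produces no findings.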
LogSentinel has developed an advanced log reporting tool that helps authorized parties monitor critical business activities and react to unusual behavior in a timely manner. Furthermore, its fraud detection functionality helps organizations prevent financial and reputational loss while maintaining high security standards.
If your organization must comply with the GDPR or PCI DSS, LogSentinel can help. Request your free DEMO today:

Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa applies her IT-related experience to her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and identifying GDPR-related gaps.