The PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands, acting through the PCI Security Standards Council, to standardize the security controls that apply to card data. It applies to every organization that stores, processes or transmits cardholder data, regardless of size; only the way compliance is validated (self-assessment questionnaire versus on-site assessment) varies with the organization's transaction volume. The requirements focus on the three stages of a payment card's lifecycle in an organization: transmission, storage and processing. The purpose of the standard is to protect cardholder data in order to prevent fraud and data leaks.

On the other hand, we now have the GDPR (General Data Protection Regulation), whose purpose is to reinforce the right to privacy of individuals in the EU by giving them greater knowledge of, and control over, who collects, processes and transfers their personal data.

The first major difference between PCI DSS and GDPR is also the most obvious one: PCI DSS's scope is limited to cardholder data and sensitive authentication data (PAN, cardholder name, expiry date, CVV2, magnetic stripe data, transaction data, etc.). While GDPR encompasses, to a degree, the same data, the actual scope of the EU regulation is much larger: it covers any information relating to an identified or identifiable natural person, which means a living individual rather than a company or other legal entity.

Another major difference between them is the focus on data security. PCI DSS is focused on preventing data leakage, whether accidental or malicious, by mandating controls spanning from physical security to IT security policies. GDPR, by contrast, requires "appropriate technical and organisational measures" but is far less prescriptive about which controls those must be.

To build on the point about the specificity of security controls: the GDPR places the burden of proof on the organization, which must be able to demonstrate to the supervisory authority that its controls are adequate for the risk. In contrast, the 12 requirements of PCI DSS call for specific technologies and methodologies and give specific examples for cardholder data protection.

By their very nature, PCI DSS is heavily IT-focused and can be run as an IT project, whereas GDPR has wider, and to a larger extent legal, implications. PCI DSS is a good standard that dictates the minimum security requirements for most types of organizations, but risk-based controls are still crucial for achieving an optimal and efficient level of security. The IT controls required by PCI DSS are essential and definitely support the GDPR compliance process, but they are not the beginning and end of it, not by a long shot. If you are more interested in GDPR compliance, our experts have distilled the official regulation into a clear, concise, and easy-to-understand assessment tool. Start your journey on the path to GDPR compliance today using GDPRQ and receive a detailed gap analysis for your organization! Link below:


