Blog | comforte

7 Ways PCI DSS and GDPR Overlap

Written by Dan Simmons | Jun 14, 2018

How to kill two regulatory burdens with one stone

Becoming GDPR compliant can seem like a daunting task. So daunting in fact that some firms outside the EU are resorting to quick, albeit rather extreme fixes, like withdrawing from the EU market entirely or blocking all traffic from EU based IP addresses.

Fortunately, there are other tricks to becoming GDPR compliant that don’t involve severing ties with an entire economic region. If your organization is already PCI compliant or even heading in that direction, then you may be further on your way to GDPR compliance than you thought. Many of the same processes and technology you’re using to protect cardholder data can be used for protecting personal data.

Below is a list of overlapping requirements of PCI DSS and GDPR:

1. Identify sensitive data

In order to protect sensitive data, the first step is to figure out how much sensitive data you have and where you have it. This can be a particular challenge as many organizations, oftentimes even unwittingly, have sensitive data stored across databases, in the cloud, etc. without any centralized way of keeping track of it.

2. Reduce the amount of sensitive data

If you’re storing sensitive data you don’t really need, you’d be better off just getting rid of it. Some organizations may find they are stuck in a catch 22 where they have data that they could use for business insights, so they'd like to hang onto it, however they're unable to analyze the data without compromising security. In some cases, tokenization can enable analytics on protected data.

3. Secure the data you keep

For the data you’d like to hold on to, you have to keep it protected. Under PCI DSS this is described as being "rendered unreadable," while GDPR uses the term "pseudonymisation." Most organizations will want to have a data protection strategy that includes a combination of tokenization, encryption, masking, and other forms or cryptography, depending on the use case.

4. Limit Access

Only the people who need to access sensitive data should be able to do so and those people should  be able to access only the data they need to do their specific job. Do not cut corners by allowing multiple people to use the same account to access sensitive data. There have already been high profile fines for exactly that mistake.

5. Log Access

Keep logs of who accessed what data and when in order to discourage neglect and malfeasance, and so you can more easily identify the source in the event of a breach.

 

6. Assess preparedness

Regularly assessing your data security apparatus is not only common sense, it’s required by both the PCI DSS and GDPR and it’s the only way to keep up with the constantly changing threats to data security.

 

7. Prepare to respond to data breaches

Develop a breach response plan that specifies who to notify, how to contain a breach, how to determine the source, and who at your organization is responsible for each of the above. Note that if sensitive data is in a protected state, meaning that attackers can't extract any exploitable information from it, then the data may be out of scope.