GDPR applies to any organization that processes or holds the personal data of persons residing in the European Union. PCI applies to organizations that handle credit cards from the major card brands.
If you are a merchant and already deal with PCI compliance, you’ve probably heard about the recently implemented EU mandate: General Data Protection Regulation (GDPR). You may have questions like: "Does GDPR apply to me if I only take credit cards?" "If I comply with PCI DSS, does that make me GDPR compliant?" "Do GDPR and PCI DSS do the same thing?"
Remember that the GDPR applies to any organization that processes or holds the personal data of persons residing in the European Union, whether or not the organization itself is located in the EU. It applies to data processors and controllers.
Learn about data processors and controllers in our GDPR blog series: Part 1, Part 2, Part 3.
The PCI Data Security Standard (DSS) applies to organizations that handle credit cards from the major card brands. Both are mandates that contain best practices for securing personal data and protecting the privacy of individuals.
See also: GDPR 101 Webinar
First, one of the most important aspects to understand about PCI and GDPR is scope. Because GDPR encompasses all personally identifiable information (PII) of persons in the EU, its scope is much, much larger than that of the PCI DSS. Compared to GDPR, the PCI DSS applies to a very small subset of data: cardholder data. Cardholder data, while still considered PII, is only a small portion of all the personal data covered by the GDPR.
So, if all you take is credit cards, but some of those credit cards are of EU citizens, then yes—the GDPR applies to you. With all the types and subsets of EU citizen personal data, it’s likely that your business may store, transmit, or process some GDPR-relevant data.
The graph below illustrates the difference between the PCI DSS scope and the GDPR scope.
PCI DSS is intended to prevent merchant data breaches and protect cardholders, customers, and the payment ecosystem. To do so, it is used to regulate the storage, processing, and transmission of cardholder data.
Compare that to the GDPR, which aims to protect individual data subject rights by regulating the processing of personally identifiable information in a much broader sense, not just the actual charging of a payment card. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (GDPR Article 4, paragraph 2).
Where PCI DSS is concerned with a few major data elements, GDPR is concerned with any non-personal use of personal information, that is, any processing carried out by an organization rather than by an individual for purely personal purposes.
See also: GDPR FAQs
At the heart of GDPR is the duty to protect the privacy of data subjects by preventing misuse, theft, or unlawful disclosure of their sensitive personal data. GDPR puts the individual in charge of their own data and grants them specific, legal rights to protect and control it. GDPR requires that organizations provide persons in the EU the means to exercise those rights.
At the heart of the PCI DSS is a duty to protect cardholder data from hackers and cybercriminals and keep the entire payments ecosystem safe. This data security standard, first put forth by major card brands in 2006, is concerned with the day-to-day practices of data security: firewall management, encryption, anti-virus, and the like.
See also: PIIscan: Find and Secure Unencrypted Personal Data
If you have questions about GDPR, PCI compliance, HIPAA, or general data security, please contact us here.