How PCI DSS compliance milestones can be a GDPR measuring stick
Constantly evolving regulations can cause confusion for security officers, but sometimes, there is process overlap. Here's how achieving compliance with PCI DSS can help meet GDPR mandates.
Both GDPR and the latest version of PCI DSS base compliance on companies' risk management efforts for the storage, processing and transmission of personal data. Developing strong data security policies not only helps reduce the risks to that data but also gives organizations an opportunity to address PCI DSS and GDPR compliance efficiently and simultaneously.
Although GDPR encompasses all personal data and not just cardholders', applying current PCI DSS strategies also helps with personal data protection required for GDPR compliance. By achieving PCI DSS compliance, your organization will meet the baseline security control standards required under GDPR.
The GDPR compliance basics
Of course, there is more to GDPR besides security controls. GDPR outlines the following principles defining how personal data is collected, processed and stored:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data is collected for specific, explicit and legitimate purposes.
- Personal data collected is relevant and limited to what is necessary for processing.
- Personal data must be accurate and kept up to date.
- Personal data must be kept in a form that permits identification of the data subject only for as long as is necessary for processing.
Data consent, security and access are the three critical issues outlined in both GDPR and PCI DSS compliance.
In credit cards, EMV technology uses a computer chip located on the card to reduce consumer fraud and limit credit card and bank liability for fraudulent payment chargebacks. Accepting these chipped cards requires merchants to upgrade their point of sale (POS) systems to accommodate EMV chips.
Employing PCI-validated point-to-point encryption (P2PE) and tokenization helps to fill the security gaps created during initial EMV transactions because they protect data both in transit and at rest in the merchant's environment. The EU's revised Payment Services Directive (PSD2) and Strong Customer Authentication (SCA) are compliance requirements for all digital transactions. PSD2 -- the European version of PCI DSS -- and the GDPR came into effect at roughly the same time. All card issuers and merchants must support an SCA solution and use two-factor authentication that requires users to prove their identity using two separate elements from the following:
- Something they know (PIN code or password)
- Something they possess (mobile device or card)
- Something they are (biometrics)
This requirement ensures that electronic payment services are conducted securely and that companies adopt technologies that guarantee the safe authentication of the user. Technologies used in payment methods, such as near-field communication, which uses a form of electromagnetic induction to communicate with other devices in close proximity, have become a crucial element in maintaining security and compliance.
Organizations aiming for both GDPR and PCI DSS compliance should consult the relevant security standards to ensure all pertinent criteria are met for compliance audits. The goal of any organization attempting both GDPR and PCI DSS compliance should be to identify and remediate compliance gaps through vulnerability scans, audit report analysis and review of new and pending laws and regulations that can potentially affect business practices, while maintaining a strong compliance program.
Performing continual vulnerability and risk assessments is also valuable for companies' compliance efforts. These include cybersecurity policy reviews, annual assessments and vulnerability scans.
PCI DSS compliance best practices
For PCI DSS specifically, policies should comply with generally accepted cybersecurity practices for building and maintaining a secure network, such as the following:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters, and use only approved PIN entry devices at your POS.
- Protect stored cardholder data.
- Use P2PE for transmission of cardholder data across open, public networks, and regularly inspect PIN entry devices for tampering and skimming devices.
- Use and regularly update antivirus software, and use only validated payment software at your POS or website shopping cart.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know access. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes, as well as provide information security education programs for employees and third-party vendors to ensure that all of them are PCI DSS-compliant.
These steps will also assist with GDPR compliance requirements that mandate organizations to constantly demonstrate accountability, whether or not a cybersecurity incident occurs. One of the best and most efficient methods to demonstrate this accountability is for an organization to become compliant with the security standards of PCI DSS.
For instance, all organizations can benefit from reducing the amount of information they store about employees and customers. This is a required GDPR policy and is one of the first activities conducted during a PCI DSS assessment, known as scope reduction.
Another key element of PCI DSS is reducing the number of systems where cardholder data is stored and decreasing the number of people with access to sensitive data. Reducing the number of people and systems that store cardholder data, and ensuring that the data that remains is adequately protected, is likewise a key element of complying with GDPR. Additionally, other controls from the PCI DSS framework can be employed to show compliance with GDPR. These include continuous employee training and education, risk management procedures and vulnerability identification via Approved Scanning Vendors.
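Scope reduction starts with finding out which systems actually hold cardholder data. The following is an added example, not code from the original article or from the PCI SSC, of a simple cardholder-data discovery scan: it pulls candidate digit runs out of records, keeps only those that pass the Luhn check used by payment card numbers, and reports them masked to the first six and last four digits. The system names and records are constructed sample data; the card numbers are the widely published test numbers, not real accounts.

```python
import re

# Candidate 13-19 digit runs, allowing spaces or dashes between digit groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (mod-10) used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; the Luhn check filters out random digit runs."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_systems(systems: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each system to the masked PANs found in its records (empty list = no cardholder data)."""
    return {name: [p for rec in recs for p in find_pans(rec)] for name, recs in systems.items()}


def in_scope(systems: dict[str, list[str]]) -> list[str]:
    """Names of systems that store cardholder data and therefore stay in PCI DSS scope."""
    return sorted(name for name, pans in scan_systems(systems).items() if pans)


# Constructed sample records (hypothetical systems; published test card numbers only).
SAMPLE_SYSTEMS = {
    "crm_exports": ["Alice Example, card 4111 1111 1111 1111, exp 12/25",
                    "Bob Example, card 3782-822463-10005"],
    "order_tracking": ["ORDER-1234567890123456 shipped",      # digit run that fails Luhn
                       "customer phone +1 555 0100"],
    "pos_terminal_logs": ["AUTH OK 5500000000000004 $42.00"],
}
```

Running `in_scope(SAMPLE_SYSTEMS)` flags crm_exports and pos_terminal_logs while leaving order_tracking out of scope, which is the kind of evidence an assessor expects behind a scope-reduction claim.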