• Jim Seaman

Marrying PCI-DSS with the EU-GDPR

Updated: May 24


Introduction

On 25 May 2018, the European Union (EU) introduced a new data protection regulation, the General Data Protection Regulation (GDPR), designed to ensure that businesses (anywhere in the world) handling the personal data of European members used this data in an appropriate manner, whilst protecting it from harm across its defined data life-cycles.


The EU-GDPR article 4 defines personal data as being:

"Any information relating to an identified or identifiable natural person (‘data subject’);
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

This was a significant update to previous legislation and brought with it 2 tiers of regulators' fines:

  • Tier 1. €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher (infringements listed in Article 83(4)).

  • Tier 2. €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher (infringements listed in Article 83(5)).


With cardholder data clearly coming under the definition of 'Personal Data', the introduction of the EU-GDPR significantly changed the regulatory landscape for any Data Controller or Data Processor involved in the processing, storage or transmission of cardholder data belonging to EU data subjects.


Imagine the impact on Card Not Present (eCommerce, Telephone, etc.) operations, where EU data subjects are able to make purchases, using their payment card, to any business located anywhere in the world.


Any company wishing to take card payment purchases from EU data subjects is brought into scope for the EU-GDPR, as per the very nature of Article 3:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Suddenly, these businesses need to ensure that they:


  1. Have legitimate grounds to use this data (they have the consent of the data subject or have a lawful reason for using this cardholder data, and the associated personal data (e.g. postal address, telephone number, email address, etc.) needed for the goods/service order), and only retain the data for specific time periods (data life-cycle), and

  2. Securely store, process and transmit the data across this data life-cycle.


This has changed the legal and regulatory compliance landscape, with PCI DSS being able to provide these businesses with a benchmark of mitigation controls for protecting cardholder data.

As we saw from the Marriott and British Airways data breaches, it was the EU regulators and not the Card Brands who proposed the fines for their poor security practices.


Findings

It is refreshing to see that some security professionals have recognised this close marriage between PCI DSS and the EU-GDPR. However, 2 years on, this message does not seem to have been received by the business decision-makers, with an increasing number of organisations still struggling with PCI DSS compliance.


PCI DSS has been in development for almost 20 years now, so why are businesses still not recognising the value and importance of having secure card payment operations?


  • Business apathy?

  • Disregard for their customers?


The entire reason for the changes to the EU personal data laws (as with the other changes we are seeing taking place across the globe) was the result of a survey of EU data subjects, where an increasing number had a distrust of how businesses were using their personal data.


Is it any wonder, when you see how companies (such as Facebook and Cambridge Analytica) were seen to freely misuse this information for their commercial profits, and how we are seeing a significant increase in the number of large-scale data breaches?


  • Why should it be acceptable for consumers to be faced with potential payment card fraud, being made against their accounts, in exchange for the purchase of goods and services?

  • Is it not reasonable for a consumer to expect their personal data to be protected from harm, after having entrusted this data to an organisation?


Of the 99 articles from the EU-GDPR, the PCI DSS controls framework provides mitigation controls for around two thirds of these articles.


Recommendations

If you are a Data Protection Officer (DPO), or have been appointed the personal data protection responsibilities, and your organisation is involved with cardholder data, you should be considering what impact the PCI DSS program has on your role. Do you know the compliance status of the PCI DSS program?


What policies, processes or principles from the PCI DSS program can be transferred for the protection of other types of personal data?


For example:

  • Article 25 (Secure By Design and By Default) - PCI DSS Goal 1 (Build and Maintain a Secure Network and Systems).

  • Article 5(1)(e) (Storage Limitation) - PCI DSS 3.1 (Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes).


Any business that has any involvement with cardholder data should familiarise itself with the principles and objectives of the PCI DSS controls framework, whilst the DPOs should be working with the Information Security Managers to marry their roles and responsibilities, to help ensure that the PCI DSS and Data Protection programs can be harmonised to provide the business with an integrated data protection strategy.


Conclusion

Since the introduction of the EU-GDPR, the protection of personal data has become a global business consideration and PCI DSS provides businesses with a unique framework which, when applied correctly, can really help to enhance sensitive data operations.


Consequently, if you want to show that you respect the fact that your customers have entrusted you with their personal data, you should consider returning their trust by putting data protection at the forefront of your business objectives.


By gaining an improved understanding of PCI DSS and giving this program an equal status to your EU-GDPR program, you will soon start to see how this framework can only enhance your business's defensive stature and, thus, help make you less vulnerable to suffering a system compromise or data breach.


The nearest analogy to best explain this could be taken from my Counter Intelligence days.


  • SECURITY OF ARMS, AMMUNITION AND EXPLOSIVES

All are independently as important as each other, but you might find that the physical security measures rely on segmented environments (Secure Rooms), within a single infrastructure (Secure Buildings), housed within its own secure enclave (Secure Compound).


Secure Compound:

Military Base:

Think of your business as being the military base: the base has an owner(s) (The Board) and many different business processes, and assets that support those processes.


The Secure Compound has an appointed owner/manager; this represents your organisation's Data Protection activities. Within the compound there are different assets (e.g. Explosives, Arms & Ammunition), each of these assets is separately stored and afforded its own defences, and each weapons store, arms bunker and explosives store has its own manager with responsibilities for maintaining the protective security measures.

All this works in harmony to provide an integrated approach!

©2018 by IS Centurion.