Use PCI DSS To Achieve GDPR

With the GDPR (General Data Protection Regulation) now in effect, businesses across the EU are obliged to follow the regulation and compliant when it comes to handling and protecting personal data. While some may see this as a burden, those businesses already compliant with the Payment Card Industry Data Security Standard (PCI DSS) are seeing it as a good kick-start towards GDPR Compliance. This is mainly so because of the GDPR requirements most likely overlap with some of the existing regulations of the Payment Card Industry Data Security Standard (PCI DSS).

How is the PCI DSS and the GDPR regulation Complementary?

Goals of both PCI DSS and the GDPR are essentially the same. Both the regulations ensure that organizations protect customer’s confidential data. While the GDPR focus is on the confidential data of the citizens living in the European Union, the PCI DSS concentrates its protection efforts on all payment card and cardholder data across different countries.  The PCI DSS regulation clearly lays out a detailed guide or plan of action to ensure businesses secure customer data. The GDPR on the other hand has only drawn out requirements and criteria for Compliance, but not offered any fixed methodology for businesses to achieve Compliance. 

Let us today understand how PCI DSS can help businesses achieve GDPR Compliance.

How PCI DSS Can help businesses achieve GDPR Compliance?

Let us see how PCI DSS can serve as a roadmap for achieving the GDPR Compliance in the following  ways. 

  • Data breach

If ever a cardholder or customer’s identifiable data gets leaked or exposed, it will be considered as a breach under both PCI and GDPR Regulation. In such a scenario, the organization may be equally liable under both the PCI DSS and the GDPR. So, here the issues that you address for the PCI DSS Compliance will most likely also cover the GDPR requirements that are intended to avoid data disasters, such as storing only data that is absolutely essential.

  • Limited access to confidential data 

The key step to ensuring Compliance for both PCI DSS and GDPR, is to limit the data access to only the authorized team. Setting parameters as to whether or not a person has any reason to access the confidential data will ensure Compliance.  The less authorizations you give, the easier it is to control access and limit any fraudulent activity or risk of data breach.

  • Penetration Testing in PCI DSS will also cover Vulnerabilities in GDPR-

Pen Test or Penetration testing as we call it, which is performed by a professional auditor, uncovers vulnerabilities in your organization’s network. The test used for uncovering risks and complying with PCI DSS can also be applicable for the GDPR Compliance. With similar methods and techniques adopted to uncover vulnerabilities in an organization’s network or application, can also be used for detecting the risk of data breach in GDPR. 

  • Information Security Policies and Procedures 

The security policies and procedures developed, maintained and updated for PCI DSS, can also be applicable to GDPR. This would include

  1. Keeping all the documentations of confidential data updated. 
  2. Developing and implementing measures to assess the impact of data collection and storage
  3. Adopting measures and hiring professional auditors to ensure compliance with PCI DSS and GDPR.

You can watch the webinar On PCI DSS and GDPR Compliance


If your organization is PCI DSS compliant then you will already have a framework in place that can be used for implementing measures to comply with the GDPR. Further, if you are PCI DSS Compliant, then your organization will have already invested in secure technologies for protecting  all the confidential data. This means your organization will already have many of the technologies, processes and procedures necessary to protect personal data in place and help you additionally in achieving GDPR Compliance as well.  

Previous articleUnited States: Beware – COVID-19 Layoffs may trigger liability for partial plan terminations
Next articleInitial lessons learned as COVID-19 exposes critical gaps in information security