How PCI DSS Compliance can help meet EU GDPR mandates?

By - Omni
19/04/20 10:42 PM
Both PCI DSS and GDPR tie compliance for the storage, processing and transmission of personal data to an organisation's own risk management. Strong data security policies address the same weaknesses under both regimes, so a business can work toward PCI DSS and GDPR compliance at the same time. GDPR covers all personal data, of which cardholder data is only one category, but the controls prescribed by the current version of PCI DSS map well onto the "appropriate technical and organisational measures" that GDPR Article 32 requires. PCI DSS compliance therefore gives an organisation a defensible security baseline for GDPR. It does not, on its own, satisfy GDPR, which also imposes obligations (lawful basis for processing, data subject rights, breach notification) that PCI DSS never addresses.

Basics of GDPR Compliance

Security controls are only part of GDPR compliance. The following principles (GDPR Article 5) define how personal data may be gathered, processed and stored:
  • Personal data must be processed transparently, fairly and lawfully.
  • Personal data should be gathered for explicit and legitimate purposes.
  • Personal data gathered must be relevant and restricted to what is essential for processing.
  • Personal data must be accurate and kept updated.
  • Personal data should be kept in a form that permits identifying the data subject for no longer than the processing requires.
  • Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised access, accidental loss and destruction.
Consent is purely a GDPR matter; access control and security of the data are where the two frameworks overlap, and that overlap is where PCI DSS work pays off. An organisation that has achieved PCI DSS compliance can point to a documented, audited set of controls as its baseline for the security GDPR demands.

Credit Cards & EMV Technology

Payment cards use EMV chip technology (named after Europay, MasterCard and Visa). The chip authenticates the card to the terminal, which cuts counterfeit-card fraud and shifts liability for fraudulent chargebacks onto whichever party has not upgraded. Merchants therefore have to upgrade their Point of Sale terminals to accept EMV chip cards. EMV does not, however, encrypt the account number itself: the PAN is still readable by the terminal and by every system behind it. PCI-validated Point-to-Point Encryption (P2PE) and tokenization close that gap, protecting cardholder data in transit from the terminal and at rest in the merchant's environment. In the EU the revised Payment Services Directive (PSD2) adds Strong Customer Authentication (SCA) for electronic payments. PSD2 is EU law regulating payment service providers, whereas PCI DSS is an industry standard set by the card brands; the two are complementary, not equivalent. PSD2 and GDPR both became applicable in 2018. Merchants and card issuers must support SCA, which requires multi-factor authentication: the user proves their identity with two independent elements from the following categories:
  • Something they know (a password or PIN)
  • Something they possess (a card or a registered mobile device)
  • Something they are (biometrics such as a fingerprint or a face scan)
The requirement is meant to ensure that electronic payments are authenticated securely and that providers adopt technology capable of it. Contactless payments over near-field communication (NFC), in which the card or phone and the terminal communicate by electromagnetic induction over a few centimetres, are one such channel; they still carry cardholder data and fall squarely within PCI DSS scope. Organisations pursuing both PCI DSS and GDPR compliance should work from the standards themselves so that every criterion an audit will test is covered. In practice that means identifying and closing compliance gaps through vulnerability scans, tracking new and pending regulation that could affect business practices, and maintaining a standing compliance programme. Frequent vulnerability and risk assessments, cybersecurity policy reviews and annual assessments are essential parts of that programme.

Best Practices For PCI DSS Compliance

For PCI DSS compliance, policies must follow widely accepted practices for building and maintaining a secure network, such as:
  • Install and maintain a properly configured firewall around the environment that holds cardholder data (CHD).
  • Change vendor-supplied defaults for passwords and other security parameters before systems go live. Use only approved PIN entry devices at the point of sale.
  • Protect all stored CHD, and never store sensitive authentication data (full track data, card verification code, PIN) after authorisation.
  • Encrypt CHD with strong cryptography whenever it crosses open, public networks; validated P2PE is one way to do this. Separately, inspect PIN entry devices regularly for tampering and attached skimming devices.
  • Deploy anti-malware software and keep it updated.
  • Use validated payment software at the PoS or in the website's shopping cart.
  • Develop and maintain secure systems and applications.
  • Restrict access to CHD on a need-to-know basis. Assign a unique ID to each person with logical access to the CHD environment, and restrict physical access to CHD.
  • Track and monitor all access to network resources and CHD.
  • Test security systems and processes regularly, and provide information security training to employees and third-party vendors so that everyone handling CHD understands their PCI DSS obligations.

These practices also serve GDPR's accountability requirement, under which a business must be able to demonstrate compliance at any time, not only after an incident. Meeting the security requirements of PCI DSS is an efficient way to produce that evidence. For instance, GDPR's data minimisation principle obliges businesses to hold less information about customers and employees, and reducing stored data is also one of the first activities in a PCI DSS assessment, known as scope reduction. Cutting the number of systems that store CHD and the number of people who can reach it shrinks both the audit scope and the attack surface, and the same reasoning applies to any personal data under GDPR. Other PCI DSS controls, such as continuous employee training, vulnerability identification through an Approved Scanning Vendor (ASV) and formal risk management procedures, likewise produce evidence that can be reused for GDPR.
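The two ideas above that have a concrete technical side are protecting stored CHD and scope reduction. The following is an added example, not code from the article or from any vendor, that shows what both look like in practice: a small scanner that finds cleartext PANs in free text (a regex pre-filter plus the Luhn check card brands use, so order numbers that merely look like PANs are not flagged), a masking function that keeps only the first six and last four digits, and a hypothetical in-memory `TokenVault` standing in for a PCI-validated tokenization service. The log lines and the test PANs are constructed for the example; in a real deployment the vault would be a separate, PCI-scoped system and the merchant side would only ever hold tokens.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters most strings that only look like a PAN."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in free text, with separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory stand-in for a tokenization service (assumption for this example)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)   # random, so the token reveals nothing about the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def sanitize_record(record: str, vault: TokenVault) -> Tuple[str, List[Tuple[str, str]]]:
    """Replace every valid PAN in a record with a vault token.

    Returns the cleaned record and (token, masked PAN) pairs the merchant may keep.
    """
    kept: List[Tuple[str, str]] = []

    def _swap(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                # e.g. an order number that merely looks like a PAN
        token = vault.tokenize(digits)
        kept.append((token, mask_pan(digits)))
        return token

    return PAN_RE.sub(_swap, record), kept


# Constructed sample log lines (not real data). The order numbers are 16 digits
# but fail the Luhn check; the card fields use well-known public test PANs.
SAMPLE_LOG = [
    "2020-04-19 22:42:01 order=1234567890123456 card=4111 1111 1111 1111 amount=19.99",
    "2020-04-19 22:42:05 order=1234567890123457 card=5555555555554444 amount=120.00",
    "2020-04-19 22:42:09 order=1234567890123458 card=tok_already_tokenized amount=5.00",
]


def scope_scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scope-reduction check: which lines still hold cleartext PAN? Reported masked."""
    hits = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits.append((i, [mask_pan(p) for p in pans]))
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    print("before:", scope_scan(SAMPLE_LOG))
    cleaned = [sanitize_record(line, vault)[0] for line in SAMPLE_LOG]
    print("after: ", scope_scan(cleaned))
    for line in cleaned:
        print(line)
```

Running the block scans the sample lines, tokenizes the two cleartext PANs and shows that a second scan of the cleaned lines finds nothing, which is the evidence a scope-reduction exercise is after. A real PAN discovery tool would also walk databases, backups and file shares, and the Luhn filter only reduces false positives; hits still need manual confirmation.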


Neumetric provides the entire range of cyber security services, products & consulting to organizations that have a need to obtain information security certification, improve their security compliance or boost information security assurance for their clients.