NonStop Insider


Killing two regulatory burdens with one stone: PCI DSS and GDPR

7 ways the PCI DSS and GDPR overlap

comforte

DanDan

Becoming GDPR compliant can seem like a daunting task. So daunting, in fact, that some firms outside the EU are resorting to quick, albeit rather extreme, fixes, like withdrawing from the EU market entirely or blocking all traffic from EU-based IP addresses. Fortunately, there are other routes to GDPR compliance that don’t involve severing ties with an entire economic region. If your organization is already PCI compliant, or even heading in that direction, then you may be further on your way to GDPR compliance than you thought. Many of the same processes and technologies you’re using to protect cardholder data can be used to protect personal data. Below is a list of overlapping requirements of the PCI DSS and the GDPR, which apply whether you support mainly the HPE NonStop system or are on a team supporting all systems in your enterprise:

1. Identify sensitive data

In order to protect sensitive data, the first step is to figure out how much of it you have and where you have it.

2. Reduce the amount of sensitive data

If you’re storing sensitive data you don’t really need, you’d be better off just getting rid of it.

3. Secure the data you keep

For the data you’d like to hold on to, you need a data protection strategy that includes some combination of tokenization, encryption, or other forms of cryptography.

4. Limit access

Only the people who need to access sensitive data should be able to do so, and those people should only be able to access the data they need for their specific job.

5. Log access

Keep logs of who accessed what data and when in order to discourage neglect and malfeasance and so you can more easily identify the source in the event of a breach.

6. Assess preparedness

Regularly assessing your data security apparatus is not only common sense; it’s required by both the PCI DSS and the GDPR, and it’s the only way to keep up with constantly changing threats to data security.

7. Prepare to respond to data breaches

Develop a breach response plan that specifies who to notify, how to contain a breach, how to determine the source, and who at your organization is responsible for each of the above.


Further reading

Want to know the exact difference between personal data and cardholder data? Or which specific PCI DSS requirements overlap with which articles of the GDPR? If so, check out our white paper.