More Letters: Does PCI DSS and GDPR Complement One Another? [the GDPR Series (19)]

Article excerpts from a forthcoming book – 99 Articles on the GDPR

Summary: A PCI DSS compliant organization can rest assured that the demands of PCI DSS regarding the technology, processes, and procedures can be extended into this new arena of GDPR compliance.

  • PCI DSS is an industry standard while GDPR is a legal regulation.
  • PCI DSS compliance, a payment industry standard, aids in GDPR compliance.
  • The similarities of PCI DSS & GDPR outweigh the differences.



Certain sectors, particularly finance, are under constant pressure to conform to regulations and standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) is created and maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands. PCI DSS is a set of requirements intended to protect merchants, banks, payment card brands and cardholders from payment card fraud. It applies to any organization that stores, processes or transmits cardholder data, and any third party that handles that data on the organization's behalf (a hosting or payment provider, for example) must itself be compliant for the services it provides. It is one of the more detailed security standards in use across the industry. Because PCI DSS already demands controls around a specific class of sensitive data, an organization that is compliant is a step closer to GDPR compliance. The two do, however, have their share of similarities and differences, which are discussed below.

Law of the Land vs. Industry Standard

The GDPR is EU law, enforced by the supervisory authority of each member state. PCI DSS, by contrast, is an industry standard: it binds an organization only through the contracts merchants and service providers sign with their acquiring banks and the card brands, and non-compliance is not a statutory offence. That does not make it toothless. The card brands can levy fines, commonly cited as ranging from $5,000 to $500,000 per month, on a merchant's acquiring bank, which passes them on to the merchant; such fines typically follow a reported data breach or a lapse in compliance. In operational terms, PCI DSS compliance rests on an annual assessment (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, depending on transaction volume) together with quarterly external vulnerability scans, so that any new technology or process that touches card data is brought within scope. For the GDPR, this established schedule of reviews provides a framework that can be reused when mapping personal data flows, giving a PCI DSS compliant organization an advantage over one starting from scratch.

Data Types

PCI DSS is limited to account data: cardholder data (the primary account number (PAN), cardholder name, expiration date and service code) and sensitive authentication data (SAD), meaning full track data, the card verification code (CVV/CVC) and PINs or PIN blocks, which must never be stored after authorization. Technologies adopted for PCI DSS scope reduction also reduce an organization's GDPR exposure. Tokenization, for example, replaces the PAN with a surrogate value before the data enters the organization's own systems, and point-to-point encryption keeps it unreadable in transit; either leaves fewer systems holding card data. This does not get the organization "around" either regime, but it shrinks the set of systems that must be assessed under PCI DSS and the amount of personal data the organization holds under the GDPR. Further GDPR work is still needed, because the GDPR aims to protect all personal data of an EU data subject, whether a bank account number or information about their social activity. The GDPR has a much broader scope, covering any information relating to an identified or identifiable natural person, which means a PCI DSS breach involving EU data subjects will also fall under the GDPR, but not vice versa.
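To make the scope-reduction point concrete, here is an added example (written for this page, not code from the article or from any PCI SSC or vendor product) of the two controls mentioned above: display masking of a PAN and vault-style tokenization that swaps PANs for random tokens before a record is stored. The `TokenVault` class and the `scrub` function are hypothetical names; a real token vault is a separately secured, assessed service, and the in-memory dictionary here only stands in for it. The sample card numbers are well-known test numbers, constructed for the example.

```python
import re
import secrets
from typing import Dict

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Vault-style tokenization (hypothetical stand-in for a real token service).

    Tokens are random, so nothing outside the vault can recover the PAN from
    them. A production vault lives in its own segmented, assessed environment;
    an in-memory dict keeps this example self-contained.
    """

    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            # Keep the last four for receipts and support lookups; the rest is random.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def scrub(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in free text with its token before the text is stored."""
    def replace(match: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number, leave it alone
        return vault.tokenize(digits)
    return PAN_RE.sub(replace, text)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample using well-known test card numbers, not real accounts.
    note = ("Refund for order 1002: card 4111 1111 1111 1111, "
            "alt card 5555-5555-5555-4444, ref 4111111111111112")
    stored = scrub(note, vault)
    print(stored)                        # tokens replace both valid PANs; the Luhn-invalid ref is untouched
    print(mask_pan("4111111111111111"))  # 411111******1111
```

The point of the design is that everything downstream of `scrub` (order history, support tools, analytics, backups) holds only tokens, so those systems drop out of PCI DSS scope and hold less personal data for GDPR purposes; only the vault, and the code paths that call `detokenize`, still need the full set of cardholder-data controls.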

Breach Notification

A breach is a breach. Any time account data or other personal data is exposed to someone without authorization, both regimes treat it as a security incident, although the GDPR's definition of a personal data breach is wider, covering accidental loss, destruction or alteration as well as unauthorized disclosure or access. The notification rules differ. The GDPR requires a controller to notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and to inform affected data subjects where the risk is high. PCI DSS itself sets no statutory reporting deadline: it requires an incident response plan (Requirement 12.10) that includes notifying the payment brands, and the obligation to report a compromise of card data to the acquirer and card brands comes from their operating rules and the merchant agreement rather than from the standard.

Log Management

Both PCI DSS and GDPR expect a business to keep records of how regulated data is accessed and processed. This similarity is a real advantage for PCI DSS compliant organizations, which will already have invested in logging and log review. PCI DSS Requirement 10 requires audit trails that link every access to system components and cardholder data to an individual user, and Requirement 10.6.1 requires that security events, and the logs of all systems that store, process or transmit cardholder data, be reviewed at least daily. The GDPR does not prescribe logging in the same detail, but its accountability principle and security obligations (Articles 5(2), 30 and 32) mean a controller must be able to demonstrate how personal data is processed and protected, and audit logs of access to personal data are the usual way to do so.

Information Commissioner’s Office (ICO)

The Information Commissioner's Office (ICO) is the UK's data protection authority and enforces the GDPR in the UK. It has no role in PCI DSS, which is maintained by the PCI SSC and enforced through the card brands and acquiring banks. The two meet in practice, though: a breach of card data belonging to identifiable individuals is also a personal data breach, so it will be reported to and may be investigated by the ICO, with penalties under the GDPR, in addition to whatever the card brands impose. In its guidance the ICO treats PCI DSS compliance as relevant evidence of appropriate security for card data, while noting that it is not a substitute for compliance with data protection law.


Organizations that are already PCI DSS compliant will find it more straightforward to build out GDPR compliance, so it is no surprise that the payments industry, globally, was better placed than most to meet the GDPR from its early days. A PCI DSS compliant organization can be confident that the technology, processes and procedures it has put in place for PCI DSS can be extended into the new arena of GDPR compliance, provided it widens their scope from card data to all personal data.
