“I don’t store card info. I don’t need PCI” – Why you should secure your data to PCI standards in light of the GDPR
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and is the most significant change in data privacy regulation in 20 years. Companies that fail to comply with the GDPR's requirements for protecting their customers' personal data may face serious consequences, including fines of up to €20m or 4% of annual worldwide turnover (whichever is greater). It is therefore critical that organisations have measures in place for the handling and protection of personal data that safeguard against breaches.
Luckily, those already compliant with the Payment Card Industry Data Security Standard (PCI DSS) have an advantage when it comes to complying with the GDPR. PCI DSS is a worldwide standard, defined by the card brands, that sets out prescriptive information security controls intended to reduce card fraud and secure card payments. While PCI DSS is scoped to cardholder data, the same controls, if applied across the business, are a step towards meeting the sixth principle of the GDPR (integrity and confidentiality, Article 5(1)(f)). Meeting that principle in practice means assessing the risk to the data, implementing security appropriate to that risk (Article 32) and monitoring that the controls remain effective.
The GDPR outlines what data needs to be protected but gives no specific guidance on how to protect it, whereas PCI DSS clearly defines the controls required to secure cardholder data. Personal data under the GDPR is defined as "any information relating to an identified or identifiable natural person ('data subject')", so wherever cardholder data includes information that could be used to identify the individual, it is also personal data under the GDPR. PCI DSS compliance is not GDPR compliance on its own, since the GDPR also covers lawfulness, data subject rights and breach notification, but applying PCI DSS controls to all personal data goes a long way towards meeting the GDPR's security requirement and reducing the breach risk that leads to fines, even for organisations that hold no cardholder data at all.
Also, many of the activities employed to comply with PCI DSS will go towards complying with the GDPR, such as:
- Scoping the data environment to find out where data resides
- The protection of stored data
- Logging and auditing systems to improve security
- Maintaining an information security policy for managing risk
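As an added illustration of the first two activities (not code from the original article or from Storm), the script below does PCI-style scoping and protection of stored data: it sweeps a set of constructed sample records for candidate primary account numbers using a pattern match plus the Luhn check that card numbers satisfy, reports where they reside, and masks each hit to the first six and last four digits, the most PCI DSS requirement 3.3 allows to be displayed. The sample records, file names and the 4111 1111 1111 1111 test number are constructed for the example; the same discovery pass can be extended with patterns for other personal data identifiers.

```python
import re

# Constructed sample contents of three "data stores" (not real data).
# notes.txt contains a 13-digit number that fails the Luhn check, so a
# naive digit-run search would report a false positive there.
SAMPLE_RECORDS = {
    "orders.csv": "1001,alice@example.com,4111111111111111,2018-05-01",
    "app.log": "2018-05-01 checkout ok card=4111 1111 1111 1111 user=bob",
    "notes.txt": "ticket 4242 opened 2018-05-01, ref 1234567890123",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(records: dict) -> list:
    """Scoping: return (store name, PAN) for every Luhn-valid candidate."""
    findings = []
    for name, text in records.items():
        for match in CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((name, digits))
    return findings


def mask_pan(pan: str) -> str:
    """Protection: keep at most first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_records(records: dict) -> dict:
    """Return a copy of the records with every Luhn-valid PAN masked in place."""
    redacted = {}
    for name, text in records.items():
        def _mask(match):
            digits = re.sub(r"[ -]", "", match.group())
            return mask_pan(digits) if luhn_valid(digits) else match.group()
        redacted[name] = CANDIDATE.sub(_mask, text)
    return redacted


if __name__ == "__main__":
    for store, pan in find_pans(SAMPLE_RECORDS):
        print(f"{store}: PAN found, masked as {mask_pan(pan)}")
    for store, text in redact_records(SAMPLE_RECORDS).items():
        print(f"{store}: {text}")
```

Running it reports the PAN in orders.csv and app.log (the spaced form is normalised before the check) and leaves notes.txt untouched, because its 13-digit reference fails the Luhn check. Any store that turns up in the findings is in scope for the PCI controls, and the redacted copy is what should leave that scope.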
Extending these activities to cover the additional personal data defined by the GDPR should be an easier task for those already implementing these activities to comply with PCI DSS.
In conclusion, if your organisation already complies with PCI DSS, these activities can be extended into a framework for implementing the measures the GDPR requires. If you don't yet comply with PCI DSS, now is the time to invest, so that the data security measures you build also meet the requirements of the GDPR.
Storm Security Centre
Concerned about data security and the GDPR? Our new look Intelligent Hosting Security Centre is now live and ready to start protecting your sites, servers and apps, whether you host with Storm or not.
With new features that continuously evolve to tackle the latest digital threats, we estimate that our Intelligent Hosting Security Centre could save you up to £860/month versus consultant or DIY costs.
Storm's Intelligent Hosting Security Centre delivers:
- Painless hosting security
- Unparalleled uptime management
- Disaster recovery
- GDPR compliance
...for ALL your sites, servers, and hosted apps.