Preparing for GDPR? PCI DSS could help
Published: Sep 18, 2017
Author: Ciske van Oosten
It’s been almost impossible to miss coverage of the General Data Protection Regulation (GDPR). Who’d have thought that a data protection law would be a trending topic on Twitter? I’ve seen it described as the “biggest change in data protection regulation in 20 years.” While GDPR is a European Union (EU) law, it could affect your business wherever it’s based: the new rules apply to any organization that offers goods or services to people in the EU, or monitors their behaviour, regardless of where that organization is located. If that describes you, and you collect personal data (anything that can identify an individual), then you should be making sure that you’re ready when GDPR takes effect on 25 May 2018.
I’m not a lawyer, so I’m not going to try to explain the intricacies of the law or how it applies to your company. My perspective on GDPR is that of somebody who has been working in IT security and compliance for 28 years. Over that time, I’ve seen several new regulations come along, and I’ve learnt a few things about how you can simplify achieving and maintaining compliance.
Why do companies struggle with compliance?
New standards, or even updated versions of existing ones, often cause companies problems. This is something that we’ve seen repeatedly. Since 2010, Verizon has been publishing reports on compliance with the Payment Card Industry Data Security Standard (PCI DSS). In 2016, we saw overall compliance go up, from 48.4% to 55.4%, but lots of companies were caught out by the updated requirements on checking payment devices for tampering. That is unlikely to be a coincidence: the PCI Security Standards Council tightened the testing procedure for those requirements when it released version 3.2 of the Standard.
In the 2017 Payment Security Report we saw compliance with one particular control (9.9.3: Provide training for personnel to be aware of attempted tampering or replacement of devices) fall to the very bottom of the list—dropping from 90.0% to 76.5%, the biggest year-over-year decline.
So why do companies struggle? In most cases, it is not that they are unfamiliar with the new data protection requirements, but rather that they don’t have the right people, tools or processes in place. Lack of clarity in the documentation can also be a factor. Writing a data protection standard is hard: it has to define security controls that cover the enormous variety of companies and operating environments that exist, without becoming so long and impenetrable that reading it is a challenge in itself.
So why is PCI DSS relevant to GDPR compliance?
Both PCI DSS and GDPR are focused on improving how companies secure the customer data that they hold, but take quite different approaches.
The GDPR is much wider in scope than PCI DSS, covering far more types of data and also defining the rights of the individual—such as the right to erasure, which gives individuals the right to request deletion of their personal data. But it doesn’t spell out precisely how organizations can achieve these aims.
And that’s where I think that PCI DSS, as a prescriptive standard, can help. While its remit only covers payment card data, the principles on which it is based could apply to other kinds of data. Over its 13 years, the PCI DSS has matured significantly and now gives detailed guidance—not just on what security controls you should have in place, but also how to maintain them. This is a focus in the latest version of the Standard, v3.2.
Where the PCI DSS can help
“Under the GDPR, you have a general obligation to implement technical and organizational measures to show that you have considered and integrated data protection into your processing activities,” according to the Information Commissioner's Office.
Companies with effective PCI DSS compliance programs will already be making sure that fundamental security principles are applied to the protection of their payment card data. These include:
- Only keeping data that is strictly necessary, and not holding it any longer than required.
- Limiting access to a need-to-know basis.
- Testing security systems for vulnerabilities.
- Maintaining and communicating security policies.
The detailed guidance that the PCI Security Standards Council offers to help meet these requirements could help companies working on GDPR compliance with respect to payment data. It could also provide really useful direction for the development of controls and processes for other forms of personal data. There are dozens of supporting documents to help organizations through the process of closing the gaps in their data security.
Lessons from the 2017 Payment Security Report
Achieving compliance is not sufficient to protect your data. Verizon’s 2017 Payment Security Report found that 44.6% of organizations fell out of compliance between annual validation assessments. It’s shocking that nearly half of the stores, bars, restaurants, practices, surgeries and other organizations that handle payments did not maintain compliance, and so let the controls protecting that data lapse, but actually, that’s nearly five times better than we found in 2012. What percentage of companies will be able to maintain GDPR compliance year-round in its early years?
If a company is struggling to maintain compliance with PCI DSS, that could be an indicator that it will also have difficulty sustaining adherence to GDPR. And, as has been widely reported, the maximum penalties for being found in breach of GDPR are up to the greater of €20M and 4% of worldwide turnover¹.
In this year’s Payment Security Report, we discuss the importance of understanding the control lifecycle and building sustainable controls. This is essential not just to maintaining security, but also keeping up with the rapidly changing security landscape and tackling increasingly sophisticated cyberattacks.
While the report focuses on payment security, there is much that will be of use to you whether you’re working towards compliance with GDPR, the Health Insurance Portability and Accountability Act (HIPAA) or ISO/IEC 27001; or simply trying to improve your company’s overall level of security.
¹ Worldwide annual turnover of the business for the preceding financial year.
Ciske van Oosten is Senior Manager of the Global Intelligence division in the Security Assurance Consulting practice at Verizon. He is the lead author of the Verizon Payment Security Report and a well-known speaker on compliance performance management. Ciske has been with Verizon since 2008.