The PCI DSS and GDPR: How to Make Your Business Compliant
In recent years, personal data have become an effective economic asset, and their competent use rewards companies with commercial advantages and profit. However, non-compliance with the laws of storage, processing, and transfer of personal data can result in huge losses for your company, even bankruptcy.
Companies dealing with personal data should provide evidence of compliance with PCI DSS and GDPR requirements to avoid such situations. These rules have fundamentally changed previous privacy protection standards, resulting in many questions from businesses: What should I do? Whom should I contact? How dangerous is non-compliance? The Dinarys team has analyzed the most controversial and popular questions, and this article will help you understand PCI DSS and GDPR standards and apply them to your digital business ecosystem.
The PCI DSS vs the GDPR: The Main Differences
Both the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) are intended to enhance users’ security by protecting their data. However, since the PCI DSS covers payment card data security and the GDPR covers the use and storage of general personal information, they overlap, sometimes leading to confusion.
It is important that you understand in greater detail how the PCI and GDPR differ from each other. This can help you determine your compliance with both sets of rules. What, therefore, sets them apart?
Covered data
The GDPR covers a much broader scope of visitor data, while PCI compliance addresses more specific issues. The GDPR targets all personally identifying data collected from anyone related to the European Union, while the PCI DSS is administered in the United States and applies to only one type of data: payment data (as opposed to the wide variety of personal data protected by the GDPR). The picture below shows the difference in the amount of data covered.
Privacy concerns vs security issues
The PCI DSS places great emphasis on the security and data protection of payment cardholders and covers everything in this area: identity theft, loss of data, and breaches. Thus, the primary purpose of this standard is to protect users’ payment information. All other personal information about users is outside the scope of the PCI DSS.
Conversely, the GDPR addresses the privacy and protection of users’ personal data as a whole, not only their payment information. It assumes that users are able to control their data: access them, correct them, restrict their processing, and revoke consent to processing or have the data deleted.
Processes covered
The PCI is more targeted as it covers less data and requires fewer processes. Only the use of data comprising part of the bank payment process is affected. The PCI includes collecting cardholder data, processing payments, and transferring that data within the United States. However, if the cardholder is from the EU, GDPR requirements must also be followed for all card processes.
As mentioned earlier, the GDPR covers a much more comprehensive range of data: any information about a person through which they can be identified, including gender, age, place of residence, and mental, cultural, economic, or social identity. This means that any use of an EU citizen’s personal data must comply with the requirements of the GDPR, and those data must be protected.
However, despite the differences in the scale and amount of data collected and the types of protection, the GDPR and PCI complement each other and often work together and overlap. In any case, compliance with these requirements is essential when creating any e-commerce project.
Introduction to the PCI DSS
E-commerce is based on buyers who want to purchase a product and pay for it online. Here, store developers have to handle the card data that buyers enter at checkout. It is unlikely that any store customer would like this information to become public. As such, you have to resort to thoughtful and repeatedly tested solutions.
The PCI DSS is a security standard for payment card data. In other words, it is a document comprising a list of criteria that online companies must follow if they manage information such as card numbers, expiration dates, and CVV codes.
The five largest payment systems (Visa, MasterCard, American Express, JCB, and Discover) formed the PCI SSC, and its standard is followed by companies wishing to receive the “PCI-DSS Certified” label. Furthermore, certification must be renewed annually.
PCI DSS certification is not a formality. To comply with the PCI DSS standard, an organization must take a comprehensive approach toward ensuring the security of payment card data.
PCI DSS targets the following aspects:
- Protecting cardholders’ data
- Building and maintaining a secure network
- Implementing strict access control measures
- Vulnerability management
- Regular monitoring and testing of the network
- Development of information security policy
Why is this standard needed?
Internet payments using bank cards involve the transfer, storage, and processing of payment card data, which increases the risk of cybercrime. The PCI DSS protects your personal information and seeks to prevent payment fraud.
To whom does the PCI apply?
The PCI DSS applies to any company, regardless of the size or number of transactions, that accepts, transmits, or stores the card data of its users. Thus, if your organization stores, processes, or transfers at least one payment card number during the year, then you, as a company, must comply with the PCI DSS requirements.
PCI compliance levels
Depending on the number of transactions occurring over 12 months, each company will be assigned to one of four levels of PCI compliance.
The table below shows the merchant levels of sellers described by the Visa system:
| Merchant level | Description |
| --- | --- |
| 1 | Any merchant processing over 6 million Visa transactions per year. At its sole discretion, any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant processing 1 million to 6 million Visa transactions per year. |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions per year. |
| 4 | Merchants processing fewer than 20,000 Visa e-commerce transactions per year. |
PCI DSS compliance requirements
To guarantee the safety of customer funds, companies such as Visa and MasterCard require merchants and various service providers that accept payments from customers through these payment systems to comply with the PCI standard.
The PCI SSC has provided a list of requirements that each company must meet in order to enhance cardholder data security. There are 12 specific requirements in total, but for convenience, we have grouped them under six goals. Let us look at them briefly in the table below:
| Goal | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| Support a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. |
| Carry Out Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors. |
There are also roughly 251 sub-requirements for PCI compliance, which also need to be considered when working with the card data of your visitors.
Penalties for PCI non-compliance
PCI DSS compliance is a standard; that is, it is not required by federal law in the U.S. However, some current and future state laws are effectively forcing components of the PCI DSS into law. For non-compliance, sellers may be subject to fines and incur costly forensic audits.
Payment brands can fine an acquiring bank between $5,000 and $100,000 per month for PCI non-compliance. In turn, the acquiring bank will charge the penalty directly to the seller. As a result, the bank will likely either end the relationship or increase the transaction fees.
Penalties for non-compliance with the PCI DSS depend on two factors:
- The size of the organization. The penalty depends on how many transactions are processed per year and on the merchant level at which these transactions are processed.
- The duration of non-compliance. Fines continue to be imposed on the organization until it fully complies with the standard.
An example of a large American supermarket chain that was negligent about its security and its customers’ safety is Target. The data of 40 million payment cardholders were leaked by hackers. This led to losses of $250 million for the payment cardholders.
This story is not meant to scare but to demonstrate the potential vulnerabilities of even huge businesses.
Having a PCI DSS certificate minimizes the likelihood that intruders will be able to penetrate your network.
GDPR Overview
The GDPR is the strictest law on Internet users’ safety and privacy. This law was developed and adopted in the European Union and imposed obligations on companies that collect personal data about users associated with the EU, regardless of location. Companies that do not comply with the security and privacy standards face severe fines, which can reach tens of millions of euros.
The GDPR is only valid where personal data are applied. So let us see what exactly is meant by personal data according to the regulation’s definitions.
According to the GDPR, personal data comprise any information that relates to an identified or identifiable natural person (“data subject,” i.e., a person).
- An identified individual is one whose personal identifiers (name, phone number, login, IP address, etc.) are among the data.
- An identifiable natural person is someone who can be identified (distinguished from other people) from the data, directly or indirectly.
Under the GDPR, organizations must guarantee that the collection of personal data is lawful and must inform data subjects who controls and processes these data, in order to protect users from data misuse.
Article 7 of the GDPR states that any website must request permission to process data prior to collection, and the subject must be informed (usually, this is done in the form of checkboxes during registration).
Who is in the GDPR area?
The GDPR applies to any company or organization that processes or uses personal data as part of its business. Therefore, the regulation applies to all companies, without exception, that offer products or services to people in the EU, regardless of the company’s location.
How do you tell whether your company offers services to EU clients and therefore has to comply with the GDPR? Here are the general indicators:
- You ship goods to the EU.
- Your website/app accepts payments from EU customers.
- EU users can register their accounts on your resource.
Provided that your company does not target its services at individuals in the EU, it is not subject to the rules of the GDPR.
7 Key principles of the GDPR
The GDPR is underpinned by data protection principles that drive compliance. These principles outline the obligations that organizations must adhere to when they collect, process, and store an individual’s personal data. The GDPR sets out seven key principles:
- Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data only for the legitimate purposes specified explicitly to the data subject when you collect it.
- Data minimization: You should collect and process only as much data as necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability: The data controller is responsible for demonstrating compliance with all GDPR principles.
Rights of individuals under the GDPR
To be compliant, you must understand people’s right to privacy. With the advent of new technologies, people can lose their privacy as their personal data are exposed. The GDPR, as a law, defines a list of rights that users, as data subjects, can exercise. There are eight of these rights in total.
Right to access (Article 15 GDPR)
Every data subject has the right to access their data. This applies to the information that the subject transmitted about themselves and the information that the company (the data controller) collected about them. This right enables the subject to find out the following:
- The purpose of personal data processing.
- To whom the data will be disclosed (in which countries).
- Data storage time.
- Where the data came from (data sources).
- Whether they have the right to delete, clarify, or “freeze” the data (restriction of processing) as well as to lodge a complaint with a supervisory authority.
How do you satisfy a GDPR right-of-access request? You, as a company, must provide access to personal data in whatever form your user may request—electronically or on paper. Another option is to give the user access to their data in their account, where they can see all the personal data available to your company.
Right to rectification (Art. 16 GDPR)
If the data subject notices that their data were inaccurate and that the company is still using these inaccurate data, they may request that personal information be corrected. This applies to those cases in which the data subject, for example, changed their surname, place of residence, or passport, or if their data were indicated incorrectly.
Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)
The right to erasure is a fundamental right concerning GDPR compliance. According to the requirements of the GDPR, the controller company is obligated to delete personal data at the request of the subject: email, name, surname, date of birth, phone number, passport data, ID card data, and all other data that can be used to identify an individual. Related records (e.g., receipts) can either be deleted along with the personal data or anonymized for statistics and analytics. In other words, this is the right to be forgotten. The GDPR provides for the following circumstances under which the right to erasure can be exercised:
- Personal data are no longer needed for original purposes.
- If the user withdraws their consent to the processing (when the legal basis is consent).
- If personal data are processed unlawfully.
- When processing personal data with the consent of the child. (The indispensable point is that, according to Article 8 of the GDPR, a child’s consent to the processing of personal data can only be legal in two cases: 1) they are 16 years old or 2) they have parental consent/permission.)
Right to restriction of processing (Art. 18 GDPR)
Restriction of processing is usually requested to stop data being used for further analysis while they are still stored. Under certain conditions, the subject may request that the controller restrict the processing of their data:
- If there is any doubt about the reliability and accuracy of the data.
- If the processing of personal data is unlawful but the subject is against deleting the data and asks to freeze their use instead.
- In case the subject needs data for filing claims or defense and the controller no longer needs the data for processing.
In other words, with limited processing, the data are stored but not used in any way.
Right to data portability (Art. 20 GDPR)
The user should be able to obtain all the data that the company has collected about them. These are frequently the same data that are removed by the “delete personal data” function. Still, you can also include additional data (e.g., orders that the user has made may not be deleted but must be included in the export). You can export data in different formats; PDF, XLS, and CSV are the most common. There is no required format and no mandatory template for the export. Each company determines its own.
Below is an example from the iTalki service (export of personal data + personal data deletion with subsequent account deactivation):
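As an added worked example (not the iTalki export referenced above, and not Dinarys or iTalki code), the following Python models the two operations from the right-to-erasure and right-to-data-portability sections on a constructed in-memory store: exporting everything held about one subject as JSON plus a CSV of their orders, and erasing the subject while anonymizing the linked orders so that aggregate statistics survive. The customer and order records, field names, and the anonymization scheme (dropping the customer id and tagging the orders with a random group token that is never stored elsewhere) are all assumptions.

```python
"""Data-subject rights on a constructed in-memory store (added example).

export_subject_data: right to data portability (Art. 20 GDPR).
erase_subject:       right to erasure (Art. 17 GDPR) with anonymization
                     of related order records instead of deleting them.
monthly_revenue:     an aggregate that must come out the same before and
                     after erasure, proving the statistics survived.
"""
import copy
import csv
import io
import json
import secrets

# Constructed sample data; the people and orders are fictitious.
_CUSTOMERS = {
    101: {"email": "anna@example.com", "name": "Anna Example",
          "phone": "+49 30 0000000", "last_login_ip": "203.0.113.7"},
    102: {"email": "bob@example.com", "name": "Bob Example",
          "phone": "+49 30 1111111", "last_login_ip": "203.0.113.9"},
}
_ORDERS = [
    {"order_id": 5001, "customer_id": 101, "total_eur": 49.9, "order_date": "2023-03-01"},
    {"order_id": 5002, "customer_id": 101, "total_eur": 12.0, "order_date": "2023-05-14"},
    {"order_id": 5003, "customer_id": 102, "total_eur": 99.0, "order_date": "2023-06-02"},
]

# Fields that go into the CSV part of the export (assumed order schema).
PORTABLE_ORDER_FIELDS = ("order_id", "total_eur", "order_date")


def sample_store():
    """Return fresh, independent copies of the sample data for one run."""
    return copy.deepcopy(_CUSTOMERS), copy.deepcopy(_ORDERS)


def export_subject_data(customer_id, customers, orders):
    """Everything held about one subject: a JSON package plus a CSV of orders."""
    if customer_id not in customers:
        raise KeyError(f"unknown data subject {customer_id}")
    own_orders = [o for o in orders if o.get("customer_id") == customer_id]
    package = {"profile": customers[customer_id], "orders": own_orders}
    as_json = json.dumps(package, indent=2, sort_keys=True)

    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(PORTABLE_ORDER_FIELDS))
    writer.writeheader()
    for o in own_orders:
        writer.writerow({k: o[k] for k in PORTABLE_ORDER_FIELDS})
    return as_json, buf.getvalue()


def erase_subject(customer_id, customers, orders):
    """Delete the identifying record and anonymize linked orders in place.

    The orders are kept for accounting and statistics but lose every link
    to the person: the customer id is removed and replaced by a random
    group token generated here and stored nowhere else, so the orders of one
    erased customer still group together without being re-identifiable.
    Returns the number of orders anonymized.
    """
    if customer_id not in customers:
        raise KeyError(f"unknown data subject {customer_id}")
    del customers[customer_id]
    group_token = secrets.token_hex(8)
    touched = 0
    for o in orders:
        if o.get("customer_id") == customer_id:
            del o["customer_id"]
            o["anon_group"] = group_token
            touched += 1
    return touched


def monthly_revenue(orders):
    """Revenue per month (YYYY-MM); independent of who placed the orders."""
    totals = {}
    for o in orders:
        month = o["order_date"][:7]
        totals[month] = round(totals.get(month, 0.0) + o["total_eur"], 2)
    return totals


if __name__ == "__main__":
    customers, orders = sample_store()
    as_json, as_csv = export_subject_data(101, customers, orders)
    print(as_json)
    print(as_csv)
    print("revenue before:", monthly_revenue(orders))
    print("orders anonymized:", erase_subject(101, customers, orders))
    print("revenue after: ", monthly_revenue(orders))
```

The point of the `monthly_revenue` check is the one the erasure section makes: the receipts do not have to be destroyed to honour the request, they only have to stop pointing at a person. A second export for the same id after erasure fails, which is the correct outcome.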
Right to object (Art. 21 GDPR)
At any time, the data subject may object to gathering personal information if it seems to them that it’s being used for direct marketing purposes or doesn’t comply with their rights, interests, and freedoms. The controller must consider the objection, analyze the situation, and decide whether the user’s interests should come first.
Right not to be subject to automated decision-making (Art. 22 GDPR)
Under this right, the data subject may object to decisions about them that are based solely on automated processing of their personal data and made without their consent. The exceptions are cases in which the automated decision is necessary to conclude or perform a contract between the subject and the controller, or in which it is based on the subject’s explicit consent.
Right to compensation (Art. 82 GDPR)
If the controller company has processed personal data unlawfully, the subject may recover compensation for the damage caused by that processing. Thus, the company will have to pay compensation directly to the subject.
Penalties for GDPR non-compliance
As set out here, the GDPR is a tough regulatory legal act that involves direct action, the violation of which leads to severe sanctions. Therefore, to guarantee the protection of personal data, the EU has established rather severe fines.
Violations of the regulation are subject to fines of up to €10,000,000 or up to €20,000,000; the ceiling depends on the GDPR article violated. If the company’s turnover is more than 500 million euros, then the maximum penalty is calculated as a percentage of the global turnover for the preceding year: from 2% to 4%. Art. 83 GDPR establishes the sanctions.
It is also crucial that supervisory authorities have the right to impose administrative fines on both controllers and data processors. Fines can be imposed instead of, or in conjunction with, other measures prescribed by the supervisory authorities.
Top 5 largest GDPR fines
- Google Inc.
In January 2019, Google was fined €50 million for a privacy policy that did not comply with the GDPR. The policy was spread over many pages and written in complex language, so users did not understand how their personal data were being processed. In addition, the consent obtained for the processing of personal data did not comply with the regulation, as all the boxes had already been ticked in advance for users.
- H&M
The Hamburg Supervisory Authority fined H&M €35.3 million. This decision was made after the Swedish mass-market brand monitored several hundred of its employees. This processing included data about the personal lives of employees, which subsequently became available throughout the company.
- TIM
TIM, an Italian telecommunications company, was fined €27.8 million by the Italian supervisory authority. The company committed several violations, including lack of consent to marketing activities, contacting data subjects who had asked not to be associated with marketing offers, invalid consent collected via TIM apps, lack of adequate security measures to protect personal data, and lack of clear data retention periods.
- British Airways
In July 2018, British Airways received a €22 million fine for lack of adequate technical information security measures under Art. 32 of the GDPR.
- Marriott International, Inc.
Hotel chain Marriott International, Inc. was fined €20.5 million. In 2016, Marriott acquired another group of companies, which were also associated with the hotel business. Later, it turned out that, since 2014, this group of companies had a severe vulnerability in its information security system. Marriott only found out about this in 2018 after a leak affected 339 million users. The breach included banking information and other personal data.
These five cases only confirm the importance of adhering to the regulation. Implementing the GDPR is usually cheaper than hoping that a violation will go unnoticed. Supervisors usually learn of violations through disgruntled clients, the media, bloggers, disgruntled former employees, and so on. In addition, privacy has become a marketing differentiator for new brands and attracts customers. Finally, putting the system in order and setting up processes are tasks that any business striving for success will face sooner or later.
How Dinarys Makes Your Business Compliant
Information is one of the most valuable resources in the world. As a result, data protection has become crucial for businesses that deal with personal information. Implementing the PCI DSS and GDPR is a prerequisite for handling personal information on any website. Dinarys are experts in e-commerce development, and we know better than anyone else how important it is for our clients to comply with these standards in their work.
Customer confidence is our top priority. We use CMS systems, such as Magento and Shopware, and third-party extensions that comply with all PCI + GDPR requirements. Furthermore, we adhere to all the rules of system compliance with the official GDPR checklist when it comes to custom development. This allows our clients to gain more control over the data they collect and get the tools necessary to protect the information of website visitors.
Read also: Magento Payment Gateway Integration: Best Practices.
How does Magento help merchants to be compliant?
The Magento platform helps merchants meet PCI and GDPR standards in the following ways:
- Magento Commerce (Cloud) is PCI certified as a Level 1 solution provider. This means that merchants using Magento Commerce (Cloud) can use Magento’s PCI Attestation of Compliance to support their PCI certification process.
- Magento allows merchants to securely transfer their users’ credit card information using the API Direct Post method, which sends the card data from the browser directly to the payment gateway, so the Magento server never handles it. This makes it much easier to comply with the PCI standard. In addition, keeping sensitive data outside the Magento application server enables updates to the core Magento e-commerce application without having to go through a PCI compliance re-assessment of the entire Magento e-commerce platform.
- Store owners can ensure compliance, data security, and privacy by installing a GDPR extension. Without any manual code changes, both the administrator and the customer can make the appropriate changes to personal information, personal rights, and the cookie policy. All you have to do is install the module, and you can provide your customers with the best experience and guarantee high security while they shop at your store.
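The Direct Post pattern above only works if the merchant server really never receives card data; a mis-wired form or a debug field can still post a card number to it. The following Python is an added example (not Magento’s code or Dinarys’s) of a server-side guard that enforces the pattern: it walks an incoming checkout payload, rejects anything that contains a card-number-like value (13 to 19 digits passing the Luhn check) or sensitive authentication data such as a CVV, requires a gateway token instead, and keeps only a masked reference for display, which is the substance of requirement 3 (protect stored cardholder data). The field names, the `tok_…` token format, and the sample payloads are assumptions.

```python
"""Server-side guard for a direct-post checkout (added example).

The browser is supposed to send card data straight to the gateway and hand
the server only a token. This guard makes sure a payload that breaks that
rule is refused before it can be logged or stored.
"""
import re

# A run of 13-19 digits, optionally separated by spaces or dashes.
_CANDIDATE_NUMBER = re.compile(r"\d[\d -]{11,21}\d")
# Sensitive authentication data that must never reach the server (assumed keys).
FORBIDDEN_KEYS = {"cvv", "cvc", "cvv2", "cid", "pin"}
# Hypothetical gateway token format; real gateways define their own.
_TOKEN = re.compile(r"tok_[A-Za-z0-9]{16,}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True if a string contains a 13-19 digit run that passes Luhn."""
    if not isinstance(value, str):
        return False
    for m in _CANDIDATE_NUMBER.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def find_pan_fields(payload, prefix=""):
    """Walk a nested JSON-like payload; return dotted paths of PAN-like values."""
    hits = []
    if isinstance(payload, dict):
        for key, val in payload.items():
            hits.extend(find_pan_fields(val, f"{prefix}{key}."))
    elif isinstance(payload, list):
        for i, val in enumerate(payload):
            hits.extend(find_pan_fields(val, f"{prefix}{i}."))
    elif looks_like_pan(payload):
        hits.append(prefix.rstrip("."))
    return hits


def accept_checkout(payload: dict) -> dict:
    """Return the record safe to persist, or raise ValueError.

    The returned record holds the gateway token, a masked display string and
    the amount; it never holds a PAN, an expiry date or a CVV.
    """
    pan_paths = find_pan_fields(payload)
    if pan_paths:
        # Report the path only, never the value, so the rejection itself is log-safe.
        raise ValueError(f"card number present at {pan_paths}; refusing request")
    bad_keys = FORBIDDEN_KEYS & {str(k).lower() for k in payload}
    if bad_keys:
        raise ValueError(f"sensitive authentication data present: {sorted(bad_keys)}")
    token = payload.get("gateway_token", "")
    if not isinstance(token, str) or not _TOKEN.fullmatch(token):
        raise ValueError("missing or malformed gateway token")
    last4 = payload.get("last4", "")
    if not isinstance(last4, str) or not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return {
        "gateway_token": token,
        "display": f"**** **** **** {last4}",
        "amount_eur": payload["amount_eur"],
    }


if __name__ == "__main__":
    # Constructed payloads: one correct, one where a card number leaked through.
    good = {"gateway_token": "tok_abcdefghijklmnop1234", "last4": "4242", "amount_eur": 49.9}
    print(accept_checkout(good))
    leaked = {"gateway_token": "tok_abcdefghijklmnop1234", "last4": "1111", "amount_eur": 5.0,
              "notes": {"memo": "card 4111-1111-1111-1111"}}
    try:
        accept_checkout(leaked)
    except ValueError as e:
        print("rejected:", e)
```

The Luhn filter is deliberately applied to every string in the payload, not just to fields named like card data, because leaks usually arrive in free-text fields (memos, addresses, debug blobs). The error message names the path and not the value, so the rejection can be logged without itself becoming a PCI scope problem.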
Want Your Business to Be Compliant?
Read more in our blog HIPAA Compliance Guide: How to Follow Its Regulations.
We hope that you have found this article helpful and that you now understand the basic rules of the PCI DSS and GDPR and how to work with them. However, if you still find it challenging to cope independently, you can always turn to our Dinarys experts for help. This will be an investment in your company’s future and will give you a competitive advantage in the market. Being PCI DSS + GDPR compliant will earn you the trust and respect of customers and partners, undoubtedly valuable resources for any business. Get in touch with us, and we will be delighted to help you implement your business plan!
FAQ
Developed and managed by the PCI Security Standards Council, the PCI compliance process involves a set of technical and operational standards that businesses must follow to secure and protect credit card data.
PCI DSS compliance is a standard and, therefore, is not required by federal law in the U.S. However, some current and future state laws effectively force components of the PCI DSS into law.
If you are a merchant planning to transmit, store, or process credit card data, you must be PCI compliant.
The GDPR is the strictest law on Internet users’ safety and privacy. This law was developed and adopted in the EU and imposes obligations on companies that collect personal data on users associated with the EU, regardless of location.
Any company that processes, stores, or uses the European citizens’ data must comply with the GDPR standards.