Businesses are well aware of the benefits of compliance with data protection standards. Yes, benefits. The corollary, of course, is the risk from non-compliance: not merely financial penalties, but damage to business reputation and customer trust.
Here we consider the requirements of the two most applicable customer protection standards: PCI/DSS and GDPR. We look at how they overlap but also how they differ. We then examine the strategies that businesses are implementing to streamline their processes to ensure compliance with both standards.
PCI/DSS is a global standard, allowing businesses to handle card payments in a secure manner and reduce card fraud. It enforces tight controls on cardholder data, including how it is stored, transmitted and processed. It consists of 12 high-level requirements covering networks, encryption, vulnerability management, access control and information security.
GDPR is a framework for data protection law throughout the EU. It is intended to harmonise the various data privacy laws in EU countries by giving strong customer protection and rights to its citizens. Its regulations apply not only to businesses in the EU, but to any business which handles the data of an EU resident.
The risks of non-compliance
The body overseeing the PCI/DSS standard is the PCI Security Standards Council (PCI SSC). It acts as a forum for maintaining and promoting security standards but has no authority to investigate or penalise non-compliance; that is carried out by the credit card companies themselves.
Non-compliance can result in penalties of between $5,000 and $100,000 per month depending on the applicable level of PCI/DSS, the number of clients and the volume of transactions. The penalties are instigated by the credit card companies and are passed on to the non-compliant merchant by their bank or payment processor.
GDPR compliance is handled by national authorities, for example the Information Commissioner’s Office (ICO) in the UK and CNIL in France. An organisation that suffers a data breach and is not compliant with GDPR can face a fine of up to 20 million Euros or 4% of global turnover. For example, the ICO announced its intention to fine British Airways £183.39 million for its 2018 data breach. However, fines are discretionary and considered on a case-by-case basis.
GDPR has a broad scope, covering any Personally Identifiable Information (PII) related to an EU resident. The information can be in connection with their professional, private or public life covering data such as:
- Name or address details
- Email address or device IP address
- Pictures or social media posts
- Bank or credit card details
PCI/DSS has a far narrower scope, being restricted to card and cardholder information, such as:
- Credit or debit card number
- Sensitive Authentication Data (SAD) e.g. CVV2 or unique digital data
- Primary Account Number (PAN)
Card data is subject to both PCI/DSS and GDPR compliance. The standards are similar in their requirements for handling PII. To comply with PCI/DSS, a business must encrypt the cardholder data and must know where it is processed and stored. GDPR requires the use of log files so that access to PII can be monitored.
In the event of a data breach, GDPR requires the organisation to notify a competent data protection authority (DPA) no later than 72 hours after becoming aware of the breach. For a business based in the EU, the DPA will be its national authority, e.g. the ICO in the UK.
PCI/DSS, meanwhile, imposes no equivalent requirement on the merchant to notify its payment processor or bank. In most cases, however, notification of a breach travels in the opposite direction: the credit card company notifies the merchant of a fraudulent transaction. Following such notification, the merchant is obliged to report directly to the credit card company on its resolution of the issue.
Strategies for dual-compliance
Often the primary business objective for compliance with PCI/DSS is to keep sensitive data at arm's length, not touching the network. This requires implementing a solution for handling payments, such as DTMF.
Dual-Tone Multi-Frequency (DTMF) technologies can be used to take card payments over the telephone. Customers key in their card and Sensitive Authentication Data (SAD) details on their smartphone or computer, without the data being disclosed to the agent. DTMF thus allows an organisation to use a contact centre to handle payments without imposing onerous requirements on the contact centre.
There are low-tech alternatives to DTMF, such as Pause and Resume or Clean Room Contact Centre, but these have inherent shortfalls and are unlikely to be a practical solution.
One of the strengths of DTMF is that it fulfils the objective of keeping the PII away from the network; the PII is segregated and sent directly to the payment processor. The systems that process and store the organisation's own data therefore fall outside the scope of PCI/DSS compliance.
A by-product of this approach is that the business becomes less attractive to hackers, as the card data is not available to steal.
Ensuring customer protection
A business with a genuine regard for its customers’ data is likely to have systems and processes that comply with both PCI/DSS and GDPR. Those processes will be streamlined to minimise operational issues and, vitally, the business is less likely to fall foul of hackers (especially if PII is segregated).