PCI DSS & GDPR

PCI DSS

As many businesses take online payments, I wanted to look at the details of PCI DSS and understand it a little better. I thought it would be a fairly dry topic, but the online course I did was actually quite enjoyable, and I am now ready to sit the PCI DSS ISA or QSA exam, which I may do at some point.

PCI DSS (Payment Card Industry Data Security Standard) is a set of information security requirements (an industry standard enforced through the payment brands' contracts, not a law) that applies to any organization that stores, processes or transmits cardholder data for credit or debit card payments, whether it is the merchant (e.g. a store), the acquirer (merchant bank), the payment brand (Visa, Mastercard etc.), the issuer (the bank or institution that issued the card) or a third-party service provider handling card data on their behalf. This applies to online and in-store payments alike.

PCI DSS is a worldwide standard, designed to reduce card fraud and ensure businesses handle payments and payment information securely.

The PCI DSS online training I did covered PCI DSS 4.0 and fortunately all the official documents are available for free from the PCI Security Standards Council website.

https://www.pcisecuritystandards.org/document_library/

One thing I thought about while doing my PCI DSS studies is that if a company already has the infrastructure and processes (logging and auditing, encryption, network segmentation and firewalls, access control) in place to be PCI DSS compliant, it should be relatively straightforward to become GDPR compliant as well, shouldn't it? For the technical controls the answer is largely yes, with one caveat: PCI DSS only covers the cardholder data environment, whereas GDPR covers all personal data and also imposes legal obligations (a lawful basis for processing, data subject rights, records of processing) that no firewall or encryption setting satisfies. And now for a little side quest into GDPR....

GDPR

I’m sure many of us have had to do GDPR training at some point and if you are like me, we all rush through it to get HR and our manager off our back, but I thought I would take a deep dive into GDPR to understand some of the details. I am aware of the basics, but wanted to actually get a hold of a copy of the GDPR itself and go through it.

The General Data Protection Regulation (adopted in 2016, applicable since 25 May 2018) governs how personal data may be collected, transferred and processed. Note that the GDPR's term is "personal data", which is broader than the usual notion of PII (personally identifiable information): it covers any information relating to an identified or identifiable natural person, including identifiers such as IP addresses and cookie IDs. Its scope is also not tied to EU citizenship: it applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). So if you are a company that processes or stores the data of people in the EU, GDPR affects you.
This means all processing and securing (encryption, technical controls and security policies) of personal data must comply with the GDPR.

This is painful enough, but the GDPR also requires that personal data breaches are reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk is high, the affected individuals must be notified as well (Article 34). Companies therefore need solid detection and reporting processes in place, including a way to record breaches that were assessed as not requiring notification.

Becoming GDPR compliant is time consuming and expensive; published estimates range from around 20K USD for a small company to 1 million USD or more for a large one.
This is still much less than the fines for non-compliance, which are categorized into two tiers (Article 83):

Lighter offenses: up to €10 million or 2 percent of the company's worldwide annual turnover*, whichever is greater

Severe infringements: up to €20 million or 4 percent of the company's worldwide annual turnover*, whichever is greater

*calculated from the previous financial year

Unless you are Amazon, this can really hurt a business, and potentially bankrupt it. I mention Amazon as they received a massive €746 million fine in 2021 (from the Luxembourg regulator, CNPD), and just got another one in 2024 for €32 million (from the French regulator, CNIL).

ISO/IEC 27701:2019 is a privacy extension of ISO/IEC 27001 and 27002 (a Privacy Information Management System, or PIMS), and following its guidelines and checklist seems to be the simplest way to structure a GDPR compliance effort. Keep in mind that an ISO 27701 certificate is not a GDPR certification in the sense of Article 42; it shows you run a privacy management system, not that every processing activity is lawful.

Unfortunately, getting a copy of the ISO standards costs 194 and 129 Swiss Francs respectively, so I haven't seen what they actually look like, and I'm not sure whether the free documents I was able to find online align with the official copies.

https://www.iso.org/standard/71670.html

https://www.iso.org/standard/27001