Does GDPR have a silver lining for PCI compliance?


Since the Payment Card Industry Data Security Standard was introduced in 2004, many merchants found compliance to be too arduous or costly and just skipped it, risking fines. But increasingly, other regulations like GDPR are changing the PCI DSS compliance equation.

U.K.-based PCI Pal sees a connection in a recent uptick in demand for its PCI DSS compliance service to Europe’s GDPR rule, which protects consumer data privacy, and the newer California Consumer Privacy Act.

Once a company has endured the hassles of GDPR compliance, it creates an easier path to PCI DSS compliance, said James Barham, CEO and co-founder of PCI Pal, which has seen business triple in the last year.

“The ethos around complying with GDPR cuts across all departments of an organization and changes the very way a company has to think about data,” Barham said.

U.K.-based PCI Pal got its start providing PCI DSS compliance tools for call centers in Europe that wanted a secure method for agents accepting payment card data over the phone. Two years ago, PCI Pal extended those services to U.S. call centers whose agents directly handled payments.

This year, the company introduced PCI Pal Digital, providing a similarly secure method for merchants accepting payment cards through all digital channels, including webchat, social media, email and text.

When a consumer makes a purchase through a PCI Pal client’s digital commerce channel, it generates a payment request. PCI Pal instantly produces a URL that opens a page where consumers may enter payment credentials in a PCI-compliant environment, so the merchant never “sees” the card data.
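The flow described above, a hosted payment page that keeps card data out of the merchant's systems, can be sketched in code. The following is an added illustration, not PCI Pal's code or API: a merchant registers an order and gets a one-time URL, the consumer submits card details only to the provider side, and the merchant receives a receipt that carries no cardholder data. The hostname, the session store and the card-number checks are constructed for the example.

```python
"""Constructed illustration of a hosted-payment redirect flow: the merchant
never handles the card number. Not PCI Pal's implementation."""
import re
import secrets

# Stands in for the payment provider's server-side session store (constructed).
_PAYMENT_SESSIONS: dict[str, dict] = {}

# Hypothetical hosted-page host; any real provider would use its own domain.
_HOSTED_PAGE_BASE = "https://pay.example.invalid/p/"

_PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as applied to card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def merchant_create_payment_request(order_id: str, amount_cents: int) -> str:
    """Merchant side: register order and amount, receive a one-time URL.
    The merchant only ever stores the opaque token, never card data."""
    token = secrets.token_urlsafe(24)
    _PAYMENT_SESSIONS[token] = {
        "order_id": order_id,
        "amount_cents": amount_cents,
        "status": "pending",
    }
    return _HOSTED_PAGE_BASE + token


def provider_submit_card(url: str, pan: str, expiry: str, cvv: str) -> dict:
    """Provider side: the consumer posts card details to the hosted page.
    Card data is validated and used here only; the returned receipt contains
    nothing from which the PAN, expiry or CVV could be reconstructed."""
    token = url.rsplit("/", 1)[-1]
    session = _PAYMENT_SESSIONS.get(token)
    if session is None or session["status"] != "pending":
        raise ValueError("unknown or already-used payment session")
    digits = pan.replace(" ", "")
    if not _PAN_RE.match(digits) or not luhn_ok(digits):
        raise ValueError("invalid card number")
    if not re.match(r"^\d{2}/\d{2}$", expiry) or not re.match(r"^\d{3,4}$", cvv):
        raise ValueError("invalid expiry or CVV")
    session["status"] = "authorized"   # one-time: a replay of the URL fails
    return {
        "order_id": session["order_id"],
        "amount_cents": session["amount_cents"],
        "status": "authorized",
        "card_last4": digits[-4:],       # display-only, permitted outside scope
        "reference": secrets.token_hex(8),
    }


def merchant_record_receipt(receipt: dict) -> dict:
    """Merchant side: keep the receipt and refuse anything that looks like
    cardholder data, so the merchant's own store stays out of PCI scope."""
    forbidden = {"pan", "card_number", "cvv", "expiry"}
    leaked = forbidden & set(receipt.keys())
    if leaked:
        raise ValueError(f"receipt carries cardholder data fields: {sorted(leaked)}")
    return {"order_id": receipt["order_id"], "status": receipt["status"],
            "card_last4": receipt["card_last4"], "reference": receipt["reference"]}


if __name__ == "__main__":
    pay_url = merchant_create_payment_request("order-1001", 4999)
    # The consumer, not the merchant, supplies the card details to the provider.
    rcpt = provider_submit_card(pay_url, "4111 1111 1111 1111", "12/30", "123")
    print(merchant_record_receipt(rcpt))
```

The point of the separation is that the merchant's code path from request to receipt handles only the order id, an opaque token and the last four digits, which is what lets the merchant claim a reduced PCI DSS scope.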

Adding PCI DSS compliance through PCI Pal still requires an investment, but the upfront work is less for companies that have already undergone broad data-protection projects, Barham said.

“When e-commerce businesses adhere to these other increasingly stringent compliance and data-privacy rules, adding PCI DSS compliance becomes less of a stretch,” Barham said.

Even though PCI solutions don’t address GDPR and other privacy requirements, GDPR and other regulations have some impact on PCI adoption.

“When merchants initially started down the path of PCI compliance, they found how difficult it was to satisfy the requirements and go through the certification processes, but PCI solutions have become easier to deploy, even for merchants doing it on their own,” said David Mattei, a senior analyst with Aite Group.

The epidemic of data breaches in the past several years also focused more e-commerce providers’ attention on PCI DSS compliance, he said.

“As the number of breaches affecting e-commerce retailers has increased, merchants are more concerned about bad publicity they get from these events,” Mattei said.

European merchants were a few years ahead of U.S. merchants in adding PCI DSS tools to protect payment card details obtained by customer service agents at call centers, according to Barham.

“In the U.S., working toward PCI DSS in digital channels is still regarded as a fairly new idea, just as U.S. call centers were about two years behind Europe in adding PCI DSS,” he said.

GDPR’s halo effect may even spread PCI DSS compliance, according to Barham.

In both Europe and the U.S., Barham said, organizations have reported to him that GDPR readiness also makes it easier to adopt ISO 27001, a separate global information security standard used by some merchants and payment companies. ISO 27001 is designed to protect data from insider attacks and data breaches.

“Just as PCI DSS is easier for organizations that have gone through GDPR, ISO 27001 is relatively easy if you’re PCI DSS-compliant,” Barham said.
