What is GDPR or PCI and How Does it Affect the Security of My Business?

DO YOU HAVE EUROPEAN GUESTS? THEN GDPR APPLIES TO YOU!
 
DO YOU ACCEPT CREDIT CARDS? THEN PCI APPLIES TO YOU!


Ascent Processing, Inc.’s mission is to provide innovative payment processing solutions while focusing on providing the highest level of service, security and savings possible. As part of our ongoing commitment to transparency and to protecting your data, we want to remind you to update your Privacy Policy, if needed, to address the European Union (EU) General Data Protection Regulation (GDPR). The EU has created a single set of rules governing the collection, storage, and use of personal data belonging to EU citizens. The law is designed to expand and protect the privacy rights of EU citizens and creates new obligations for organizations that handle EU personal data.

Currently, there is no formal certification process for GDPR for US-based merchants within the card brand regulations. Confusing, right?
To better understand how to comply with GDPR, we suggest looking at the PCI DSS requirements.

In the card payments world, the card brands created the Payment Card Industry Data Security Standard (“PCI DSS”) to address security for credit card data. The GDPR can be considered an extension of PCI DSS requirements (which address cardholder data) to regulate ALL personal data for EU Citizens. According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

PCI DSS is required for all businesses that touch cardholder data. And it can provide a framework for businesses that need to get ready to comply with the GDPR. Here’s how:

Replacing the words “cardholder data” with “PERSONAL data” within the 12 main PCI DSS requirements gives you a logical structure for approaching GDPR compliance.

12 Main PCI DSS Requirements:

  • Install and maintain a firewall configuration to protect cardholder/PERSONAL data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder/PERSONAL data
  • Encrypt transmission of cardholder/PERSONAL data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder/PERSONAL data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder/PERSONAL data
  • Track and monitor all access to network resources and cardholder/PERSONAL data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

Reference: Elavon Financial Services DAC, A Merchants Guide to the Payment Card Industry Data Security Standard (PCI DSS) https://www.elavon.co.uk/content/dam/elavon/en_GB/documents/Merchants-guide-to-PCI-DSS-FINALoct2017.pdf

In addition to these requirements, one of the items the GDPR introduces is the right for individual EU Citizens to have personal data “erased.” This right to erasure is also known as the “right to be forgotten”. California just adopted a similar law for privacy protection. GDPR also requires companies to designate who their Data Controller is, if not the company, and to provide a contact. The regulation also requires you to disclose a reasonable retention period for keeping the citizen’s information. These items will need to be added to your Privacy Policy. More information can be found here: https://www.eugdpr.org/key-changes.html

Ascent strongly recommends that you get and stay PCI certified as a fundamental step in protecting your business. If you are not currently certified for PCI compliance, you are probably not ready for GDPR. Contact us – we can help! 

If you have any questions regarding your Privacy Policy or how GDPR affects you, please reach out to support@ascentpaymentsolutions.com.
