Learn the important differences between the two security standards.

Jonas De Oliveira
If you are a merchant and already deal with PCI compliance, you’ve probably heard about the recently implemented EU mandate: General Data Protection Regulation (GDPR). You may be wondering: Does the GDPR apply to me if I only take credit cards? If I comply with PCI DSS, does that make me GDPR compliant? Do GDPR and PCI DSS do the same thing?

Remember that the GDPR applies to any organization that processes or holds the personal data of persons residing in the European Union, whether or not the organization itself is located in the EU. It applies to data processors and controllers.

PCI, GDPR, PCI complianceLearn about data processors and controllers in our GDPR blog series: Part 1, Part 2, Part 3.

The PCI Data Security Standard (DSS) applies to organizations that handle credit cards from the major card brands. Both are mandates that contain best practices for securing personal data and protecting the privacy of individuals.

Here are some of the main differences between PCI DSS and GDPR:

1. Scope of relevant data

First, one of the most important aspects to understand about PCI and GDPR is scope. Because GDPR encompasses all personally identifiable data (PII) of persons in the EU, its scope is much, much larger than the PCI DSS. Compared to GDPR, the PCI DSS applies to a very small subset of data: cardholder data. Cardholder data--while still considered PII--is a small portion of all the personal data covered by the GDPR.

So, if all you take is credit cards, but some of those credit cards are of EU citizens, then yes—the GDPR applies to you. With all the types and subsets of EU citizen personal data, it’s likely that your business may store, transmit, or process some GDPR-relevant data.

Follow for more data security articles like this

The graph below illustrates the difference between the PCI DSS scope and the GDPR scope.

2. The processes covered by PCI DSS and GDPR

The PCI DSS is intended to prevent merchant data breaches and protect cardholders, customers, and the payment ecosystem. To do so, it is used to regulate the storage, processing, and transmission of cardholder data.

Compare that to the GDPR, which aims to protect individual data subject rights by regulating the processing of personally identifiable information in a much broader sense, not just the actual charging of a payment card. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,” article 4, paragraph 2.

Where PCI DSS is concerned with a few major data elements, GDPR is concerned with any non-personal use of personal information.


3. Security vs. Privacy

At the heart of GDPR is the duty to protect the privacy of data subjects by preventing misuse, theft, or unlawful disclosure of their sensitive personal data. GDPR puts the individual in charge of their own data and grants them specific, legal rights to protect and control it. GDPR requires that organizations provide persons in the EU the means to exercise those rights.

At the heart of the PCI DSS is a duty to protect cardholder data from hackers and cybercriminals and keep the entire payments ecosystem safe. This data security standard, first put forth by major card brands in 2006, is concerned with the day-to-day practices of data security: firewall management, encryption, anti-virus, and the like.

The following table outlines more of the important differences between GDPR and PCI:


If you have questions about GDPR, PCI compliance, HIPAA, or general data security, please contact us here.

Jonas De Oliveira is a Security Analyst for SecurityMetrics. He holds CISSP, QSA, CPA and CISA certifications. Jonas has over 12 years’ experience in the data security industry. In addition to assessing companies’ level of PCI compliance, Jonas has been integral in assisting clients prepare to demonstrate GDPR compliance. He graduated with a master’s from University of Utah in accounting with an emphasis in information systems.