Category Archives: GDPR

GDPR and PCI DSS: appropriate bedfellows?

At a recent meeting of the UK Merchant PCI Working Group I mentioned that there was some soft case law in the form of ICO enforcement action which helps to answer the question of whether PCI DSS is sufficient to meet GDPR’s requirement for organisations to implement “appropriate technical and organisational measures” in respect of the security of cardholder data.

As PCI DSS and GDPR are probably my two specialist subjects, I’ve written a short paper that looks at the ICO’s historic enforcement action and which hopefully answers the appropriateness question.

Paper (PDF): GDPR and PCI DSS: What’s appropriate?