At a recent meeting of the UK Merchants' PCI Working Group I mentioned that there was some soft case law in the form of ICO enforcement action which helps to answer the question of whether PCI DSS is sufficient to meet GDPR’s requirement for organisations to implement “appropriate technical and organisational measures” in respect of the security of cardholder data.
As PCI DSS and GDPR are probably my two specialist subjects, I’ve written a short paper that looks at the ICO’s historic enforcement action and which hopefully answers the appropriateness question.
Paper (PDF): GDPR and PCI DSS: What's appropriate?
The ICO's position
Although the paper looks at historical ICO regulatory action, the ICO has used PCI DSS as an example of industry-specific security requirements in the Security section of the ICO's guide to GDPR. Specifically, the ICO observed:
"If you are processing payment card data, you are obliged to comply with the Payment Card Industry Data Security Standard. The PCI-DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.
Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS requires particularly if the breach related to a lack of a particular control or process mandated by the standard."