At a recent meeting of the UK Merchants' PCI Working Group I mentioned that there was some soft case law in the form of ICO enforcement action which helps to answer the question of whether PCI DSS is sufficient to meet GDPR’s requirement for organisations to implement “appropriate technical