PCI London 2018 was a truly transformative event for understanding how UK- and EU-based organizations are securing their payment card data and personal information. While the focus at the event was certainly on PCI (Payment Card Industry) compliance, and how to achieve PCI compliance for your organization, the burgeoning regulation that is front-of-mind for organizations worldwide is the GDPR (General Data Protection Regulation). How do GDPR and PCI DSS intertwine and affect each other? Will there be a data security standard for GDPR? Why are UK-based organizations slow to adopt cloud-based strategies? Why are POS (point-of-sale) system vendors and contact center solutions slow to evolve their security posture to meet the new regulations? Here are my four takeaways from the conference.
1. The GDPR (General Data Protection Regulation) is taking over.
Yes, really: the keynote topic at the PCI London conference was in fact GDPR. Organizations around the world that do business with EU citizens are hurriedly preparing for the regulation, but there is still a lot of confusion about how best to prepare. While the PCI DSS (Payment Card Industry Data Security Standard) is focused on securing payment card and cardholder data, the GDPR is focused on securing personal data and helping EU citizens maintain control over how their personal data is processed, shared, and stored. Unfortunately, the GDPR won’t have the kind of specific technical guidance the PCI DSS provides, so the best approach for meeting GDPR obligations is to rely on guidance where it currently exists. At this time, it’s wise to make sure you are in compliance with the PCI DSS: a PCI breach will also be a GDPR breach, since personal data is any data relating to an identified or identifiable natural person, and payment data is often linked to the cardholder’s personal data. Revealing EU-citizen data during a breach can cost you—a lot.
2. Will GDPR have a “Data Security Standard”?
Many security professionals are expecting (hoping) GDPR to have something similar to the PCI DSS to guide them. Despite what was said in the PCI London keynote, it is very unlikely there will be that level of specification. The GDPR is intentionally non-specific with regard to technical controls. Drafting the GDPR took years, and the feeling is that any specific technical requirements would likely have become irrelevant before they could be finalized. Individual EU countries may pass PCI DSS-like legislation related to GDPR, but there is no will or effort to impose such requirements at the EU level. Consequently, this is a perfect time to consider your other compliance obligations and their data protection requirements, particularly with respect to personal data.
3. UK organizations do not appear to be adopting cloud strategies as quickly as other regions.
I would consider the 10X Rule as a balance to this statement and point out that those who understand the concept and value of cloud platform services really get it and take action. Perhaps a more interesting perspective is that late adopters are pushing innovators to the front, while the majority are still lagging a little. While UK organizations have been slow to adopt cloud platform solutions, the GDPR will pressure them to secure personal data, so more and more will look to remove payment and personal data from their environments by way of cloud data security platforms. Some organizations are already pushing personal information out of their systems in response to the impending regulation and its deadlines. In particular, savvy organizations want to use a cloud platform with a mature pseudonymization solution, so that the data is protected while still being usable for business processes.
4. Are POS Systems and Contact Centers not evolving from a security standpoint?
There were an inordinate number of POS (point-of-sale) system and contact center vendors in learning sessions at the conference, striving to understand how to protect their environments in light of GDPR. To me this points to a problem: while data protection solutions exist for these use cases, they are either not being adopted or not being marketed in a way that catches the attention of the organizations that are subject to the regulation. Tokenization and cloud data vaulting remove sensitive data from contact centers, so that if the contact center is breached, only meaningless tokens are exposed. For POS systems, P2P encryption combined with tokenization and cloud data vaulting removes sensitive data at the point of entry and keeps it out of the retail business systems. In essence: no data, no theft.
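To make the "no data, no theft" point from this section, and the pseudonymization point from the previous one, concrete, here is an added example (not TokenEx code, and not from the conference). It uses a hypothetical in-memory `TokenVault` as a stand-in for an isolated cloud vault, constructed sample orders with well-known test card numbers, and keyed HMAC pseudonyms as one assumed way to pseudonymize e-mail addresses. It then "breaches" the retail/contact-center table and counts how many PANs or e-mails an attacker would find in the raw data versus the tokenized data.

```python
"""Tokenization + pseudonymization demo: what a breached business system reveals.
Added example; the vault, key handling and sample data are all constructed."""
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample orders. The PANs are standard test numbers, not real cards.
SAMPLE_ORDERS = [
    {"order_id": 1001, "pan": "4111111111111111", "email": "Alice@example.com", "amount": 42.50},
    {"order_id": 1002, "pan": "5555555555554444", "email": "bob@example.com", "amount": 9.99},
    {"order_id": 1003, "pan": "4111111111111111", "email": "alice@example.com", "amount": 120.00},
]

# A 13-19 digit run not glued to other word characters, or anything with an '@',
# counts as sensitive in the dumped table.
PAN_RE = re.compile(r"(?<!\w)\d{13,19}(?!\w)")
EMAIL_RE = re.compile(r"[^\s\"']+@[^\s\"']+")


class TokenVault:
    """Hypothetical stand-in for an isolated cloud vault: the only component that
    ever holds a PAN. Encryption at rest and access control are assumed to be the
    vault's job and are out of scope here."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        """Return a random, non-numeric token that keeps the last four digits so
        receipts and customer service still work without the PAN."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        while True:
            token = secrets.token_hex(6).upper() + "-" + pan[-4:]
            if token not in self._pan_by_token:  # collisions are negligible, but be safe
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the acquirer) maps a token back."""
        return self._pan_by_token[token]


def pseudonymize_email(email: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same customer links across orders,
    but the e-mail cannot be recovered or guessed without the key."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "cust_" + digest[:16]


def ingest_orders(orders, vault: TokenVault, pseudonym_key: bytes):
    """Build the rows the retail/contact-center database is allowed to keep."""
    rows = []
    for o in orders:
        rows.append({
            "order_id": o["order_id"],
            "card_token": vault.tokenize(o["pan"]),
            "customer_ref": pseudonymize_email(o["email"], pseudonym_key),
            "amount": o["amount"],
        })
    return rows


def count_sensitive_fields(rows) -> int:
    """Simulate an attacker dumping the table: how many PANs or e-mails appear?"""
    blob = json.dumps(rows)
    return len(PAN_RE.findall(blob)) + len(EMAIL_RE.findall(blob))


def demo():
    vault = TokenVault()
    key = secrets.token_bytes(32)  # held by the pseudonymization service, not the shop DB
    rows = ingest_orders(SAMPLE_ORDERS, vault, key)
    return {
        "raw_exposed": count_sensitive_fields(SAMPLE_ORDERS),        # 3 PANs + 3 e-mails
        "tokenized_exposed": count_sensitive_fields(rows),           # nothing usable
        "same_customer_linked": rows[0]["customer_ref"] == rows[2]["customer_ref"],
        "last_four_kept": rows[0]["card_token"].endswith("1111"),
        "vault_roundtrip": vault.detokenize(rows[1]["card_token"]) == "5555555555554444",
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that the business table keeps everything it needs to operate (order linkage, last four digits, a stable customer reference) while holding nothing an attacker can monetize; detokenization and the pseudonym key live only in the vault side, which is exactly the boundary that cloud data vaulting is meant to draw.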
TokenEx is the industry leader for data protection platforms. Our tokenization, encryption, and cloud data vaulting platform is securing organizations and reducing risk globally. Follow us on Twitter and LinkedIn.