A view on the upcoming EU GDPR and PCI DSS at the point of sale


Posted April 25, 2017, in PCI DSS

25th May 2018 – The day privacy changes for everyone

The EU GDPR (General Data Protection Regulation), which takes effect in all EU member states in May 2018, is a regulation for the protection of EU citizens' personally identifiable information and establishes the individual's "right to be forgotten", under which individuals can demand that any data held about them be erased. The GDPR applies to all organisations trading within the EU, so it covers not only EU organisations but also any organisation worldwide that does business within the EU.

PCI DSS is about protecting cardholder data, and since cardholder data is personally identifiable information there is a clear overlap with the GDPR for retailers; after May 2018 the consequences of failing compliance become even more severe.

The good news, however, is that if you are compliant with PCI DSS you have already come a long way towards meeting the new GDPR. When asked "how do I achieve GDPR compliance?", Jeremy King, International Director of the PCI SSC, replied: "Start with PCI DSS compliance." The EU GDPR states what must be achieved, whereas PCI DSS gives you the tools for achieving a large part of those requirements, especially Article 5 of the GDPR, which states: "Personal data must be processed in a manner that ensures appropriate security of the personal data."

Most retailers today are aware of the consequences of PCI DSS non-compliance after a breach of their cardholder data environment, whether it happens physically at the POS or via malware delivered over the internet. Failure to meet PCI DSS can result in fines of up to €395,000, but the EU GDPR goes even further, with penalties of up to 4% of annual global turnover or €20 million, whichever is greater, for large serious breaches, and up to 2% of annual global turnover or €10 million, whichever is greater, for lesser ones. The important point is that GDPR penalties come on top of any PCI DSS non-compliance fines imposed by the card issuers.

While compliance with PCI DSS Requirement 9.9 at the point of sale means you already have procedures in place for identifying and inspecting your payment terminal estate, it is strongly advisable to also follow the PCI SSC's and your terminal vendors' P2PE recommendations on how to further secure your terminals at the point of sale.

The P2PE manual includes guidance on how a merchant should physically secure deployed devices to prevent unauthorised removal or substitution, with examples of how devices can be physically secured. This follows the recommendation in the PCI SSC document "Skimming Prevention – Best Practices for Merchants", which reads: "Mount and secure the terminal and cables with locking stands, cable trays, and other securing mechanisms."

For further information:

Both documents, "Skimming Prevention – Best Practices for Merchants" and the terminal vendor's mandatory P2PE manual, can be found at the PCI SSC homepage:

