By Jason Wittick • July 18, 2018

Accelerate GDPR and PIPEDA Compliance via PCI

Data security challenges and threat vectors vary according to business or industry context, but all data security standards and governing legislation have one thing in common: they are all, fundamentally, mechanisms or strategies for protecting specific data within a particular environment.

Be it payment or cardholder data (CHD), private healthcare information (PHI), or some other form of personally identifiable information (PII), every industry has a unique data security perspective from which focused, specific administrative controls and best practices are designed and continuously refined.

As they develop and evolve, best practices become minimum requirements until a security standard emerges to enforce those requirements and ensure data is consistently, predictably protected. Once they have been adopted and become mandatory, organizations must demonstrate compliance with applicable security standards and legislation through formal assessments at a tangible, intimidating cost.

Some view the cost of compliance as excessive or even prohibitive, but that's a short-sighted and typically fleeting perspective when compared to the alternative. Although an assessment does carry a substantial price tag, non-compliance is a potentially far more costly gamble considering the risk of accumulating, punitive fines that are levied after a lack of diligence leads to a system breach or data theft incident. The combined cost of a damaged reputation, mitigation efforts, paying fines or penalties, and then (assuming the organization has not already gone out of business) working through an assessment after the fact would dwarf the original ‘prohibitive’ cost of proactive compliance in the first place.

Payment Card Industry (PCI) security standards govern data protection for payments and payment credentials, while both the General Data Protection Regulation (GDPR) and the Personal Information Portability and Electronic Documents Act (PIPEDA) define liability and specific expectations for protecting data in an organization’s custody, for anyone living in the European Union or Canada, respectively.

Achieving compliance with GDPR, PIPEDA, or PCI is like reaching a destination, but of the three, only PCI includes a roadmap that leads directly to formal compliance through a linear, finite, and predictable process. When organizations are left wondering where to begin their compliance journey, an initial assessment against PCI standards, or at the very least a review of the provisions and guidance within the PCI DSS, is a good place to start.

GDPR and PIPEDA are similar to PCI in spirit, but neither describes how to actually implement the defined protection requirements or satisfy the prescribed security expectations in the real world. PCI is more than a complex list of stringent requirements and expectations. It also defines a formal, objective method through which organizations can demonstrate and ultimately prove that sensitive data for card-based payments and payment credentials is handled securely.

Data is data, whether it’s CHD, PII, or PHI, and even though PCI is focused on payment data and credentials, a substantial portion of PCI requirements are based on proven best practices that would be just as effective for protecting any other data type. While daunting, a PCI assessment truly is an optimal introduction to compliance, and the best, easiest means of establishing a sound data-security posture that can be adapted to meet, or even exceed, GDPR and/or PIPEDA obligations.

So, how do organizations avoid risking noncompliance while reducing and minimizing the total cost and complexity of a PCI assessment? One popular strategy is to outsource responsibility for a portion of assessment requirements to an already compliant, external scope-reduction product or service. Many such tools are available to choose from, but DataStealth stands alone.

After deployment, a DataStealth-protected network no longer stores, processes, or transmits PCI data, which removes it from PCI assessment scope. Reduced scope translates into direct, significant cost savings, and if a system protected by DataStealth were ever breached, the sensitive data would already have been de-identified, so nothing of value would be available to steal ... and intruders cannot steal what is not there.

Achieving formal compliance indicates an organization’s commitment to security and data protection expectations. When PCI requirements have been satisfied (regardless of outsourcing or scope reduction), the applicable data environments are thoroughly hardened, meaning subsequent compliance with GDPR and/or PIPEDA legislation should only require consideration of, and provisions for, data custodianship, ownership, and accessibility.

DataStealth can be configured to protect all forms of information, making common data-type, environment, or industry-specific issues and roadblocks essentially irrelevant. DataStealth technologies focus on the data they protect, not the information contained within that data, which makes DataStealth a truly standards-agnostic solution.
