Retail PCI DSS and GDPR FAQ: Navigating Overlapping Compliance Obligations
UK retailers face overlapping compliance obligations under PCI DSS (for card payment security) and UK GDPR (for customer personal data protection). These standards share some requirements but also have distinct obligations that must each be addressed. This FAQ clarifies the most common questions about managing both.
UK retailers that combine their PCI DSS and GDPR compliance programmes reduce compliance overhead by an average of 35% compared to managing them separately.
PCI DSS and GDPR for Retailers: Frequently Asked Questions
Does PCI DSS compliance mean we are also GDPR compliant?
No. PCI DSS and GDPR address overlapping but distinct requirements. PCI DSS focuses specifically on the protection of cardholder data (card numbers, CVV codes, expiry dates). GDPR covers all personal data — including cardholder data, but also customer names, email addresses, purchase history, and delivery addresses. A retailer can be fully PCI DSS compliant but still have GDPR failures — for example, if they lack a lawful basis for their marketing emails, have not responded to subject access requests, or have inadequate data retention policies. Both programmes must be maintained independently.
How does the 72-hour GDPR breach notification requirement interact with PCI DSS incident response?
They run simultaneously. When a breach occurs, the 72-hour GDPR notification clock to the ICO starts when you become aware of a breach likely to result in risk to individuals — this is independent of any PCI DSS investigation. PCI DSS requires you to notify your acquiring bank immediately upon suspecting a cardholder data compromise; the acquirer will then engage a PCI Forensic Investigator (PFI). You may need to notify the ICO based on incomplete information while the PFI investigation is ongoing — the ICO expects prompt notification based on what you know at the time, with updates as the investigation progresses.
Do we need to store card data, and if not, what is the GDPR implication?
You almost certainly do not need to store card data in your own systems. Payment tokenisation allows you to process repeat transactions (subscriptions, saved cards) without storing actual card numbers — a token issued by your payment provider is stored instead, and on its own it cannot be used to recover the card number, so it has no value to attackers. Not storing card data removes it from your PCI DSS scope and removes the most sensitive category of data from your GDPR data inventory. This is both the right security approach and the right compliance approach — minimising data retention is a GDPR requirement, not just a PCI DSS strategy.
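Added example, not part of the original FAQ or any payment provider's code: a minimal Python model of the tokenisation flow described above. TokenVault stands in for the payment provider, the retailer keeps only a random token and the last four digits, a Luhn-based scan confirms the retailer's record contains nothing that looks like a card number, and a repeat charge is made with the token alone. The card number is a constructed sample test PAN.

```python
import re
import uuid

# Constructed sample card number for the demo (a standard test PAN, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a plausible card number from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the payment provider's vault: the only place the PAN is stored."""

    def __init__(self) -> None:
        self._store = {}

    def tokenise(self, pan: str) -> str:
        # The token is a random UUID, not derived from the PAN, so it cannot be
        # reversed, and it is useless outside this provider's own charge endpoint.
        token = "tok_" + str(uuid.uuid4())
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        # Repeat transaction: the provider resolves the token internally and the
        # retailer never handles the card number again.
        return token in self._store and amount_pence > 0


def save_customer_card(vault: TokenVault, pan: str) -> dict:
    """The retailer's record: token plus last four digits for display, never the PAN."""
    return {"token": vault.tokenise(pan), "last4": pan[-4:]}


PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(record: dict) -> bool:
    """Scope check: flag a record if any field holds something that looks like a PAN."""
    return any(
        luhn_valid(m) for v in record.values() for m in PAN_PATTERN.findall(str(v))
    )
```

Running contains_pan over exported database rows is a cheap way to confirm that PANs really have left your own storage before claiming them out of scope.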
Can we share customer purchase history with third-party marketing platforms under GDPR?
Only with a valid lawful basis. The ICO's position is that sharing customer purchase history with third-party data brokers or advertising platforms for targeting purposes requires either explicit consent (specifically for that purpose) or a carefully assessed legitimate interests basis. The ICO has taken enforcement action against retailers for sharing loyalty programme data with third parties without adequate disclosure or consent. Before integrating your retail data with third-party marketing platforms, conduct a data protection impact assessment (DPIA) and assess whether your privacy notice adequately discloses this use of customer data.
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.