#CSE18: Combining PCI into a GDPR Program

Speaking at Cloud Security Expo 2018 this week Rehan Zaidi, business information security officer at John Lewis, presented a session on how to draw synergies between existing payment card industry (PCI) standards and the forthcoming GDPR to deliver a more holistic information security privacy framework.

Zaidi said that there are five ‘Ws’ that surround GDPR, which are: what, when, why, where and how – but the most challenging to approach is the last: the how.

“We decided early on that we would try to utilize synergies that we had developed in terms of delivering PCI and cybersecurity policies across John Lewis to put us on a strong footing for GDPR,” he added.

Zaidi said that by applying the following synergies to its GDPR preparedness, John Lewis was able to achieve several compliance benefits:

  • Payment card data is personal data
  • Combining the prioritized approach for personal data
  • Identifying payment card data in the privacy by design requirement of GDPR
  • Data recovery and gap analysis combining all data needs in a questionnaire, interviews or tools
  • Delivering the requirements through information security frameworks and policies
  • Building on and incorporating training and awareness programs
  • Logging and auditing system alignment
  • Maintaining information security policy

“Security and privacy is everybody’s responsibility within an organization,” Zaidi concluded, “and the aim is to achieve an overarching data security and privacy framework that subsumes your GDPR and PCI DSS programs within it.”