Chapter 6 of 8
PCI DSS, Privacy, and Cybersecurity Law: How They Interact
Examines how PCI DSS intersects with privacy and cybersecurity laws (such as GDPR-style regimes and state privacy/cybersecurity laws in the U.S.) and what this means for ICT company compliance programs and contracts.
1. Big Picture: PCI DSS vs. Privacy & Cybersecurity Laws
PCI DSS is a contractual/industry standard for protecting payment card data (cardholder data and sensitive authentication data). It is maintained by the PCI Security Standards Council (PCI SSC), not by governments.
Privacy and cybersecurity laws are statutory or regulatory obligations created by governments. In 2026, key regimes include:
- EU/EEA & UK: GDPR-style data protection laws (EU GDPR, UK GDPR, ePrivacy rules, NIS2 for critical sectors, etc.)
- U.S.: State privacy laws (e.g., California’s CCPA/CPRA, Virginia VCDPA, Colorado, Connecticut, Utah, etc.), sectoral laws (GLBA for financial institutions, HIPAA for health), and state data security laws (e.g., New York SHIELD Act, Massachusetts 201 CMR 17.00).
- Other jurisdictions: Brazil LGPD, Canada PIPEDA and provincial laws, South Africa POPIA, etc.
Core idea of this module:
> PCI DSS can support legal compliance (especially for security), but it does not replace privacy and cybersecurity law obligations.
You will learn to:
- See where PCI DSS and law overlap (e.g., encryption, access control).
- Spot gaps where PCI DSS is not enough (e.g., data subject rights, lawful basis, DPIAs).
- Align PCI DSS programs with a broader privacy and cybersecurity governance framework and contracts.
2. PCI DSS Scope vs. Legal Scope
To understand interactions, you need to compare what PCI covers vs. what privacy/cybersecurity law covers.
PCI DSS Scope (v4.0, effective from 2024, with full enforcement after March 2025)
PCI DSS applies to cardholder data environments (CDEs) that store, process, or transmit:
- Primary Account Number (PAN) and related cardholder data (name, expiry, service code)
- Sensitive Authentication Data (SAD), e.g., full track data, PINs, CVV2 – with very strict handling rules
It focuses on:
- Network security, encryption, access control, logging, vulnerability management
- Secure software development and configuration
- Monitoring, incident response, and governance
Privacy & Cybersecurity Law Scope
GDPR-style laws (EU/UK, Brazil, etc.) apply to personal data broadly: any information relating to an identified/identifiable person (name, email, IP address, cookie IDs, etc.).
U.S. state privacy laws typically cover personal information or personal data, often with:
- Exemptions (e.g., for GLBA-regulated data, some employment data)
- Special rules for sensitive data (e.g., precise geolocation, biometrics)
Cybersecurity/data security laws (e.g., NY SHIELD Act, Massachusetts data security regulation) require “reasonable security” for certain categories of personal information (often including payment card data when linked to names).
Key contrast
- PCI DSS: Limited to card data and systems that touch it.
- Privacy/cybersecurity laws: Cover all personal data and sometimes all information systems.
So, a company might be PCI compliant for its CDE but non-compliant with privacy law for:
- Marketing databases
- HR systems
- Analytics and tracking
This is why PCI DSS is only one piece of a complete compliance program.
3. Example: Same System, Different Legal Lenses
Imagine a SaaS provider that offers an online platform to merchants.
The platform:
- Stores payment card data for recurring subscriptions.
- Stores customer profiles (name, address, email, order history).
- Uses tracking tools for analytics and targeted emails.
From a PCI DSS perspective:
- Focus is on the cardholder data environment (CDE):
  - Segmenting CDE from the rest of the network.
  - Encrypting PAN at rest and in transit.
  - Strong access controls and MFA for admin access.
  - Regular vulnerability scanning and penetration testing.
From a privacy law perspective (e.g., GDPR/CCPA-style):
- Entire platform is in scope because it processes personal data.
- Additional requirements beyond PCI:
  - Lawful basis for processing (e.g., contract, consent, legitimate interests).
  - Transparency: privacy notice describing purposes, sharing, retention.
  - Data subject rights: access, deletion, correction, portability.
  - Data minimization: only collect what is necessary.
  - Purpose limitation: no using card data for unrelated profiling.
  - Cross-border transfer rules (e.g., SCCs for EU→US transfers).
Takeaway: The same technical controls (encryption, access logs) may help with both PCI and legal compliance, but legal obligations go further into governance, rights, and purpose questions.
4. Overlaps: PCI DSS Controls vs. “Reasonable Security”
Many privacy and cybersecurity laws require organizations to implement appropriate or reasonable security. Courts, regulators, and enforcement agencies often look at industry standards as evidence of what is reasonable.
Common overlapping areas:
- Encryption
- PCI DSS: Requires strong encryption for PAN in transit and, in many contexts, at rest.
- Laws: Often expect encryption for sensitive personal data, especially for breach safe harbors (e.g., some U.S. breach notification laws treat encrypted data differently).
- Access Controls & Authentication
- PCI DSS: Unique IDs, least privilege, MFA for admins and remote access.
- Laws: Expect access controls as part of reasonable security (explicitly mentioned in many U.S. state security statutes and in regulatory guidance under GDPR-style laws).
- Logging & Monitoring
- PCI DSS: Detailed logging of user activities, system events, and security events, with log review.
- Laws: Often require monitoring and detection of incidents as part of an information security program.
- Secure Development & Change Management
- PCI DSS: Secure SDLC, code reviews, vulnerability remediation.
- Laws: GDPR’s “security of processing” and many regulators’ guidance expect secure development practices.
- Incident Response
- PCI DSS: Requires incident response plan and testing.
- Laws: Require breach notification and expect organizations to detect, contain, and investigate incidents.
How this helps you in practice:
- You can present PCI DSS controls as evidence of due care when regulators or courts assess whether your security was reasonable.
- But you must still check whether additional controls are required by specific laws or regulator guidance (e.g., specific rules for children’s data, biometric data, or critical infrastructure under NIS2).
5. Thought Exercise: Where PCI DSS Falls Short of Privacy Law
Read the scenario and identify at least three privacy/legal requirements that are not fully covered by PCI DSS.
Scenario
You are advising a cloud-based point-of-sale (POS) vendor. They:
- Are PCI DSS v4.0 compliant for their CDE.
- Operate globally, including EU, UK, U.S., and Brazil.
- Store: card data, customer names and emails, loyalty points, and marketing preferences.
- Share data with:
  - Email marketing provider (for campaigns)
  - Analytics provider (for usage tracking)
  - Customer’s accounting system (for invoices)
Task
- List three obligations under GDPR-style or U.S. state privacy laws that PCI DSS does not fully address.
- For each, note whether it is mostly about:
  - Governance/Documentation
  - Individual rights
  - Data transfers
  - Something else
Space for your notes (mentally or on paper):
- Obligation 1: …
- Obligation 2: …
- Obligation 3: …
After thinking, compare with this checklist:
- Lawful basis and transparency (privacy notices)
- Data subject rights handling (access, deletion, portability)
- Data protection impact assessments (DPIAs) for high-risk processing
- Cross-border data transfer mechanisms (e.g., EU→US transfers)
- Detailed records of processing activities
- Cookies/online tracking consent (ePrivacy/CPRA rules)
If your list overlaps with these, you are correctly seeing PCI’s limits.
6. Data Minimization, Purpose Limitation, and Retention in a PCI Context
Privacy laws emphasize data minimization, purpose limitation, and storage limitation (retention).
How PCI DSS interacts with these principles
- Data Minimization
  - PCI DSS encourages reducing the amount of card data stored to reduce scope and risk.
  - Privacy laws extend this to all personal data, not just card data.
  - Practical alignment:
    - Use tokenization to avoid storing PAN when not strictly needed.
    - Avoid collecting unnecessary personal data during checkout (e.g., no date of birth if not needed).
- Purpose Limitation
  - PCI DSS focuses on security of card data; it does not regulate why you collect it.
  - GDPR-style laws require that data be collected for specified, explicit, legitimate purposes and not used for incompatible new purposes.
  - Example: Using card transaction data to build detailed behavioral profiles for unrelated advertising may conflict with purpose limitation unless properly justified and disclosed.
- Retention / Storage Limitation
  - PCI DSS: Strongly discourages long-term storage of sensitive authentication data and recommends limiting retention of cardholder data.
  - Privacy laws: Require that all personal data be kept no longer than necessary for the purposes.
  - Practical step: Define retention schedules that:
    - Distinguish between card data, transaction records, and marketing data.
    - Consider legal retention needs (e.g., tax, accounting) vs. business convenience.
Key point:
PCI DSS gives you a security-focused reason to minimize card data. Privacy law requires you to systematically minimize, justify, and time-limit all personal data, including, but not limited to, cardholder data.
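As an added illustration (not part of this module), the following Python script encodes the retention-schedule and minimization points above as an automated inventory review: it flags stored sensitive authentication data, raw (untokenized) PAN, purpose drift, and records kept past their schedule. The categories, purposes, and retention periods are assumptions chosen for the example, not legal advice for any jurisdiction.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule for the POS/SaaS scenario in this module.
# category -> (declared purpose, basis for the period, max days stored; None = never store)
# The periods are assumptions for illustration, not legal advice for any jurisdiction.
SCHEDULE = {
    "sensitive_auth_data": ("authorization", "PCI DSS: not retained after auth", None),
    "pan": ("recurring billing", "business need; tokenized only", 365),
    "transaction_record": ("tax and accounting", "legal retention, assumed 7 years", 7 * 365),
    "marketing_prefs": ("email campaigns", "business convenience, assumed 2 years", 2 * 365),
}

@dataclass(frozen=True)
class StoredItem:
    record_id: str
    category: str
    form: str          # "raw" or "token"
    stored_on: date
    used_for: str      # purpose the data is actually used for

def review_inventory(items, today):
    """Return (record_id, finding) pairs for minimization, purpose or retention problems."""
    findings = []
    for item in items:
        rule = SCHEDULE.get(item.category)
        if rule is None:
            findings.append((item.record_id, "uncategorized: no purpose or retention defined"))
            continue
        purpose, _basis, max_days = rule
        if max_days is None:
            findings.append((item.record_id, f"{item.category} must not be stored after authorization"))
            continue
        if item.category == "pan" and item.form == "raw":
            findings.append((item.record_id, "raw PAN stored; tokenize to shrink CDE scope"))
        if item.used_for != purpose:
            findings.append((item.record_id, f"purpose drift: collected for '{purpose}', used for '{item.used_for}'"))
        age = (today - item.stored_on).days
        if age > max_days:
            findings.append((item.record_id, f"retained {age} days, schedule allows {max_days}"))
    return findings

# Constructed sample inventory (not real data)
SAMPLE = [
    StoredItem("txn-1", "sensitive_auth_data", "raw", date(2026, 1, 10), "authorization"),
    StoredItem("sub-7", "pan", "token", date(2025, 6, 1), "recurring billing"),
    StoredItem("sub-8", "pan", "raw", date(2025, 6, 1), "recurring billing"),
    StoredItem("inv-3", "transaction_record", "raw", date(2018, 1, 1), "tax and accounting"),
    StoredItem("mkt-2", "marketing_prefs", "raw", date(2025, 9, 1), "behavioral profiling"),
]

def review_sample(today=date(2026, 1, 15)):
    """Run the review over the constructed sample as of a fixed reference date."""
    return review_inventory(SAMPLE, today)
```

Running `review_sample()` flags four of the five records; only the tokenized, in-period PAN record passes, which is the posture both PCI DSS scoping and privacy-law minimization aim for.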
7. Cross-Border Data Transfers and Global Cloud Infrastructure
Modern ICT companies often use global cloud providers (AWS, Azure, GCP, regional clouds) and distributed service providers.
PCI DSS view
PCI DSS cares about:
- Whether the service provider is PCI compliant for the services in scope.
- How data is protected (encryption, access control, segmentation), regardless of geography.
It does not:
- Decide which countries you may transfer data to.
- Provide legal mechanisms for international data transfers.
Privacy law view (especially GDPR-style regimes)
Cross-border transfers are tightly regulated:
- EU/EEA & UK:
  - Transfers of personal data to non-adequate countries (e.g., many EU→US transfers) require tools like Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs).
  - Additional safeguards may be needed (technical, contractual, organizational).
- Other regions (e.g., Brazil LGPD, South Africa POPIA) also have rules on international transfers and may require adequacy-like decisions or contractual clauses.
Practical implications for PCI-focused environments
When your CDE or logs are hosted globally:
- Ensure data maps show where cardholder data and related personal data actually reside.
- For EU/UK data subjects, ensure you have:
  - A transfer mechanism (e.g., SCCs) with your cloud provider and sub-processors.
  - A TIA documenting risk assessment for transfers.
- Reflect this in contracts:
  - Data Processing Agreements (DPAs) with SCCs attached where needed.
  - Clear roles (controller/processor) and sub-processor approval mechanisms.
Bottom line:
PCI compliance with a global cloud provider does not automatically satisfy cross-border transfer rules. You must layer privacy transfer requirements on top of PCI controls.
8. Aligning PCI DSS with Privacy & Security Governance: Mini-Workshop
Imagine you are designing a compliance program for a mid-sized SaaS company that:
- Is a PCI DSS Level 2 merchant/service provider.
- Processes EU, UK, and U.S. customer data.
- Uses a U.S.-based cloud provider with global data centers.
Task:
- Map overlaps – list at least three PCI DSS controls that can support legal compliance (hint: think encryption, MFA, logging, incident response).
- Identify gaps – list at least three legal requirements you must add on top of PCI DSS (hint: rights, lawful basis, transfers, DPIAs).
- Governance alignment – think about where to document these:
  - Information Security Policy
  - Data Protection/Privacy Policy
  - Records of Processing Activities (ROPA)
  - Incident Response/Breach Notification Playbook
Write a short outline (mentally or on paper):
- Overlap controls:
  1. …
  2. …
  3. …
- Extra legal requirements:
  1. …
  2. …
  3. …
- Documents to update:
  1. …
  2. …
  3. …
If you can clearly separate technical controls (PCI-heavy) from legal/governance requirements, you are thinking like someone who can bridge security and privacy law in real organizations.
9. Quiz: Using PCI DSS as Evidence vs. Over-Relying on It
Answer the question to check your understanding of how PCI DSS interacts with legal obligations.
Which statement best captures the relationship between PCI DSS and privacy/cybersecurity law in 2026?
- A) If a company is PCI DSS compliant, it is automatically compliant with GDPR-style and U.S. state privacy laws for all personal data it processes.
- B) PCI DSS can be strong evidence that a company implemented reasonable security for card data, but it does not by itself satisfy broader privacy and cybersecurity law obligations.
- C) PCI DSS only matters for banks, so merchants and SaaS providers can ignore it if they focus on GDPR compliance.
Answer: B) PCI DSS can be strong evidence that a company implemented reasonable security for card data, but it does not by itself satisfy broader privacy and cybersecurity law obligations.
PCI DSS focuses on **cardholder data security** and is an industry standard, not a law. Regulators and courts may view PCI compliance as **evidence of reasonable security**, especially for card data, but privacy and cybersecurity laws (GDPR-style, U.S. state laws, etc.) impose **additional obligations** about lawful basis, data subject rights, cross-border transfers, and broader personal data beyond card data. Therefore, PCI DSS complements but does not replace legal compliance.
10. Key Term Review
Use these flashcards to reinforce core concepts linking PCI DSS, privacy, and cybersecurity law.
- PCI DSS
- Payment Card Industry Data Security Standard: an industry standard (not a law) that defines technical and organizational controls for protecting cardholder data and sensitive authentication data.
- Reasonable Security
- A legal standard used in many privacy and cybersecurity laws to describe the level of security measures organizations must implement. Industry standards like PCI DSS are often used as evidence of what is 'reasonable' in a given context.
- Data Minimization
- A privacy principle requiring organizations to collect and retain only the personal data that is necessary for specified purposes. In PCI, this often appears as reducing stored card data and using tokenization.
- Purpose Limitation
- A principle in GDPR-style laws requiring personal data to be collected for specific, explicit, legitimate purposes and not further processed in ways incompatible with those purposes.
- Cardholder Data Environment (CDE)
- The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, and the systems connected to them, which are in scope for PCI DSS.
- Cross-Border Data Transfer
- The movement of personal data from one country to another. Under GDPR-style laws, transfers to certain countries (e.g., EU→US) require specific legal mechanisms such as Standard Contractual Clauses and risk assessments.
- Evidence of Due Care
- Documentation and practices (such as PCI DSS compliance reports, security policies, and audits) that show an organization took reasonable steps to protect data, relevant in regulatory investigations and litigation.
Key Terms
- PCI DSS
- Payment Card Industry Data Security Standard, an industry standard that defines security requirements for cardholder data and sensitive authentication data.
- Data Minimization
- A principle that organizations should collect and retain only the personal data necessary for clearly defined purposes.
- GDPR-style regimes
- Data protection laws modeled on the EU General Data Protection Regulation (GDPR), including the EU GDPR, UK GDPR, Brazil’s LGPD, and similar frameworks in other jurisdictions.
- Purpose Limitation
- A privacy principle requiring that data be collected for specific, explicit, legitimate purposes and not used in ways incompatible with those purposes.
- Reasonable Security
- A legal standard requiring organizations to implement security measures appropriate to the sensitivity of data and the risk, often interpreted with reference to industry standards and regulator guidance.
- Evidence of Due Care
- Proof that an organization took appropriate and reasonable steps to protect data, which can include compliance certifications, policies, logs, and audit reports.
- Cross-Border Data Transfer
- The transfer of personal data from one country to another, often subject to additional legal requirements under data protection laws.
- Storage Limitation (Retention)
- A principle requiring personal data to be kept in identifiable form no longer than necessary for the purposes for which it was collected.
- Cardholder Data Environment (CDE)
- The systems, people, and processes that store, process, or transmit cardholder data or sensitive authentication data, and the systems connected to them, which are in scope for PCI DSS.
- Sensitive Authentication Data (SAD)
- Highly sensitive payment card data such as full track data, PINs, and CVV2/CVC2 codes, subject to strict PCI DSS handling rules.