
GDPR and PCI DSS: Differences, Overlaps and Cumulative Obligations

February 5, 2025 6 min read PCI Proxy EU

The overlap between GDPR and PCI DSS is one of the most misunderstood aspects of digital payments management in Europe. Many businesses believe that complying with one of the two frameworks exhausts their card data obligations. This is incorrect: the two frameworks have different purposes, partially overlap, and in the event of a data breach can generate parallel penalties. Understanding the differences is the first step to building a solid compliance strategy.

GDPR and PCI DSS: two different frameworks, not alternatives

GDPR is a European regulation with the force of law that protects individuals' personal data. PCI DSS is a contractual standard defined by payment networks (Visa, Mastercard, Amex) that protects card data during transactions. GDPR applies to any company processing personal data of individuals in the EU. PCI DSS applies to anyone who stores, transmits or processes payment card data, regardless of location.

The fundamental difference concerns the nature of the obligation: GDPR imposes legal requirements with direct administrative penalties. PCI DSS creates contractual obligations between merchants, acquirers and payment networks. Violating GDPR exposes a company to proceedings from the supervisory authority. Failing to comply with PCI DSS leads to commercial penalties, revocation of the ability to accept cards, and remediation costs imposed by the acquirer. Neither framework replaces the other.

Where they overlap: card data between GDPR and PCI DSS

Card data almost always contains personal data: the cardholder's name, the account number (PAN), and sometimes the billing address. These elements fall within the GDPR's definition of personal data, so the same set of data is subject to both frameworks. GDPR requires a legal basis for processing, data minimisation and data subject rights. PCI DSS requires encryption, access control, network segmentation and continuous monitoring of the CDE (Cardholder Data Environment).

Some technical measures satisfy both frameworks. Tokenization, for example, reduces the number of card data records within the company's perimeter, lowering both PCI risk and GDPR exposure in the event of a breach. Encryption at rest and in transit is required by PCI DSS but is also a recommended GDPR measure to reduce risk to data subjects. Not all measures overlap: data subject rights (access, erasure, portability) have no equivalent in PCI DSS, and conversely PCI DSS network segmentation requirements go beyond what privacy law requires.

Data breach: notifications and cumulative penalties

A breach involving card data triggers parallel obligations under both frameworks. GDPR requires notification to the supervisory authority within 72 hours of discovery, if the breach presents a risk to the rights of natural persons. If the risk is high, affected individuals must also be notified directly. PCI DSS requires immediate notification to the acquirer and card network brands, which initiate their own incident response procedures with mandatory forensic investigation at the merchant's expense.

Penalties do not cancel each other out. The supervisory authority can impose penalties of up to 4% of global annual turnover for serious GDPR violations. In parallel, the acquirer can impose contractual penalties for PCI DSS non-compliance ranging from €5,000 to €100,000 per month, in addition to remediation programme costs and potential losses from fraudulent chargebacks. A single incident can therefore generate a double financial exposure that companies often underestimate when assessing risk.

Frequently asked questions

Does GDPR cover card data instead of PCI DSS?

No. GDPR protects personal data in general, including the personal data contained in card data. PCI DSS specifically addresses the security of payment data during transaction processing. The two frameworks apply cumulatively: satisfying GDPR does not exempt a company from PCI DSS, and vice versa. A merchant accepting cards must comply with both.

If I am GDPR compliant, am I also PCI DSS compliant?

Not necessarily. The two frameworks share some technical measures (encryption, access control, data minimisation), but have specific requirements that do not overlap. PCI DSS requires, for example, quarterly vulnerability scanning, CDE network segmentation and annual penetration testing. None of these obligations is explicitly required by GDPR.

Do GDPR and PCI DSS penalties add up?

In the event of a data breach involving card data, yes. GDPR penalties are applied by the supervisory authority and are administrative in nature. PCI DSS penalties are applied by the acquirer contractually. There is no offsetting mechanism between them: a company can receive penalties on both fronts for the same incident, in addition to forensic investigation costs, the cost of notifying affected individuals, and potential compensation claims.

Managing GDPR and PCI DSS with a single tokenization infrastructure reduces the exposure perimeter on both fronts.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.