Are You Prepared for 2018’s Two Biggest Compliance Regulations?
We all know we need to protect personal customer data — but what exactly constitutes personal data in a retail transaction? And even further, what does it mean to protect it? Two new compliance regulations aim to take a more stringent approach when it comes to safeguarding and storing that customer information. Is your company ready?
General Data Protection Regulation
More commonly called GDPR, this is a protocol adopted by the European Parliament set to go into effect this May that will require businesses to protect the personal information and privacy of EU citizens gained through transactions in EU member states. While it’s an EU-based initiative, the GDPR impacts any company that gathers and stores data about EU citizens, even if that company has no EU presence. What’s most interesting, however, is not just the geographical scope of the data protection standard but how personal data is defined within it.
GDPR requires companies to govern any data that could potentially personally identify consumers. GDPR protects people’s financial information and the cookies that give insight into their web activity. It even protects the IP address that shows where they are and what device they were connected to.
While the rules are a bit vague and the terms defining personal information might not be clear, from a business perspective, this is radical. The GDPR shows that the EU is ahead of the curve in recognizing the value of personal data in today’s digital economy. It doesn’t stop companies from gathering that data or force companies to pay for it. But it does indicate a sense of understanding that in some ways, our digital footprints are just like snowflakes. In the U.S., things like IP addresses and cell phone pings are already used to prosecute criminals. Imagine how that data could be abused by cybercriminals, especially during more targeted attacks.
Whether you’re already working on your GDPR plan or you’re hearing of it for the first time, don’t get so focused on the finish line that you fail to take a long-term view. Beyond the protocols themselves, consider who will be managing the GDPR compliance process, how often your security measures should be reviewed for effectiveness and how to incorporate these same protocols into your data files relating to U.S. customers.
Payment Card Industry Data Security Standard
We’ve been hearing about this one for a while, but the Payment Card Industry Data Security Standard (PCI DSS 3.2) finally took full effect Feb. 1, 2018. PCI DSS sets requirements for organizations to securely accept, store, process and send cardholder information during credit card transactions. It’s what sellers need to do to protect their buyers’ info when making credit card purchases. Every vendor, regardless of size, must be able to prove PCI DSS compliance.
Essentially, the latest PCI protocol seeks to eliminate some of the more antiquated security technology surrounding payment cards and replace them with stronger security alternatives such as multifactor authentication.
Think you already use multifactor authentication? Don’t be so sure. Many confuse multifactor with multistep authentication, but it’s actually quite different. In multistep authentication, users provide the correct security data, with each single piece of data being offered in sequential steps. In multifactor authentication, however, those data points are all collected at once. When a log in fails, the user will not be informed of which piece of data was right or wrong. This makes it more difficult for users to fish for each piece separately and immediately request a new password once they receive access to it. As in the case of GDPR, all pieces of data are equally important — not just the password itself.
Both GDPR and PCI DSS can feel daunting for relevant companies. But both are incredibly important to ensure the digital economy continues to grow securely. That is, at least until blockchain becomes more widespread — then, you may be able to forget that GDPR and PCI DSS ever happened.