Regulations & GDPR

PCI DSS and GDPR: They Are Not the Same Thing and You Can Violate Both

February 18, 2025 6 min read PCI Proxy EU

The overlap between GDPR and PCI DSS confuses many businesses that accept card payments. The belief that the two frameworks are equivalent, or that satisfying one implies satisfying the other, is wrong and potentially costly. GDPR and PCI DSS arise from different contexts, regulate different aspects of the same data and, in the event of a violation, activate separate penalty mechanisms that add up. Understanding the concrete differences is essential to building a compliance strategy that leaves no front exposed.


GDPR vs PCI DSS: different objectives, different obligations

GDPR is a European regulation with direct legal force in all Member States. Its objective is to protect the fundamental rights of natural persons in relation to the processing of their personal data, and it applies to any organisation processing the data of natural persons in the EU, regardless of sector. PCI DSS is instead a technical standard published by the PCI Security Standards Council, which was founded by the major card brands; it is enforced contractually, through the agreements that merchants and service providers sign with their acquirers and the card brands, not by law. Its objective is to protect cardholder data throughout the payment life cycle and to reduce fraud. It applies to any party that stores, processes or transmits cardholder data of the participating brands.

The concrete obligations are different. GDPR requires a legal basis for each processing activity, a response to data subjects' rights (access, erasure, portability), appointment of a DPO in certain cases, maintenance of the record of processing activities, and notification of a breach to the supervisory authority within 72 hours of becoming aware of it. PCI DSS requires stored PANs to be rendered unreadable (strong encryption, truncation, tokenization or one-way hashing), encryption of cardholder data in transit over open public networks, segmentation of the cardholder data environment (CDE) from the rest of the network, quarterly vulnerability scans (external scans by an Approved Scanning Vendor), penetration testing at least annually and after significant changes, MFA for administrative access and for all access into the CDE, and audit logs that are retained and reviewed. Some measures overlap (encryption, access control), but most are specific to one standard.

Card data under both frameworks

Payment card data almost always contains personal data: the cardholder's name, the primary account number (PAN), the expiry date and sometimes the billing address. The same data set is therefore regulated simultaneously by GDPR (as personal data) and by PCI DSS (as cardholder data), and processing it requires compliance with both. A GDPR legal basis for storing card data does not exempt you from the PCI DSS obligation to render the stored PAN unreadable and to protect it with the technical controls the standard requires; and no legal basis can justify storing sensitive authentication data (the CVV/CVC, full magnetic-stripe or chip data) after authorisation, which PCI DSS forbids outright.

Tokenization is one of the rare tools that helps on both fronts. Replacing the PAN with a token that cannot be reversed without access to a vault held outside the merchant's environment limits what a breach of the merchant's systems exposes (GDPR benefit) and can take systems that hold only tokens out of CDE scope (PCI DSS benefit). It does not eliminate the obligations of either framework: the tokenised record is still personal data under GDPR because it remains linked to an identifiable customer, and the tokenization provider and the integration itself remain in PCI DSS scope. It does, however, substantially reduce the area of exposure and the overall cost of compliance. For merchants that keep cards on file for recurring orders, tokenization is usually the only practical way to satisfy both frameworks at once.

In the event of a breach: notifications and penalties that accumulate

A breach exposing card data triggers separate notification obligations under the two frameworks. Under GDPR, the data controller must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to present a risk to the rights and freedoms of data subjects; if the risk is high, the data subjects themselves must also be informed without undue delay. Under PCI DSS and the card brands' rules, the merchant must immediately notify its acquirer and follow the brands' incident response procedures, which typically require an investigation by a PCI Forensic Investigator (PFI) at the merchant's expense.

The penalties do not exclude each other. The supervisory authority can fine serious GDPR violations up to €20 million or 4% of annual global turnover, whichever is higher. The acquirer can, contractually, pass on PCI DSS penalties ranging from a few thousand euros per month for ongoing non-compliance to significant one-off assessments after a documented breach. On top of these come the cost of the forensic investigation (from €50,000 to €500,000 for a medium-severity breach), reimbursement of fraudulent chargebacks on the compromised cards and the card replacement costs that issuers charge back. If this interaction between the two frameworks is not modelled, the real cost of a breach will far exceed the estimate in the risk assessment.

Frequently asked questions

Does the GDPR data controller coincide with the PCI merchant?

Not necessarily. A merchant can be a GDPR data controller (it decides the purposes of processing its customers' data) and at the same time a PCI DSS merchant (it accepts card payments). If the merchant uses a payment service provider, that provider is typically a GDPR data processor for the card data and a PCI DSS service provider. The two chains of responsibility run in parallel and must each be formalised: a data processing agreement under art. 28 GDPR on one side, and a service agreement backed by the provider's PCI DSS Attestation of Compliance (AOC) on the other.

Does GDPR pseudonymisation equal PCI tokenization?

They are related but not equivalent concepts. GDPR pseudonymisation (art. 4(5)) is processing that makes personal data no longer attributable to a specific data subject without the use of additional information, which must be kept separately and protected by technical and organisational measures; pseudonymised data remains personal data. PCI tokenization replaces the PAN with a token that is irreversible in the merchant's context, because the mapping back to the PAN lives only in the provider's vault. Strong vault tokenization can satisfy the GDPR pseudonymisation criteria, but GDPR pseudonymisation does not automatically imply compliance with the PCI DSS requirements on tokenization (token generation, vault protection, scope of the merchant's integration). The two must be verified separately.
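As an added example (not code from PCI Proxy EU or from this article), the following Python sketch shows what vault tokenization, as described in the tokenization paragraph above and in this answer, leaves on the merchant side, together with the check a practitioner should run afterwards: a scanner for cleartext PANs in merchant logs or database exports, which is how you find out that a system you believed was out of CDE scope is not. The `TokenVault` class, the `MerchantRecord` layout and the `tok_` token format are hypothetical; the PANs are the card brands' public test numbers, not real cards.

```python
import re
import uuid
from dataclasses import dataclass

# Constructed, Luhn-valid test PANs from the card brands' public test ranges (not real cards).
TEST_PAN_VISA = "4111111111111111"
TEST_PAN_MC = "5555555555554444"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; the scanner uses it to reject random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_pan(s: str) -> bool:
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s)


def mask_pan(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault on the service-provider side. It is the only component that
    ever sees the PAN, so it alone is in CDE scope, and it holds the 'additional
    information' that GDPR art. 4(5) requires to be kept separately."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_pan(pan):
            raise ValueError("not a syntactically valid PAN")
        # A random UUID: no mathematical relation to the PAN, so nothing outside the
        # vault can reverse it. Hyphenated UUID groups also never reach 13 digits.
        token = f"tok_{uuid.uuid4()}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; the merchant never holds the mapping."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant keeps for a recurring order: token plus display data only.
    Still personal data under GDPR (name, masked PAN, expiry), but no PAN."""
    customer_name: str
    token: str
    masked_pan: str
    expiry: str


def store_for_recurring(vault: TokenVault, name: str, pan: str, expiry: str) -> MerchantRecord:
    return MerchantRecord(name, vault.tokenize(pan), mask_pan(pan), expiry)


# A 13-19 digit run not adjoined by other digits; Luhn then filters out order numbers etc.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan a log line or database export for cleartext PANs. Any hit means the system
    that produced the text is inside the CDE and holds unpseudonymised card data."""
    return [m for m in _PAN_CANDIDATE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_for_recurring(vault, "A. Customer", TEST_PAN_VISA, "12/27")
    print(rec)
    # What lands in the merchant's database or logs contains no PAN:
    print(find_pans(f"order=42 {rec}"))  # []
    # The same line written before tokenization would:
    print(find_pans(f"order=42 pan={TEST_PAN_VISA} ref=1234567890123"))  # ['4111111111111111']
```

Run the scanner over exported tables and application logs, not only over the payment module: a PAN that a debug statement wrote into a web server log puts the log server in scope under PCI DSS and makes that log a breach under GDPR.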

Do I need to appoint a DPO if I accept card payments?

The obligation to appoint a DPO (Data Protection Officer) depends on the type and scale of processing, not on accepting cards as such. An average e-commerce merchant is not automatically required to appoint a DPO because it accepts cards. Under art. 37 GDPR the obligation applies to public authorities and to organisations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data; Member State law may add further cases. Consult your legal counsel for a specific assessment.

Dual compliance with a single integration: tokenization reduces GDPR and PCI DSS exposure simultaneously. Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
