Concepts explained

PCI DSS vs GDPR

One is an industry security standard for card data; the other is an EU law for all personal data. They cover different ground — but overlap on payment cards. Here's how they compare, and how to satisfy both at once.

  • PCI DSS Level 1
  • 100% EU data residency
  • Data minimization
  • AES-256 at rest
  • SAQ D to SAQ A
  • DORA Compliant

Definitions

Two frameworks, two purposes

PCI DSS

An industry security standard from the card brands that sets technical and operational requirements for anyone who stores, processes or transmits cardholder data.

  • Scope: payment card data
  • Enforced by card brands & acquirers
  • Technical security controls

GDPR

An EU law protecting the personal data of individuals. It governs the lawful basis, minimization, security and individual rights for any processing of personal data — including card numbers.

  • Scope: all personal data
  • Enforced by EU regulators
  • Legal rights & obligations

Side by side

PCI DSS vs GDPR

Dimension               PCI DSS                                  GDPR
Type                    Industry standard                        EU law
Data covered            Cardholder data                          All personal data
Enforced by             Card brands & acquirers                  Data-protection authorities
Focus                   Technical security                       Rights, lawfulness, minimization
Penalties               Fines, higher fees, loss of acceptance   Up to 4% of global turnover
How tokenization helps  Cuts scope to SAQ A                      Minimization & EU residency

One vault, both frameworks

Satisfy both at once

Tokenization is one of the few moves that helps with both. By replacing card data with tokens stored in our European PCI DSS Level 1 vault, you cut your PCI scope to SAQ A and, for GDPR, support data minimization and security by keeping personal card data out of your systems — and in the EU.

FAQ

PCI DSS vs GDPR, answered

01 What is the difference between PCI DSS and GDPR?

PCI DSS is an industry security standard for protecting payment card data, enforced by the card brands. GDPR is an EU law protecting all personal data of individuals, enforced by regulators. PCI DSS is narrow and technical; GDPR is broad and legal — but they overlap, because a card number is also personal data.

02 Does PCI DSS compliance make me GDPR compliant?

No. PCI DSS covers how you secure card data, which helps with GDPR's security requirement, but GDPR also demands a lawful basis, data minimization, individual rights, breach notification and more across all personal data. They are complementary, not interchangeable.

03 How does tokenization help with both PCI DSS and GDPR?

Tokenization replaces card data with tokens stored in an external PCI DSS Level 1 vault. That cuts your PCI scope to SAQ A and, for GDPR, supports data minimization and security by removing personal card data from your systems — and PCI Proxy keeps it in the EU.
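The tokenization pattern described in "Satisfy both at once" and in the answer above, shown as a small added model. This is illustrative code written for this page, not PCI Proxy's API or vault implementation: the Vault class, create_order and contains_pan are hypothetical, and the card number used is a constructed, Luhn-valid sample. It shows the two properties the text relies on: only the vault ever holds the card number (the merchant record keeps a token and the last four digits), and a record scanner can confirm that no PAN has leaked into merchant data.

```python
"""Toy tokenization vault: keep the PAN out of the merchant's systems.

Added illustration for this page, not PCI Proxy's code. It assumes a merchant
that stores orders and wants to persist only a token plus the last four digits.
"""
import re
import secrets
import string
from dataclasses import dataclass, field

# A PAN is 13-19 digits; candidates are confirmed with the Luhn checksum.
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Vault:
    """Stand-in for the external PCI DSS vault (hypothetical).

    Only this component ever sees a PAN; in the real setup it lives outside
    the merchant's environment, which is what shrinks the PCI scope.
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Tokens are random, not derived from the PAN: a hash of a 16-digit
        # number with a guessable prefix could be brute-forced back to the card.
        # The alphabet is letters only, so a digit-scanning PAN detector can
        # never mistake a token for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only the vault can do this."""
        return self._store[token]


def create_order(order_id: str, pan: str, vault: Vault) -> dict:
    """What the merchant persists: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": pan[-4:]}


def contains_pan(record: dict) -> bool:
    """Detection check for merchant data: any Luhn-valid 13-19 digit run."""
    text = " ".join(str(v) for v in record.values())
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    sample_pan = "4111111111111111"        # constructed, Luhn-valid sample number
    vault = Vault()

    # "Before": the merchant stores the PAN itself, so the record is in scope
    # for PCI DSS and holds personal data under GDPR.
    before = {"order_id": "ord-1001", "pan": sample_pan}
    print("before, contains PAN:", contains_pan(before))    # True

    # "After": the merchant stores only the token and last four.
    after = create_order("ord-1001", sample_pan, vault)
    print("after, contains PAN:", contains_pan(after))      # False
    print("vault resolves token:", vault.detokenize(after["card_token"]) == sample_pan)
```

The contains_pan check is the kind of control a practitioner runs over logs, databases and exports to verify that the scope reduction is real: a token scheme only cuts PCI scope and helps GDPR minimization if the PAN genuinely never lands in merchant systems.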

04 Is card data considered personal data under GDPR?

Yes. A payment card number linked to a person is personal data under GDPR, so it falls under both PCI DSS (as cardholder data) and GDPR (as personal data). Minimizing where it is stored reduces obligations under both.

Card data that's minimal, secure and European

Tell us about your data flows and we'll show how a European vault helps you meet PCI DSS and GDPR together.