Does PCI DSS apply the same everywhere?

Different countries have significantly different rules around financial products. So are there any big differences in the PCI DSS standard in different places?

Executive Summary: PCI DSS is a single standard globally, but how you apply it can differ from place to place because it defers to local law. Read on for the details.

As a standard, PCI DSS applies to payment card processing globally, and there is a single text for the standard. So how can there be regional or country-specific differences? Well, the PCI DSS is a big framework, but it has to operate inside even bigger frameworks. These define the regulatory environment in which the financial industry works, and PCI DSS can’t supersede these government requirements.

PCI DSS Recognition

The standard recognizes the reality that PCI DSS is subordinate to the regulatory environment. As of PCI DSS 3.2.1, this is clearly stated in the first full page of text after the table of contents:

PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

PCI DSS version 3.2.1 page 5, emphasis mine

Few regulators have an issue with the payment card industry mandating the use of firewalls in a financial network. Likewise, they are fine with requiring configuration backups of those devices. Things get more complicated when it comes to HR matters or data retention, because governments care a great deal about people's rights and about financial record keeping.

PCI DSS requires that you screen potential personnel prior to hire, and gives background checks (employment history, criminal record, credit history, references) as examples (req. 12.7). If a particular check conflicts with local employment or privacy law, your QSA cannot fail you for following the law; what they will expect is that you document the legal constraint and the screening you do perform within it.

Data Retention

The PCI DSS makes this deference to outside factors more explicit when it comes to data retention. Here, the requirement is that you define and implement a data retention and disposal policy. The standard does not tell you what the retention period must be, only that it is justified and that data beyond it is securely deleted:

Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements

PCI DSS version 3.2.1 req. 3.1

This is an area where things get very complicated, and you need to consult lawyers rather than an Internet blog. Nothing written here should be considered legal advice. Why do things get complicated? Because you can have competing legal, regulatory, and business requirements. At that point it is time to lawyer up and perform a risk assessment with them. Once you have come up with your policy, it is a good idea to review it with your QSA too, as they will be familiar with established norms in your country. One caveat that applies regardless of any retention policy: sensitive authentication data (full track data, card verification codes, PINs) must not be stored after authorization at all (req. 3.2), so the retention question is about cardholder data such as the PAN and cardholder name, not about everything on the card.

Consider this scenario: you are operating in Europe, where the GDPR is an important regulatory framework. The GDPR requires a lawful basis for processing a data subject's (your cardholder's, for PCI purposes) personal data. Consent is one such basis, and where you rely on it the data subject may withdraw it at any time, so you have to anticipate and plan for this happening. Your government also has regulations requiring financial institutions to maintain an audit trail for X years after a transaction, for AML purposes.

What do you do when a cardholder withdraws their consent? Delete their data because you no longer have their consent to process (store) it? Keep it in place because you need to meet the government retention requirement, but close their account? Or anonymize it, keeping the transaction history intact but stripping the fields that identify the person?

Typically in this case you keep the data and close the account. Consent is rarely the only lawful basis in play: the processing was needed to perform the contract for the financial product the cardholder asked for, and retention after closure is required by a legal obligation, both of which are lawful bases that do not depend on consent and therefore survive its withdrawal. But this is not a foregone conclusion, and it requires careful legal review of which basis you actually relied on for each kind of data.

And importantly, the PCI DSS says only that you must establish a retention policy, implement it, and be able to show your QSA that stored cardholder data does not exceed it.