PCI DSS in the UK is beginning to win the battle in reducing credit card fraud as demonstrated by the annual reduction in 2017 of debit and credit card fraud from £618m to £566m. Other than frauds including internal actors, nearly all frauds were perpetrated against businesses that were not PCI DSS compliant. According to Verizon’s 2018 Data Breach Investigations Report, 73% of 2017 breaches were perpetrated from outsiders. This leads to the conclusion that PCI DSS as a set of security controls has been very successful in stopping external actors from gaining access to sensitive cardholder data. This short paper proposes that organisations adopt the lessons learned through PCI DSS in addressing the security requirements of privacy data under GDPR.