WIXLIB

the PCI DSS policy with CSA control we looked at the keyterms which were extracted from the policies and mapped allthe 12 requirements to CSA controls based on keywordcomparison. In the preprocessing stage, we extractedchapters 3 and 4 of the GDPR regulation which is forConsumers and Providers.During the process, we observed the alignment of someof the rules of PCI DSS and GDPR. Both the data protectionrules mandate that the organization should secure personaldata. If an organization is PCI DSS compliant, then it is ontrack for achieving GDPR compliance as well. There arecommonalities in both the data protection rules. Some ofwhich we were able to relate include: Both Data protection rules focus primarily onbuilding the secure infrastructure environment Both Data protection rules focus on securingpersonal data Both regulate access to personal data Both policies require auditing of security provisions Both impose hefty fines in case of breachA breach in PCI DSS can also be regarded as a breach inGDPR. However, it is not necessary that if an organizationis PCI DSS compliant, then it is also GDPR compliant. PCIDSS deals with a very small set of data- cardholder’s datawhich consists of debit/credit card numbers, PrimaryAccount Numbers (PAN), and Sensitive Authentication Data(SAD) such as CVVs and magnetic stripe data, from all themajor card schemes [1][4].On the other hand, GDPR has a broader scope interms of Big Data analysis usage because it covers any PII.This PII can include any EU customer’s personal details suchas Name, Address, Phone numbers, Medical records location,Race, gender, birth date, Criminal convictions, etc. Figure 2shows the mapping of the scope of GDPR and PCI DSS.After identifying similarities and differences between theregulations, we mapped GDPR rules to the CSA controls.In this stage, we also determined the permissionsand obligations for both data protection rules. The process todetermine that is detailed below.1) Permission & ObligationsModal logic is a broad term used to cover various otherforms of logic such as temporal logic and deontic logic[19].Deontic logic labels statements containing permissions andobligations, and temporal logic defines time-basedrequirements. Deontic logic further consists of four types ofmodalities:1.Permissions / Rights: Permissions are expressions orrules that describe the rights or authorizations for anentity.2. Obligations: Obligations expressions are the compulsoryactions that an entity must accomplish.3. Dispensations: Dispensations that describe optionalexpressions and describe non-mandatory conditions.4. Prohibitions: Prohibitions are the expressions thatspecify the actions which are prohibited.To classify the data protection policies as Permissions andObligations, we extracted certain modal keywords like ‘will’,‘should’, ‘can’, ‘could’, ‘shall’, ‘must’ etc. These modal verbshelped us in determining whether the sentence is classified aspermission or an obligation. These permissions andobligations determine how the polices in GDPR and PCI DSSaffect consumer, provider and end user. To extract the modalverbs, we did a frequency count of these verbs in the GDPRpolicy for controllers & processors and in PCI DSS checklist.Table 1 list the frequent occurrences of verbs in both thedocuments.Figure 2: Mapping the scope of GDPR & PCI DSSModal Verbs OccurrenceModal y7could1should7may36Table 1: Modal Frequency for GDPR& PCI DSS respectivelyIn our paper, we have used permissions & obligations tocategorize sentences into any one of them. Sentences thathave verbs like ‘may’, ‘can’, ‘could’ ‘will’ were categorizedas Permissions and sentences having verbs like ‘shall’, ‘must’‘should’ were categorized as Obligations. Below mentionedare some examples of our context:Permissions (PCI DSS):“Requirement 7: Restrict access to cardholder data bybusiness need to know. To ensure critical data can only beaccessed by authorized personnel, systems and processesmust be in place to limit access based on need to know andaccording to job responsibilities” [4].Obligations (PCI DSS):“Requirement 10.7 Retain audit trail history for at least oneyear; at least three months of history must be immediatelyavailable for analysis” [4].Permissions (GDPR):“A group of undertakings may appoint a single dataprotection officer provided that a data protection officer iseasily accessible from each establishment” [17].Obligations (GDPR):“The controller shall implement appropriate technical andorganizational measures for ensuring that, by default, onlypersonal data which are necessary for each specific purposeof the processing are processed” [17].

Figure 3: Ontology for GDPR, PCI DSS vs. CSA Control2) Key terms ExtractionAfter identifying permissions and obligations for the dataprotection rules, we wanted to look for key terms both inGDPR and PCI DSS. As mentioned above, in previous workof PCI DSS [1], we extracted key terms that were importantin context when an organization falls under PCI DSScompliance. For GDPR regulation, we applied the similarapproach to extract the relevant key terms from the repositoryof controller & processor. As defined in EUGDPR [7]repository there are several key terms which should be takeninto consideration when an organization is falling underGDPR compliance. We have used Python to develop the codeto extract [11] the key terms from the large corpus of GDPR.In our code, we made a list of stop words which were notneeded and were irrelevant to our context. Also, we did makesure that certain words like will’, ‘should’, ‘can’, ‘could’,‘shall’, ‘must’ were not part of stop words list since thesewords contribute towards defining permission & obligationsexpressions. This approach helped us in segregating anyirrelevant terms. We made use of regular expressions whichhelped us in identifying the key terms which have alreadybeen shared by EU GDPR. Table 2 below shows the list ofPCI DSS and GDPR key terms frequencies [1] [17].B. Ontology DevelopmentWe used Protégé software to build the integrated Big Datacompliance knowledge graph which combines CSA controls,PCI DSS, and GDPR. Figure 3 illustrates the high-levelcombined view of all the classes. Due to page limitations, wehave restricted the description to first level classes. In ourprevious work, we have developed the semantically richontology to capture obligations of only GDPR and theassociated CSA controls [2] and PCI DSS [1]. We hadmanually identified the key terms and extracted theobligations of Consumer, Provider and common obligations.We have now developed tools to automate the process ofextracting the key terms of GDPR, PCI DSS and associatingit with corresponding CSA controls from the legal texts. Themain classes of our knowledge graph are:Table 2: Key terms of PCI DSS & GDPR respectivelyFigure 4: CSA controls subclasses

The Stakeholder class is the main class that representsthe key organizations that are affected by the regulations.This class has four main subclasses. These are the BigData consumers, providers, EU Commission (regulatesvia GDPR) and the PCI DSS Council (regulates PCIDSS). Stake Holders class includes hasObliged propertyassociated with all the Obligation classes, andhasCSAcontrol property has the domain as theObligation classes and range as CSA control classes.The Consumer class represents the data users andincludes properties of end users.Consumer Obligations: The consumers haveobligations that they have to adhere to for GDPR. Themain subclasses of the consumer obligations ation of data breach, data protection,representative and other joint consumers.CSA Control: This class represents the security controlsrecommended by the Cloud Security Alliance [18]. It has18 subclasses that define the various categories of Cloudsecurity. In [2] we have presented tables that include thespecific consumer, provider and common obligationscommon between GDPR and CSA controls. In thispaper, we have related PCI DSS groups as well to CSAcontrols as shown in Table 3. CSA controls subclassesare in Figure 4.Provider: Provider class represents the data providersand includes properties of providing organization.Provider Obligations: The providers have a separate setof obligations that they have to adhere to for GDPR. Theprovider is also obligated to adhere to the PCI DSSrequirements that are divided into six main classes in ourKnowledge Graph.Common Obligations: Obligations in GDPR that arethe responsibilities of both Consumer and Provider arerepresented in this class. Its main subclasses areresponsibilities, cooperation, breach notification,processing activities, processing security, liability, andscope.The PCI-DSS group class consists of six main classwhich incorporate the 12 PCI-DSS requirements. Theclasses are Control Measures, Data Protection, SecureNetwork, Secure Policy, Monitor and Test Network, andManagement Program. Each class is disjoint from otherclasses which means that an individual (or object) cannotbe an instance of more than one of these six classes. Eachof the main class has sub-classes with their properties.C. ValidationFor the validation process, we referenced data policies ofmajor cloud data providers that have access to theircustomer PII data. These included AWS [12], Facebook[13], Google [14], Microsoft [15] and WhatsApp [16].PCI DSS GroupsBuild and maintain a securenetworkProtect Card Holder DataCSA controlsPY-04, MOS-01, STA-03, TVM-01,IVS-12, IVS-06, MOS-19AIS-03, AIS-04, DSI-02, DSI-03, DSI05, EKM-03, EKM-02, MOS-11, AIS02TVM-01, TVM-02, MOS-01, TVM-03Maintain a VulnerabilityManagement ProgramImplement Strong AccessDCS-02, DCS-07, DCS-08, DCS-09,Control MeasuresEKM-04, IAM-06, IAM-12Regularly Monitor and testCCC-03, CCC-04, CCC-05, IAM-03networksMaintain an InformationDSI-04, DCS-06, IAM-04, MOS-17Security PolicyTable 3: PCI DSS Groups vs. CSA controlsTable 4 lists the organization policies used for validation. Wewanted to verify if key terms and obligations specified inthese data policies can be populated as instances of our datacompliance knowledge graph. After downloading thepublicly available data policies, we applied them to the preprocessing tools that we have created. We used theprivacy/terms of service policies to look for terms similar tothe ones defined by GDPR and PCI DSS. This appliedapproach helped us in extracting the key terms from theirTerms of service/Privacy policy. We did find similar keyterms in the organizational policies along with the number oftimes that term has occurred. The graph in Figure 5 gives usa snapshot of key terms and its count for variousorganizations. With the help of these terms, eachorganization’s policies were populated as instances of ourknowledge graph. The data policies are now available as anRDF graph and are machine processable. It will now bepossible to automate the compliance validation by usingpolicy reasoning engines that can alert any potentialcompliance violation.Figure 5: Validation Results

egal/awsgdpr/AWS GDPR pliance/#?modal active acypolicy[6][7][8][9]Table 4: List of policies for validationsIV.CONCLUSION & FUTURE WORKRegulatory bodies throughout the globe are releasing new dataprotection laws to ensure data security and privacy. These dataprotection regulations are currently available only in textualformat and so require significant human time and effort toensure compliance. We envision that a semantically rich,machine processable knowledge graph (or ontology) thatcaptures the various data compliance regulations, as theyapply to Big Data on the Cloud, will significantly help inautomating an organization’s data compliance process. Wehave developed an integrated semantically rich, machineprocessable knowledge graph (or ontology) to representknowledge embedded in the PCI DSS and GDPR regulations.We have also studied the CSA code of conduct controls andincluded associated GDPR articles with the CSA controls inour Ontology. We used Semantic Web technologies, NaturalLanguage Processing (NLP) and text mining techniques tocreate this graph. In this paper, we describe this knowledgegraph in detail along with the methodology we have used tobuild it. We have validated this Knowledge Graph against thedata policies of five major vendors that deal with Big Data.Our knowledge graph will help Big Data practitioners to geta well-defined integrated view of the data regulations, andthey can reference it as a compliance checklist. As part ofour future work, we plan to build a reasoning component inour system that will automatically detect complianceviolations.V.[1][2][3][4][5]REFERENCESA. Nagar and K. P. Joshi, "A Semantically Rich KnowledgeRepresentation of PCI DSS for Cloud Services", InProceedings, 6th International IBM Cloud AcademyConference ICA CON 2018, Japan, May 2018L. Elluri and K. P. Joshi, "A Knowledge Representation ofCloud Data controls for EU GDPR Compliance",InProceedings, 11th IEEE International Conference on CloudComputing (CLOUD), July 2018.Karuna Pande Joshi et al., "Automating Cloud ServicesLifecycle through Semantic technologies", Article, IEEETransactions on Service Computing, January 2014.Payment Card Industry (PCI) Data Security Standard, Version3.2, https://www.pcisecuritystandards.org/document library,April 2016Musen, M.A. The Protégé project: A look back and a lookforward. AI Matters. Association of Computing 20][21][22]Specific Interest Group in Artificial Intelligence, 1(4), June2015. DOI: 10.1145/2557001.25757003.Karuna P Joshi, Aditi Gupta, Sudip Mittal, Claudia Pearce,Anupam Joshi, and Tim Finin. Semantic Approach toAutomating Management of Big Data Privacy Policies. InProceedings, IEEE BigData, 2016.EU GDPR Portal. (2018). GDPR Glossary of Terms. [online]Available at: ssed 17 Aug. 2018].GDPR and PCI DSS: How They Differ, How They're ntsjournal.com/gdpr-and-pci-dss/Calver, N. (2018). How the PCI DSS can help you meet therequirements of the GDPR. [online] IT Governance Blog.Available at: nes, A. and I.S. Partners, L. (2018). 4 Ways to Use PCI DSSto Achieve GDPR Compliance I.S. Partners. [online] I.S.Partners. Available at: i-dss-to-achieve-gdpr-compliance/PyPI.(2018). rake-nltk [online] Available at:https://pypi.org/project/rake-nltk/ [Accessed 17 Aug. 2018].Anon, (2018). [ebook] Available at:https://d1.awsstatic.com/legal/awsgdpr/AWS GDPR DPA.pdf [Accessed 17 Aug. 2018].Facebook Business. (2018). General Data ProtectionRegulation. [online] Available at:https://www.facebook.com/business/gdpr [Accessed 17 Aug.2018].Privacy.google.com. (2018). Compliance How Googlecomplies with data protection laws. [online] Available e/#?modal active none [Accessed 17 Aug. 2018].Privacy.microsoft.com. (2018). Change history for MicrosoftPrivacy Statement – Microsoft privacy. [online] Available at:https://privacy.microsoft.com/en-us/updates [Accessed 17Aug. 2018].WhatsApp.com. (2018). WhatsApp Legal Info. [online]Available at: https://www.whatsapp.com/legal/#privacypolicy [Accessed 17 Aug. 2018]“General Data Protection Regulation (GDPR) – Final textneatly arranged.” General Data Protection Regulation(GDPR), gdpr-info.eu/.Cloud Security Alliance Releases Code of Conduct for GDPRCompliance. eleases-code-of-conduct-forgdpr-complianceModal Logic: ael R. Overly, Legal compliance challenges of Big Data:Seeing the forest for the data-seeing-theforest-for-the-trees.html, last retrieved 8/19/2018“ Resource description framework (RDF).” [Online].Available: http: //www.w3.org/RDF/I. S. Jacobs and C. P. Bean, “Fine particles, thin films andexchange anisotropy,” in Magnetism, vol. III, G. T. Rado andH. Suhl, Eds. New York: Academic, 1963, pp. 271–350.

A breach in PCI DSS can also be regarded as a breach in GDPR. However, it is not necessary that if an organization is PCI DSS compliant, then it is also GDPR compliant. PCI DSS deals with a very small set of data- cardholder's data which consists of debit/credit card numbers, Primary Account Numbers (PAN), and Sensitive Authentication Data