Page 351 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
requirements that businesses must follow to process major credit
cards. Similarly, organizations that process the personal data of
individuals in the EU, including any transfer of that data into or out of
EU countries, must abide by the requirements of the GDPR.
Obviously, not all organizations have to comply with these standards.
Organizations that don't store, process, or transmit credit card data do
not need to comply with PCI DSS. Similarly, organizations that neither
process EU residents' personal data nor transfer such data to and from
EU countries do not need to comply with GDPR requirements. Each
organization needs to identify which standards apply to it and then
ensure that the security controls it selects satisfy those standards.
Even if your organization isn't legally required to comply with a
specific standard, adopting a well-designed community standard can be
very helpful. As an example, U.S. federal government organizations are
required to follow many of the standards and guidelines published in
the NIST Special Publication (SP) 800 series. Those same documents are
used by many private-sector organizations as a starting point for
developing and implementing their own security standards.