Indonesian organizations operating payment services navigate a regulatory landscape that has grown significantly more complex over the past five years. Bank Indonesia's payment security regulations, OJK's IT security framework for financial institutions, and Indonesia's Personal Data Protection Law (UU PDP) each impose security and data protection obligations that overlap substantially with PCI DSS. Understanding these overlaps — and the gaps — is essential for building a compliance program that satisfies all applicable obligations without duplicating effort.
The Regulatory Landscape
| Year in force | Instrument | What it requires |
|---|---|---|
| 2021 | PBI 23/2021 (Bank Indonesia) | Payment system operators subject to comprehensive security, reliability, and governance requirements under BI's authority |
| 2022 | POJK 11/2022 (OJK) | IT security framework for banks and financial service institutions: comprehensive cyber risk management, incident reporting, vendor management |
| 2022 | BSSN Circular (BSSN) | National Cyber and Crypto Agency guidance on information security standards for critical information infrastructure operators |
| 2024 | UU PDP (Law No. 27/2022) | Indonesia's Personal Data Protection Law, enacted October 2022 and fully effective after a two-year transition in October 2024; personal data processing obligations, data controller/processor distinction, cross-border data transfer rules |
| 2024 | PCI DSS v4.0 fully active | PCI DSS v3.2.1 retired on 31 March 2024, making v4.0 the only valid version; the future-dated v4.0 requirements become mandatory on 31 March 2025 |
PCI DSS vs. PBI 23/2021 — Bank Indonesia Payment Regulation
PBI 23/2021 covers payment system operators (penyelenggara sistem pembayaran), including payment service providers, payment system infrastructure operators, and payment instrument issuers. Key alignment with PCI DSS:
| PBI 23/2021 Obligation | PCI DSS Alignment | Additional BI Requirement |
|---|---|---|
| Security management of payment data | PCI DSS Req 3, 4 (data protection) | Data must be processed using internationally recognized security standards |
| Information security management | PCI DSS Req 12 (policies, risk assessment) | ISMS implementation — BI recognizes ISO 27001 |
| Access control for payment systems | PCI DSS Req 7, 8 | Separation of duties requirements for core payment functions |
| Audit and monitoring of payment systems | PCI DSS Req 10 | BI supervisory access to audit logs on request |
| Security testing | PCI DSS Req 11 (scanning, pen testing) | Annual VAPT (Vulnerability Assessment and Penetration Testing) required |
| Incident reporting to BI | PCI DSS Req 12.10 (incident response) | Major incidents reported to BI within 24 hours; PCI DSS Req 12.10 requires an incident response plan and card-brand notification but sets no regulator deadline of its own, so the BI clock is the binding one |
| Business continuity | PCI DSS does not cover BCP directly | Business continuity plan for payment systems required |
| Vendor management | PCI DSS Req 12.8 | Vendor security assessment required; BI approval for critical vendors |
PCI DSS vs. POJK 11/2022 — OJK IT Security
POJK 11/2022 applies to banks and financial service institutions (lembaga jasa keuangan) under OJK supervision. It establishes a comprehensive IT security and cyber risk framework.
| POJK 11/2022 Requirement | PCI DSS Mapping | Notes |
|---|---|---|
| Information security governance and CISO role | PCI DSS Req 12.1 (information security policy); Req 12.3 (risk management) | OJK requires formal CISO appointment with defined authority; PCI DSS only requires that executive management assign overall accountability (Req 12.4) |
| Cyber risk management framework | PCI DSS Req 12 (overall security program) | POJK requires quantitative risk scoring; PCI DSS v4.0 Req 12.3.1 requires targeted risk analyses but does not prescribe a scoring method |
| User access management | PCI DSS Req 7, 8 | Both require least privilege, periodic access review, and MFA for sensitive systems |
| Cryptography standard | PCI DSS Req 3, 4 | POJK references SNI standards; PCI DSS references industry-accepted standards such as NIST. Both accept AES-256 and TLS 1.2 or higher; PCI DSS additionally prohibits SSL and early TLS |
| Security incident management | PCI DSS Req 12.10 | OJK requires incident reporting to OJK within defined SLAs; must include post-incident analysis |
| Third-party risk management | PCI DSS Req 12.8 | OJK requires third-party risk assessment before engagement and annual review |
| Security testing | PCI DSS Req 11 | POJK requires annual VAPT; aligns with PCI DSS pen testing requirement |
| KEY IDEA | The overlap between POJK 11/2022 and PCI DSS is substantial enough that organizations pursuing both can build a single evidence collection process. The main differences: POJK 11/2022 has stricter reporting timelines (incident reporting to OJK), requires quantitative risk scoring, and imposes governance structure requirements (CISO appointment, committee structure) that go beyond PCI DSS Requirement 12. |
UU PDP (Personal Data Protection Law) and PCI DSS
Indonesia's UU PDP (Law No. 27/2022) establishes a comprehensive personal data protection framework. Cardholder data under PCI DSS constitutes personal data under UU PDP. Key UU PDP obligations that intersect with PCI DSS:
- Data processor obligation: Organizations processing cardholder data as a service (PSPs, payment gateways) are data processors under UU PDP and must process data only per controller instructions
- Data security: UU PDP requires appropriate security measures for personal data — PCI DSS compliance is strong evidence of meeting this obligation for cardholder data
- Data breach notification: UU PDP (Article 46) requires written notification within 3 x 24 hours of a breach to both the affected data subjects and the supervisory authority. Card-brand notification rules referenced by PCI DSS cover only account data, so the UU PDP deadline and the card-brand notification run in parallel from the same incident
- Cross-border data transfer: UU PDP (Article 56) allows transfer of personal data outside Indonesia only where (1) the destination country provides an equal or higher level of protection, (2) adequate and binding safeguards such as contractual clauses are in place, or (3) the data subject has consented. Transferring cardholder data outside Indonesia must rest on one of these bases
- Data minimization: Only collect cardholder data that is necessary — aligns with PCI DSS prohibition on storing SAD and truncation of PAN for display purposes
| IMPORTANT | UU PDP's cross-border data transfer restrictions have significant implications for Indonesian organizations using international PSPs or cloud services outside Indonesia. Cardholder data processed by Stripe's US infrastructure or routed through non-Indonesian AWS regions may trigger UU PDP cross-border transfer obligations. Review your PSP agreements and data flow architecture against UU PDP requirements — this is now a legal obligation, not just a compliance preference. |
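The review the callout asks for is easiest to keep honest as a script run over the data-flow inventory rather than a one-off spreadsheet. The Python below is an added example, not code from the original page or from any vendor or regulator. It walks a constructed inventory of flows for a hypothetical merchant, flags personal data leaving Indonesia without one of the three UU PDP Article 56 bases, and separately marks flows that keep PCI DSS scope (account data shared with a third party, SAD in transit). The short labels for transfer bases, the country codes, the element names, and the four sample flows are all this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

HOME_COUNTRY = "ID"

# PCI DSS account-data elements (cardholder data plus sensitive authentication data).
PCI_ACCOUNT_DATA = frozenset({"PAN", "cardholder_name", "expiry", "SAD"})
# Elements treated as personal data for UU PDP purposes. Cardholder data is
# personal data; the extra elements are typical of a checkout flow. A PAN
# token or order reference is assumed (for this example) not to identify
# the data subject on its own and is therefore not listed.
PERSONAL_DATA = PCI_ACCOUNT_DATA | {"email", "phone", "billing_address"}
# The three transfer bases of UU PDP Art. 56; the labels are this example's
# own vocabulary, not terms from the law.
VALID_TRANSFER_BASES = frozenset({"adequacy", "binding_safeguards", "data_subject_consent"})


@dataclass(frozen=True)
class DataFlow:
    name: str
    destination_country: str            # ISO 3166-1 alpha-2 of the receiving system
    data_classes: frozenset[str]        # elements that actually cross, after tokenization
    third_party: bool                   # receiving system run by another legal entity
    transfer_basis: str | None = None   # documented Art. 56 basis, if any


def assess(flow: DataFlow) -> list[str]:
    """Return findings for one flow; an empty list means nothing to fix."""
    findings: list[str] = []
    personal = sorted(flow.data_classes & PERSONAL_DATA)
    account = sorted(flow.data_classes & PCI_ACCOUNT_DATA)
    cross_border = flow.destination_country.upper() != HOME_COUNTRY

    # UU PDP: any personal data leaving Indonesia needs a documented basis.
    if cross_border and personal:
        if flow.transfer_basis is None:
            findings.append(f"UU PDP Art. 56: {', '.join(personal)} leave Indonesia for "
                            f"{flow.destination_country} with no documented transfer basis")
        elif flow.transfer_basis not in VALID_TRANSFER_BASES:
            findings.append(f"UU PDP Art. 56: transfer basis '{flow.transfer_basis}' is not one of "
                            f"{sorted(VALID_TRANSFER_BASES)}")
    # PCI DSS: account data shared with a third party puts it on the TPSP list.
    if account and flow.third_party:
        findings.append(f"PCI DSS Req 12.8: {', '.join(account)} shared with a third party; "
                        "list it as a TPSP and hold its AOC or equivalent evidence")
    # PCI DSS: SAD may be transmitted for authorization but never retained after it.
    if "SAD" in flow.data_classes:
        findings.append("PCI DSS Req 3.3.1: SAD crosses this boundary; confirm it is "
                        "pre-authorization only and not retained by either side")
    return findings


def assess_inventory(flows) -> dict[str, list[str]]:
    return {flow.name: assess(flow) for flow in flows}


# Constructed inventory for a hypothetical Jakarta merchant (no real vendors).
SAMPLE_FLOWS = (
    DataFlow("checkout->domestic-acquirer", "ID",
             frozenset({"PAN", "expiry", "cardholder_name", "SAD"}), third_party=True),
    DataFlow("checkout->us-psp", "US",
             frozenset({"PAN", "expiry", "cardholder_name", "email"}),
             third_party=True, transfer_basis="binding_safeguards"),
    DataFlow("orders->sg-analytics", "SG",
             frozenset({"token", "email", "order_id"}), third_party=False),
    DataFlow("fraud->eu-vendor", "DE",
             frozenset({"token", "billing_address"}),
             third_party=True, transfer_basis="vendor says it is fine"),
)

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_FLOWS).items():
        print(name, "->", findings or ["OK"])
```

Two design points worth noting. The check runs on what crosses the boundary after tokenization, so a flow that sends only a token to an overseas warehouse is out of PCI DSS scope but still a UU PDP transfer if an e-mail address rides along with it; and the domestic acquirer flow produces PCI DSS findings but no UU PDP finding, which is exactly the split between the two frameworks the callout describes.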
Building a Unified Compliance Program
Organizations subject to multiple frameworks should build a unified compliance program that:
- Maps all regulatory requirements to a single control set — identify the most stringent control that satisfies all applicable frameworks
- Builds shared evidence: one penetration test report can satisfy PCI DSS Req 11, the PBI 23/2021 VAPT requirement, and POJK 11/2022 security testing, provided it is scoped and executed to the strictest of the three (for PCI DSS that means internal and external testing at least annually and after significant changes, plus segmentation testing where segmentation is relied on)
- Establishes single policies that reference all applicable regulatory citations
- Uses a GRC platform that supports multiple framework mapping
- Conducts integrated audits — a single audit covering PCI DSS + POJK 11/2022 simultaneously reduces disruption
| Bitlion's GRC platform natively maps PCI DSS v4.0, POJK 11/2022, PBI 23/2021, ISO 27001:2022, and UU PDP controls to a unified control set. Indonesian payment organizations running PCI DSS compliance through Bitlion automatically generate evidence mapped to all applicable Indonesian regulatory frameworks, reducing the total compliance effort by 50–60% compared to running separate compliance programs for each framework. |