Although TennisDirector does not physically store credit card information, it does collect that information and pass it from the browser to the server and from the server to a gateway, after which it is deleted from the TennisDirector database. During that flow, the information is vulnerable to hacking and the system needs to be protected. It also needs to be protected against hacking in general, where spyware could be placed on the server with the mission of collecting information entered into the system. PCI DSS certification was a must for TennisDirector.
The General Data Protection Regulation (GDPR) was approved by the European Union in 2016 and went into effect in May 2018. It consists of a series of rules and policies that control and restrict the gathering and handling of EU residents' personal information. Although it is not law in the United States, all companies doing business with EU citizens are bound by the rules, and the fines can reach 4% of annual revenue. TennisDirector is now GDPR compliant.