The guidance section of PCI DSS Requirement 3.1 offers the following advice: “If you don’t need it, don’t store it.” However, for those merchants that do have a legitimate business reason to store cardholder data (CHD), the twenty-nine sub-requirements in Requirement 3 are all about protecting that stored data, and they include detailed and prescriptive conditions for the protection of that information.
Once that data is no longer needed, PCI DSS includes specific requirements for disposing of cardholder data, whether it is stored on paper or on electronic media. Requirement 9.8 states that organizations must destroy media containing CHD when it is no longer needed for business or legal reasons. Requirement 3.7 requires that organizations implement documented policies and procedures for the secure deletion of data. Finally, Requirement 3.1d dictates that organizations must also implement a quarterly process for identifying and securely deleting any stored cardholder data that exceeds their defined retention period. Below we review what are considered acceptable disposal methods for stored cardholder data.
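The quarterly search for stored cardholder data is usually done with a discovery scan: look for runs of 13 to 19 digits (with optional spaces or dashes), keep only those that pass the Luhn check digit test used by payment card numbers, and report them masked. The script below is an added example written for this page, not CampusGuard tooling; the sample files it builds in a temporary directory are constructed, and the card numbers in them are the well-known public test numbers, not real accounts.

```python
"""PAN discovery scan for the quarterly stored-CHD search.

Example code added for this page (not CampusGuard's tooling). Sample data
below is constructed; the card numbers are public test numbers.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so long hashes/IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first six and last four digits, the most PCI DSS 3.3 allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the unmasked Luhn-valid PANs found in text (digits only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Map each file under root (relative POSIX path) to the masked PANs it holds."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # plain-text scan only
        except OSError:
            continue                                  # unreadable file: skip, keep going
        hits = find_pans(text)
        if hits:
            results[path.relative_to(root).as_posix()] = [mask_pan(p) for p in hits]
    return results


def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # Constructed phone-order log with two public test PANs (Visa, Amex).
        (root / "finance" / "phone_orders.csv").write_text(
            "2024-01-09,Jane Doe,4111 1111 1111 1111,12/26\n"
            "2024-01-10,John Roe,3782-822463-10005,03/27\n"
        )
        (root / "ops").mkdir()
        # Constructed noise: a 16-digit job id that fails Luhn and a 20-digit run.
        (root / "ops" / "build.log").write_text(
            "job 1234567890123456 finished\n"
            "sha 41111111111111111111\n"
        )
        return scan_directory(root)


if __name__ == "__main__":
    for file, pans in run_demo().items():
        print(f"{file}: {', '.join(pans)}")
```

Only the finance file is reported; the Luhn check drops the job id and the digit-boundary lookarounds drop the 20-digit run. This is a plain-text heuristic: Luhn-valid non-PANs will still produce false positives that need human review, and spreadsheets, databases, PDFs, images and compressed archives need format-aware tooling before their contents can be searched. The findings are what the quarterly deletion process then acts on.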
Disposal of Paper Documents:
Did you know that some data breaches still begin with nothing more sophisticated than dumpster diving? Malicious individuals search through trash cans and recycling containers looking for sensitive information in discarded mail, faxes, the contents of cleared-out filing cabinets, etc.
If your merchants write down cardholder information when taking payments by phone, or receive paper documents containing it in the mail, ensure that they all have procedures in place covering what they may collect, what they may retain, and what must be securely disposed of. Remember that it is acceptable to collect the CVV/CVC in order to authorize a transaction, but that this sensitive authentication data must never be stored after authorization, regardless of whether the transaction succeeded or failed. If possible, design your paper forms so the cardholder information is written at the bottom of the form and can be torn off and destroyed. This allows you to retain the rest of the form if necessary.
Hard-copy materials should be cross-cut (or better) shredded, incinerated, or pulped so that there is no reasonable way the materials can be pieced back together; strip-cut shredders do not meet this bar, since strips can be reassembled. The easiest way to do this is to purchase a cross-cut or micro-cut shredder for every department that handles CHD on paper, so staff can immediately shred the document, or the portion of the form, containing the CHD.
In a high-volume area, manually shredding the information may not be feasible, and a shredding service with locked shred bins that hold large amounts of paper may make more sense. All storage containers and shred bins must be secured: ensure that the lids are padlocked and that the slot is designed so that no one can reach in and retrieve documents. The bin should also be kept in a secure location, such as an office or closet that is locked at night, so that it cannot simply be wheeled out by an unauthorized individual.
If you use a shredding vendor or service, there are a few things to be aware of. When they arrive to pick up the materials, verify that the person is who they claim to be and is a legitimate employee of the shredding company. Before engaging the company, you should have verified its compliance status and documented how it handles the chain of custody of your sensitive materials, including the certificate of destruction you should receive for each pickup. Also make sure that the contract language clearly outlines who is responsible in the event that cardholder information is breached.
Disposal of Electronic Media:
If you are disposing of an old card reader or any other device on which CHD was once stored, you must verify that the data is unrecoverable. Simply deleting the files, reformatting, or waiting for ordinary use to overwrite the data is not sufficient; deleted data can usually be recovered with forensic tools. Use a method that renders all CHD unrecoverable, such as a secure-wipe program that follows an industry-accepted standard, or degaussing for magnetic media. Note that degaussing does nothing to flash-based storage such as SSDs and the memory inside card readers; those should be physically destroyed or cryptographically erased. You can also physically destroy the media by grinding, shredding, or pulverizing the equipment.
It is best to use a certified destruction service that has implemented appropriate destruction methods, maintains formal chain-of-custody procedures, and provides a certificate of destruction. Depending on the devices you were using, you can also return the equipment to the manufacturer or your acquiring bank for disposal.
It is permissible to store cardholder data for a documented business need, and to hold the CVV/CVC until the transaction is authorized, but each must be handled with great care and securely disposed of at the appropriate time: the CVV/CVC immediately after authorization, and the rest of the CHD once the retention period ends. If you have any questions about secure storage or disposal of CHD, please feel free to reach out to your CampusGuard team.
Some additional guidance from our Security Advisor team below:
[Gilmore]: Validation of physical destruction is a necessary part of the chain of custody. Destruction companies that come to pick up bins to dispose of sensitive data could also be contracted to do bulk disposal on-site. This is a viable alternative if purchasing individual shredders isn’t a part of the overall use of departmental and/or institutional resources. Be sure that it is someone’s assigned duty to witness the destruction happen to verify that it is complete. This can also be a very therapeutic and stress-relieving task if your recent days have been taxing.
Hard drive destruction can also happen using manual physical methods such as taking a hammer to the device or punching a hole in the hard drive, ensuring that it cannot be read and that the device will cease to function at all. This process, though, should follow a proper Department of Defense (DoD) level disk wipe as a layered security approach to the destruction process.
Of course, the first consideration is to ensure that *any* storage is even needed. Making that business decision could remove the need for a retention policy, at least a quarterly search for possible stored data, and a destruction process. It will also remove the requirement for IT support to implement a similar technical destruction process for that particular sensitive data.