Deleted data can increase your vulnerability when it has not really been deleted. When your computer deletes sensitive details, you may think they are completely gone, but the data is still there! If an attacker manages to access your network, they can still access this deleted information.
The Payment Card Industry Data Security Standard (PCI DSS) states that if sensitive authentication data is not removed securely, it can remain on vendor networks and be used by malicious actors who fraudulently access this information.
What Is Sensitive Authentication Data?
One of the basic concepts of protecting information in any system is to prohibit or restrict physical access to the storage medium as much as possible. Physical access to equipment that stores cardholder data, such as primary account numbers, offers hackers a simple way to bypass all the security measures at the edge of your network.
Restricting physical access is especially important for sensitive authentication data (SAD), which is security-related information (such as CVV2 and CVC2 data) containing the codes and values used to authenticate cards. Sensitive authentication data also includes complete magnetic stripe data and values such as your identification number, typically used to verify your access or confirm payment card purchases.
The fundamental requirement for implementing PCI DSS requirement 3 is that sensitive authentication data should not be stored after authorization. To ensure adequate SAD protections, organizations should review and verify system settings and all relevant system component configurations:
- Ensure that the full contents of any magnetic stripe track on the back of the card, or the equivalent data on a chip, are not stored after authorization.
- Make sure that the 3-digit or 4-digit card authentication code (CVV2, CVC2, CID, CAV2) is not stored after authorization.
- Make sure that PINs and encrypted PIN blocks are not stored after authorization.
What Kinds of Card Verification Code Data Are There?
Card Code Verification (CCV) provides additional protection against fraudulent credit card purchases. The card code is a security code printed in reverse italics on the credit card’s signature panel, or on the front of the card after the full card number.
Card security codes were introduced in the early 2000s as a direct response to the rise of online shopping. The first company to introduce the card security code was MasterCard in 1997, followed by American Express in 1999 and Visa in 2001. Today, card security codes on payment cards are common practice for all major card issuers.
Card security codes differ by network, and each network has its own name for the security feature:
- Visa: Card Verification Value 2 (CVV2)
- MasterCard: Card Verification Code 2 (CVC2)
- Discover: Card Member ID (CMID)
- American Express: Card Identification Number (CID)
The security numbers (CVC2 / CVV2) are printed on the card only; they are not encoded on the card. MasterCard, Visa and Discover place the 3-digit card security code in the signature strip on the back of the card. American Express prints the four-digit card security code above the embossed account number on the front of the card.
A skilled hacker can access your card data, but in principle, a credit card number without a corresponding CVV number will not work if the retailer takes appropriate security measures.
Storing CVCs is not permitted once a particular purchase or transaction has been authorized. Some service providers offer services in which the company stores cardholder information to facilitate possible future transactions. Even in that case, storage of the card authentication code is prohibited under PCI DSS Requirement 3.2.
Why Can’t Merchants Store CVV Codes?
A Card Verification Value code, or CVV (CVV2 for Visa, CVC2 for MasterCard, and CID for AMEX), is the three- or four-digit number on the front or back of a credit or debit card. Merchants can request CVV codes from cardholders as another way to identify fraudulent activity.
The idea is that anyone using a stolen credit card is less likely to have the code to complete the transaction. You can change most payment systems’ settings to automatically reject transactions where the CVV code does not match the card number.
The CVV code is only effective as long as it is kept out of criminals’ hands. Therefore, the PCI Standards prohibit storing the Card Verification Value code. Retailers who charge customers periodically can use the CVV code in the first transaction but cannot save it for future transactions.
Using the CVV code will not change the rate you are paid or your transaction rates. It only helps reduce fraudulent transactions by authenticating your customers. You don’t need the CVV code to process chargeback claims. If you are currently keeping CVV numbers, it might be a wise idea to reevaluate your procedures and delete them from your system as soon as possible.
When Is Sensitive Authentication Data on a Windows or Mac System Completely Erased?
Depending on your operating system, when you remove or delete something on your system, you drag it to the Trash on Mac or the Recycle Bin on Windows. Unfortunately, these operations do not mean the complete deletion of data.
Think of the trash or recycling bin on your computer as similar to the trash next to your desk. If necessary, you can return these documents quickly. All you have to do is take them back from the trash can.
The same applies to the Recycle Bin or Trash on your computer. There are straightforward ways to retrieve deleted data from the bin.
Even if the cleaning staff empty your trash can into the garbage, you can go through the garbage to find that document again. It is a little harder and more fragrant to undo, but the main thing is that the critical data is still there.
When you empty the Recycle Bin or Trash, you do not completely delete the files from your computer. This operation only marks the space the file occupies as available to be overwritten. These files are almost impossible for the average user to restore because the operating system deletes the file references.
Your machine will no longer find the file for you, but the file still exists and resides on your drive. The data remains available to people with advanced technical skills, such as hackers, who can read unallocated disk space.
The only real way to permanently remove files from your computer is to:
- Mac – select “Secure Empty Trash.”
- Windows – Use a third-party deletion program.
Using Secure Empty Trash or third-party deletion programs takes much longer to complete the emptying cycle than simply selecting Empty Trash because the machine overwrites the files you want to delete instead of labeling them as “ready to overwrite.”
What Are Secure Deletion Techniques?
Permanent deletion of data can require many different techniques, depending on how you want it done and how you want to reuse the media where the data is stored. Below you can find a few strategies to remove data safely.
- Overwriting: The existing data is overwritten with a string of 1s or another binary pattern. Some recoverable data may still exist on the media, so this approach may not be the most reliable.
- Degaussing: This method is useful if you have tapes and hard drives. Degaussing uses a powerful magnet to erase magnetic media data. The degaussing approach is beneficial if you want to reuse media.
- Physical destruction: This is one of the most reliable methods of permanent data deletion. It is highly recommended that you physically destroy the media if you do not want to use it again. For larger equipment, it is best to go to companies that use industrial-size shredders. For secure data erasure, specific media formats must be physically destroyed. Physical destruction of solid-state drives (SSDs) and optical media such as DVDs and CDs is often necessary. Note that some SSDs contain built-in erase commands that “clean up” but aren’t as effective. Built-in erase commands can be used, but relying on them is a risk.
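The overwriting technique from the list above, as an added example that is not part of the original article: it writes a pass of 1 bits and a pass of 0 bits over a file, forces each pass to disk, reads the file back to verify, and only then removes the directory entry. The function names and the test record are constructed for illustration; on SSDs, copy-on-write filesystems and backed-up volumes, older copies of the data can survive an in-place overwrite.

```python
import os
import tempfile

def overwrite_file(path, patterns=(b"\xff", b"\x00"), chunk=1 << 16):
    """Overwrite every byte of `path` in place, one full pass per pattern byte."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                f.write(pat * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass out of the OS cache to the device

def verify_overwritten(path, needle):
    """Read the file back and confirm the sensitive bytes are gone (small files)."""
    with open(path, "rb") as f:
        return needle not in f.read()

def secure_delete(path, needle):
    """Overwrite, verify, and only then remove the file reference."""
    overwrite_file(path)
    if not verify_overwritten(path, needle):
        raise RuntimeError("overwrite verification failed: " + path)
    os.remove(path)

def demo():
    record = b"pan=4111111111111111 exp=2712\n"  # constructed test record
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(record * 1000)
    size_before = os.path.getsize(path)
    overwrite_file(path)
    same_size = os.path.getsize(path) == size_before  # same blocks, new content
    clean = verify_overwritten(path, b"4111111111111111")
    secure_delete(path, b"4111111111111111")
    return same_size, clean, os.path.exists(path)
```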
How to Secure Erase for PCI DSS Compliance?
Many businesses claim that they meet the PCI DSS 3.1 requirements because they send PAN (Primary Account Number) data files to their recycle bin. Card data discovery tools are therefore handy in many situations for determining the locations where unencrypted card data may be stored.
Card data discovery tools can look up “deleted” files on the user’s computer and find data that often goes unnoticed. PCI DSS Requirement 3.1 requires you to securely delete stored cardholder data that exceeds your storage requirements.
Even if you have done your best to delete files on your system securely, it is highly recommended that you run a card data discovery tool to verify that the deleted cardholder data has been properly removed and that no unwanted cardholder data remains in storage.
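A minimal sketch of what a card data discovery tool checks for, added here as an example and not taken from any particular product: it searches text for Luhn-valid PANs and for magnetic stripe track data, which must never be stored after authorization, and reports every hit masked. The sample log lines are constructed and use published test card numbers; the track patterns assume the standard ISO/IEC 7813 layouts.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed ISO/IEC 7813 layouts: Track 1 "%B<PAN>^<name>^<YYMM><svc>...?",
# Track 2 ";<PAN>=<YYMM><svc>...?".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}\d*\?")

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order ids, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report is not a PAN store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        track_spans = []
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    track_spans.append(m.span())
                    findings.append((lineno, kind, mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in track_spans):
                continue  # already reported as part of track data
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_ok(pan):
                findings.append((lineno, "pan", mask(pan)))
    return findings

# Constructed sample log using published test card numbers.
SAMPLE = """\
order=1001 status=approved card=4111 1111 1111 1111 cvv=***
order=1002 debug swipe=%B5555555555554444^DOE/JANE^27121010000000000000?
order=1003 track2=;4012888888881881=27121010000000000?
order=1004 ref=1234567890123456 status=declined
"""
```

Calling `scan(SAMPLE)` flags lines 1 to 3 and ignores the 16-digit reference on line 4, which fails the Luhn check.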
Additional Tips for Deleting Sensitive Data
Failure to properly delete data on devices will result in serious violations. A common mistake many organizations make is to delete data and yet leave it on a drive. Unfortunately, deleting only removes a link to the data, and the data itself is still on the drive. To protect your cardholder data environment (CDE), you must permanently remove old, confidential data.
One of the main problems with secure data deletion is understanding what data to delete, when to delete it, and who is responsible for it. If the data is not needed, it may be easier to get rid of it.
Here are a few more tips to ensure data is adequately deleted:
- Review and delete data at least once a year: Depending on how much data you process, you may want to do this more often.
- Assign someone responsible for data destruction: Have someone who knows the data lifecycle, deletion policy, and how it is processed.
- Establish policies for data lifecycle and destruction: Record the procedure for the secure deletion of data, what to do, when, and who is responsible for it.
- Train staff: Make sure employees are aware of data deletion policies.
Determine the Data Lifecycle
The first step to removing or deleting old data is to decide how long the data will be retained and when it will be deleted.
Your company should establish a data lifecycle for all types of data you store. There must be specific parameters that answer the following:
- How long must the data be stored for regulatory purposes?
- How long do you need this data?
The cardholder’s name, PAN, expiration date, and service code may be retained as long as necessary for business purposes and as long as PCI DSS requirements secure them.
Remember, data protection isn’t just about confidential data. You also have to decide how long to keep other specific forms of data, such as logs, in your environment.
If you delete log data too early, you may not have the documentation to go back and investigate a potential violation. It is good to keep incident records for one year and have reports available for review within one year.
Don’t Forget Your E-mail Data
It is harder to describe a single secure e-mail deletion process, as every e-mail system is different. But in most, if you send an e-mail to the trash, it probably isn’t actually deleted.
Some e-mail programs automatically remove trashed e-mails after a certain period. However, some keep e-mails until your space is full. Most e-mail programs have some “delete forever” option that allows you to permanently delete e-mails in the trash folder.
If you are concerned about e-mail recovery, some e-mail systems like Outlook have an option to prevent the recovery of deleted e-mails. Remember that a copy of the e-mail may still exist with the sender or in your sent folder.
Review Data Related to Backups
When considering how to remove files from your network permanently, remember archived records. Archived records include the following examples:
- Time Machine backups
- Cloud backups
- External hard drive backups
- CD or DVD backups
- E-mail backups
- FTP backups
- Server backups
- Mirror backups
- Offsite backups
- Data on mobile devices
Do Not Forget Data on Mobile Devices
One of the biggest problems with stored data is that the physical computer can be hacked. Managing data on mobile devices is a bit more difficult, as they can be lost or stolen more easily. If your company stores or transfers many card details on mobile devices, it might be a good idea to use mobile device management software to manage access to that data.
For example, remote wipe is a program that allows data to be wiped remotely when a computer is lost or stolen. Some remote wipe tools overwrite or delete the data, while others delete the keys, which renders the data useless. Because data management is centralized, using a remote wipe program as part of mobile device management is recommended.