Requirement 3.1 of the Payment Card Industry Data Security Standard (DSS) requires organizations to retain and follow data retention and disposal procedures. The purpose of the data storage and destruction procedure is to ensure that records no longer needed are deleted promptly and adequately.
The PCI only allows the following credit card information storage if there is a recorded and authorized business need. All data must be secured in accordance with the PCI DSS in all sections. Storage of the following cardholder data protected as required by PCI DSS is permitted under this provision:
- When sensitive or credit card data is no longer required for legal, contractual, or business purposes, it must be destroyed.
- Paper containing cardholder data awaiting destruction should be stored in a secure container secured with a lock to prevent access to its contents.
- A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements should be in place.
- Each domain that receives credit cards as payment should review these procedures periodically (annually) to determine if any conditions require changes in their cardholder data retention or disposal method.
What are the PCI DSS Data Storage Requirements?
Card data processed by organizations is not possible and necessary to be stored indefinitely or indefinitely. Card data should be kept for a period suitable for processing and then destroyed. However, these periods vary according to the sectors in which the enterprises operate and their affiliated laws. After these periods have expired, the data must be destroyed in the first periodic destruction period.
PCI DSS Requirement 3.1 requires organizations to securely delete data that does not need to be stored for business or legal requirements. Thus, cardholder data cannot be recreated by malicious people.
PCI DSS Requirement 3.1 states that organizations should keep cardholder data storage to a minimum by following data retention and disposal policies, procedures, and processes. The basic approach of PCI Requirement 3.1 is to get rid of the data if you don’t need it.
If specified in your contracts, it is acceptable to store data required for commercial or legal reasons. However, if you are storing unnecessary cardholder data, this becomes a liability for your organization.
The PCI DSS states that to define appropriate retention requirements, an organization must first understand the legal or regulatory obligations applicable to its business needs and industries or the type of data being held.
During a PCI assessment, the evaluator should review your data retention and disposal policies that summarize what data should be stored, where that data is located, why and how long you retained it.
Then the evaluators will examine the data you have under your supervision. Reviewing the inventory is an essential part of the evaluation process. Whether it is physical print media or electronic, the assessor needs to see where the data is located.
The assessors then equate the data’s lifetime to the organization’s data protection and disposal policies after taking a sample of it.
PCI DSS stipulates that cardholder data storage should be kept to a minimum. If you don’t need it, you have to get rid of unnecessary data. Unless cardholder data needs to be stored for commercial or legal reasons, it must be securely deleted. When data exceeds the retention period, it becomes a liability for your business.
How you safely delete data should be recorded in your organization’s data protection and disposal policies, protocols, and standards. Assessors expect that data can never be recreated if it is securely deleted.
The print media must be fragmented and overwritten with the electronic data on the hard disk. The process of securely deleting information should be done either manually or through an automated process and should be done at least every three months.
What are the PCI DSS Data Destruction Requirements?
PCI standards were created to provide secure environments for transmitting and storing cardholder data. Looking at PCI compliance from a data destruction perspective, when data storage media is no longer needed for commercial or legal reasons, organizations must render cardholder data electronically unrecoverable in such a way that it cannot be reconfigured.
PCI recommends destruction using media-friendly methods such as secure erase or physical destruction of the media and through a secure erase program by industry-accepted standards.
The Payment Card Industry does not endorse any process or company. Instead, your company should prove in an audit that your processes and suppliers meet the requirements.
So what are the industry-accepted standards for secure data deletion? An example is the NIST 800-88 standard developed by the National Institute of Standards and Technology under the US Department of National Security sponsorship.
NIST 800-88 requires a secure data cleansing process using professional, certified data deletion software. However, it is essential to note that the US government does not endorse cleaning software or companies to the NIST 800-88 standard.
If you use software tools to delete data on hard drives yourself, you should determine how it is verified and whether it is certified in the countries that do it. To ensure your data cleansing provider uses secure processes and tools and can meet the NIST 800-88 standard with auditable records, you can query for certificates from a leading third-party organization, such as the National Information Destruction Association (NAID).
Partnering with the data cleansing vendor that has received AAA certification from NAID is an essential step towards ensuring your company complies with the data destruction requirements of the PCI DSS.
Generally, the reasons for the destruction of data are as follows:
- The amendment or abolition of the relevant legislation provisions that form the basis of its processing,
- The disappearance of the purpose requiring processing or storage,
- The data should be deleted when the maximum period for data storage has passed. There are no conditions to justify storing the data for a more extended period.
Deleting data is the process of making the data inaccessible and unavailable for the relevant users. Organizations must take all necessary technical and administrative measures to ensure that deleted cardholder data are inaccessible and unavailable for appropriate users.
The process to be followed in the process of deleting data is as follows:
- Determining the cardholder data that will constitute the subject of deletion.
- Using an access authorization and control matrix or a similar system, identify the relevant users for each data set.
- Determining the authorizations and methods of the relevant users, such as access, retrieval, and reuse.
- Closing and eliminating the access, retrieval, and reuse authorizations and methods of the relevant users within cardholder data scope.
What are the Methods of Destroying Data?
The destruction of cardholder data is the process of making cardholder data inaccessible, unrecoverable and reusable in any way. Organizations are obliged to take all necessary technical and administrative measures regarding the destruction of cardholder data.
Since cardholder data can be stored in various recording media, they must be destroyed by methods appropriate to the recording media. On the systems in question, one or more of the following methods may be used to delete cardholder data. Examples are given below:
- De-magnetization: It is the process of unreadable distortion of the magnetic media data by passing it through a particular device and exposing it to a very high magnetic field.
- Physical Destruction: Physical destruction of optical media and magnetic media such as melting, burning, or pulverizing. It is ensured that the data is inaccessible by processes such as melting, burning, crushing, or passing the optical or magnetic media through a metal grinder. If overwriting or de-magnetizing is not successful for solid-state disks, this media must also be physically destroyed.
- Overwriting: It is the method of writing random data consisting of 0 and 1 at least seven times on magnetic media and rewritable optical media to avoid the recovery of old data. This process is done using special software.
The following are the various destruction methods that can be used depending on the form of media:
- Switches, routers, and other network devices: Inside these machines, the storage media is fixed. Products often have a delete command but no destruction feature. It must be destroyed using one or more of the suitable methods mentioned above.
- Flash-based environments: Those that have the interface of flash-based hard drives such as SATA or SCSI should be destroyed by using the block erase command if supported, using the manufacturer’s recommended destruction method if not supported, or using one or more of the appropriate techniques mentioned above.
- Magnetic tape: These are the environments that store the data with micro magnet pieces on the flexible tape. It must be destroyed by exposing and de-magnetizing to solid magnetic media or by physical destruction methods such as burning or melting.
- Units such as magnetic discs: These are media that store data with micro magnet parts on flexible (plate) or fixed media. It must be destroyed by exposing and de-magnetizing to solid magnetic media or by physical destruction methods such as burning or melting.
- Mobile phones (Sim card and fixed memory areas): Portable smartphones have a delete command in fixed memory areas, but most do not have a destroy command. It must be destroyed using one or more of the suitable methods mentioned above.
- Optical discs: These are data storage media such as CDs and DVDs. Physical destruction techniques such as incineration, fragmentation, and melting must be used to destroy it.
- Peripherals such as printers with removable data recording media, fingerprint door access system: All data recording media must be verified to be removed and destroyed by using one or more of the above-mentioned appropriate methods according to their characteristics.
- Peripherals such as printer, fingerprint door access system with fixed data recording media: Most of the systems in question have a delete command, but there is no destroying command. It must be destroyed using one or more of the suitable methods mentioned above.
Since cardholder data in paper media is permanently and physically written on the media, the main media must be destroyed. While performing this process, it is necessary to divide the media into small pieces that are incomprehensible with paper shredding or shearing machines, horizontally and vertically, if possible, not to be put back together.
Cardholder data transferred from the original paper format to the electronic environment by scanning should be destroyed by using one or more of the above-mentioned appropriate methods, depending on the electronic environment in which they are located.