What are the PCI DSS Data Retention and Disposal Requirements?

Published 2021-03-12, last modified 2023-10-09. Source: https://pcidssguide.com/what-are-the-pci-dss-data-retention-and-disposal-requirements/
Requirement 3.1 of the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to maintain and follow data retention and disposal procedures. The purpose of such a procedure is to ensure that records that are no longer needed are deleted promptly and properly.

PCI DSS only permits the storage of credit card information when there is a documented and authorized business need, and all stored data must be protected in accordance with every applicable PCI DSS requirement. Under this provision, storage of the following cardholder data is permitted, provided it is protected as PCI DSS requires:

Card data processed by an organization cannot, and need not, be stored indefinitely. It should be retained only for as long as processing requires and then destroyed. The appropriate retention period varies with the sector in which the enterprise operates and the laws that apply to it. Once that period has expired, the data must be destroyed at the next scheduled destruction cycle.

PCI DSS Requirement 3.1 requires organizations to securely delete data that no longer needs to be kept for business or legal reasons, so that cardholder data cannot be recovered by malicious actors.

PCI DSS Requirement 3.1 states that organizations should keep cardholder data storage to a minimum by following data retention and disposal policies, procedures, and processes. The basic approach of Requirement 3.1 is: if you don't need the data, get rid of it.

See Also: How to Permanently Delete Sensitive Authentication Data?

If specified in your contracts, it is acceptable to store data required for commercial or legal reasons. Storing cardholder data you do not need, however, becomes a liability for your organization.

PCI DSS states that to define appropriate retention requirements, an organization must first understand the legal or regulatory obligations that apply to its business needs, its industry, or the type of data being held.

During a PCI assessment, the assessor should review your data retention and disposal policies, which summarize what data is stored, where it is located, why it is retained, and for how long.

The assessors will then examine the data under your supervision. Reviewing the inventory is an essential part of the assessment; whether the media is physical print or electronic, the assessor needs to see where the data is located.

The assessors then take a sample of that data and compare its age against the organization's data retention and disposal policies.

PCI DSS stipulates that cardholder data storage be kept to a minimum: if you don't need it, you have to get rid of it. Unless cardholder data must be stored for commercial or legal reasons, it must be securely deleted. Data that exceeds its retention period becomes a liability for your business.

See Also: What are the PCI DSS Log Retention Requirements?

How you securely delete data should be recorded in your organization's data retention and disposal policies, procedures, and standards. Assessors expect that securely deleted data can never be recreated.

Print media must be shredded, and electronic data on hard disks must be overwritten. The process of securely deleting information may be manual or automated, and must be carried out at least every three months.

PCI standards were created to provide secure environments for transmitting and storing cardholder data. From a data destruction perspective, PCI compliance means that when data storage media are no longer needed for commercial or legal reasons, the organization must render the cardholder data on them unrecoverable, so that it cannot be reconstructed.

What are the PCI DSS Data Destruction Requirements?