Payment Card Industry Data Security Standard (PCI DSS)
Covered Entities: Organizations that Process, Store, or Transmit Consumer Payment Card Information
Governed by the Payment Card Industry Security Standards Council (PCI SSC)
Governed by the Payment Card Industry Security Standards Council (PCI SSC), the Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express to secure credit and debit card transactions against fraud and theft. PCI DSS compliance requires covered entities to protect cardholder data, including personally identifiable information (PII) such as the cardholder name, the primary account number (PAN) of credit and debit cards, the expiration date, and other information used in processing and transmitting payment card transactions. Sensitive authentication data (the CVV/CVC code, full magnetic-stripe or chip track data, and PINs) is held to a stricter rule: it may not be stored at all after a transaction has been authorized, whatever the retention policy says. As part of PCI DSS, Requirement 3.1 (renumbered 3.2.1 in PCI DSS v4.0) mandates that organizations securely dispose of data they are not otherwise required to maintain by stating that organizations should “Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes…” In other words, if you don’t need it, don’t store it.
Retaining cardholder data is acceptable only for as long as a documented legal, regulatory, or business requirement calls for it; cardholder data kept beyond that point is nothing more than a liability for the organization. PCI DSS covers organizations that process, store, or transmit payment card data, including any company or store that sells goods or services and accepts payment cards; service providers that handle card data as part of their service or product, such as payment processors or ATM manufacturers; banks that house and process credit and debit card information; and secure printers that personalize and print debit and credit cards.
While PCI DSS requires that cardholder data be destroyed once it is no longer needed (and no legal, regulatory, or business requirement mandates retention), it does not prescribe a specific destruction methodology. Requirement 9.8 (in PCI DSS v3.2.1) only specifies the outcome: hardcopy materials must be shredded, incinerated, or pulped so that cardholder data cannot be reconstructed, and cardholder data on electronic media must be rendered unrecoverable. That said, the penalties for non-compliance with PCI DSS’s data disposal requirements are severe: fines are levied by the card brands through the acquiring bank and are compounded by breach-related costs when improperly retained data is exposed. As such, covered entities should have a clear policy to dispose of any and all data no longer needed, covering both hardcopy information and electronic media such as hard drives, removable storage, servers, and any other form of recordable media.
Best practice for Requirement 3.1 compliance is to follow NIST Special Publication 800-88, Guidelines for Media Sanitization, which defines three levels of sanitization (Clear, Purge, and Destroy) and the methods acceptable for each media type. One caveat a practitioner should keep in mind: NIST 800-88 is explicit that degaussing is effective only for magnetic media. It does not sanitize solid-state drives, flash memory, or optical media, which must instead be purged with a media-specific command (such as a drive’s built-in sanitize function) or physically destroyed. All of SEM’s high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of PCI DSS covered data following NIST 800-88 protocols when matched to the media type each device is designed for.