PCI DSS Guru
Payment Card Industry Data Security Standard

Sample PCI-DSS Policy Part 3: Handling of Cardholder Data

(9.7) Distribution, maintenance, and storage of media containing cardholder data must be controlled, including media distributed to individuals. (9.9) Procedures must include periodic media inventories in order to validate the effectiveness of these controls.

(3.1) Procedures for data retention and disposal must be maintained by each department and must include the following:

  • legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data
  • provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data
  • coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to
  • a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements
  • (9.10) destruction of media when it is no longer needed for business or legal reasons as follows:
      • cross-cut shred, incinerate, or pulp hardcopy materials
      • purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed

[If records management is a centralized function, you may choose to offload the above section to a data retention standard and/or procedure, and then reference that procedure in the policy.]

(3.3) Credit card numbers must be masked when displaying cardholder data. Those with a need to see full credit card numbers must request an exception to this policy using the exception process.

(4.2.b) Unencrypted Primary Account Numbers may not be sent via email.
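The three technical controls above (the quarterly retention purge or audit of 3.1, display masking of 3.3, and the no-clear-text-PAN-in-email rule of 4.2.b) are small enough to show in code. The following is an added example, not part of the sample policy or of any PCI DSS guidance; the 365-day retention period, the record layout, the mask width (last four digits visible) and the Luhn-based PAN detection are all assumptions for illustration.

```python
from datetime import date, timedelta
import re

RETENTION_DAYS = 365  # assumed business retention requirement (3.1)
# 14-19 digit runs, optionally separated by spaces or dashes, not embedded in longer digit runs
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates a plausible PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.3: render a PAN for display with only the last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def retention_audit(records, today_iso, retention_days=RETENTION_DAYS):
    """3.1: the job run at least quarterly. `records` is a list of
    (record_id, stored_on_iso_date) pairs; returns (keep, purge) id lists so the
    caller can either delete the `purge` set or report it as an audit finding."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    keep = [rid for rid, stored in records if date.fromisoformat(stored) >= cutoff]
    purge = [rid for rid, stored in records if date.fromisoformat(stored) < cutoff]
    return keep, purge


def find_clear_pans(text: str):
    """4.2.b: return clear-text PAN candidates (digit runs passing Luhn) found in
    an outbound email body, so the message can be blocked or flagged before sending."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # constructed sample data: the 4111... value is a well-known test number, not a real card
    print(mask_pan("4111 1111 1111 1111"))
    print(retention_audit([("inv-1", "2009-12-01"), ("inv-2", "2008-06-01")], "2009-12-15"))
    print(find_clear_pans("Order 12345 refund to card 4111 1111 1111 1111 please"))
```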

Posted in Policy

One Response

  1. Chris

    December 15th, 2009 at 12:54 pm

    My company only has truncated cardholder data to begin with. Does this still count as cardholder data that must be destroyed from all our old backups and servers? It’s useless without the full number anyway, so I don’t understand why it would be necessary, but from my interpretation of the requirement, that is what they are asking.

Copyright 2007, Plainfacts.net