(9.7) Distribution, maintenance, and storage of media containing cardholder data must be controlled, including media distributed to individuals. (9.9) Procedures must include periodic media inventories in order to validate the effectiveness of these controls.
(3.1) Procedures for data retention and disposal must be maintained by each department and must include the following:
- legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data
- provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data
- coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to
- a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements
- (9.10) destruction of media when it is no longer needed for business or legal reasons, as follows:
  - cross-cut shred, incinerate, or pulp hardcopy materials
  - purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed
[If records management is a centralized function, you may choose to offload the above section to a data retention standard and/or procedure, and then reference that procedure in the policy.]
(3.3) Credit card numbers must be masked when displaying cardholder data. Those with a need to see full credit card numbers must request an exception to this policy using the exception process.
(4.2.b) Unencrypted Primary Account Numbers (PANs) may not be sent via email.
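The two controls above that a department actually has to implement in code are 3.1 (a programmatic quarterly removal or audit of stored cardholder data past its retention period) and 3.3 (masking PANs wherever they are displayed, including in the audit output itself). The following is an added example written for this page, not code from the PCI DSS Guru template or from any PCI DSS document; the record layout, the 90-day retention period, the audit date and the sample records are all constructed, and the PANs are the widely published test card numbers rather than real accounts.

```python
# Added example (not from the PCI DSS Guru template): a small retention
# audit helper covering controls 3.1 and 3.3 above.  Record layout,
# retention period, audit date and sample data are constructed.
from datetime import date

# Masking rule for display (3.3): at most the first six and last four
# digits may be shown; everything in between is replaced.
SHOW_FIRST = 6
SHOW_LAST = 4


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    hidden = len(digits) - SHOW_FIRST - SHOW_LAST
    return digits[:SHOW_FIRST] + "*" * hidden + digits[-SHOW_LAST:]


def find_expired(records, retention_days: int, today: date):
    """Audit variant of 3.1: list every stored PAN older than the retention
    period.  Only the masked PAN goes into the result so the audit report
    itself does not become another copy of full cardholder data."""
    expired = []
    for rec in records:
        age = (today - rec["stored_on"]).days
        if age > retention_days:
            expired.append((rec["id"], mask_pan(rec["pan"]), age))
    return expired


def purge_expired(records, retention_days: int, today: date):
    """Programmatic-removal variant of 3.1: keep only records that are
    still inside the retention period."""
    return [r for r in records
            if (today - r["stored_on"]).days <= retention_days]


# Constructed inputs for the demonstration.
TODAY = date(2010, 1, 1)            # audit date (constructed)
RETENTION_DAYS = 90                 # business retention period (constructed)
SAMPLE_RECORDS = [                  # constructed; PANs are standard test numbers
    {"id": "txn-001", "pan": "4111 1111 1111 1111", "stored_on": date(2009, 12, 20)},
    {"id": "txn-002", "pan": "5555555555554444",    "stored_on": date(2009, 8, 1)},
    {"id": "txn-003", "pan": "378282246310005",     "stored_on": date(2009, 6, 15)},
]

if __name__ == "__main__":
    for rec_id, masked, age in find_expired(SAMPLE_RECORDS, RETENTION_DAYS, TODAY):
        print(f"{rec_id}: {masked} stored {age} days ago, exceeds {RETENTION_DAYS}-day retention")
    kept = purge_expired(SAMPLE_RECORDS, RETENTION_DAYS, TODAY)
    print(f"{len(kept)} of {len(SAMPLE_RECORDS)} records remain after purge")
```

Run as a scheduled job at least quarterly, `purge_expired` satisfies the programmatic option of 3.1 and `find_expired` the audit option; either way the output only ever contains masked PANs, which is what 3.3 requires of anything that displays cardholder data.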


December 15th, 2009 on 12:54 pm
My company only has truncated cardholder data to begin with. Does this still count as cardholder data that must be destroyed from all our old backups and servers? It’s useless without the full number anyway, so I don’t understand why it would be necessary, but from my interpretation of the requirement, that is what they are asking.
March 16th, 2010 on 6:08 pm
@Chris: Page six of the DSS says “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” Whenever “cardholder data” is mentioned in the standard it is only as defined on that page.
September 16th, 2010 on 11:30 am
One of your bullet points reads: “coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to”. What is the end to this sentence? “Used to” what?
Thanks!
October 3rd, 2010 on 4:06 am
Chris: If your company only deals with truncated cardholder data, then it should be noted that truncated cardholder data is not classified as cardholder data in the first place. That is, if it is proven, as you say, to be truncated data.
October 26th, 2010 on 11:30 am
I have more of a question than a comment.
Does our shredding vendor need to be PCI COMPLIANT OR PCI CERTIFIED?
Thanks all.
November 1st, 2010 on 9:46 am
Hello. I manage a records management facility. We store data and backup media for a call center. They are requesting our compliance with PCI DSS; however, there are only a few sections that deal with offsite storage. The self assessments don’t seem to be helping because we only store paper or backups, and none of that information is on a computer or database of any kind.
I guess my question is how does one get “official” compliance for the applicable portions of the document?
Thanks a bunch.