
(9.7) Distribution, maintenance, and storage of media containing cardholder data must be controlled, including media distributed to individuals. Procedures must include periodic media inventories to validate the effectiveness of these controls. (9.9) Listings of devices must be maintained, along with periodic inspections of devices for signs of tampering. Training mechanisms must be in place to alert staff when device tampering is evident.

(3.1) Procedures for data retention and disposal must be maintained by each department and must include the following:

  • legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data
  • provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data
  • a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements
  • (9.8) destruction of media when it is no longer needed for business or legal reasons as follows:
      ◦ cross-cut shred, incinerate, or pulp hardcopy materials
      ◦ purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed

[If records management is a centralized function, you may choose to offload the above section to a data retention standard and/or procedure, and then reference that procedure in the policy.]

(3.3) Credit card numbers must be masked when displaying cardholder data.  Those with a need to see full credit card numbers must request an exception to this policy using the exception process.

(4.2) Unencrypted Primary Account Numbers may not be sent via email, instant messaging, SMS, chat, etc.
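A detection and masking routine supporting the 3.3 and 4.2 requirements above, as an added example that is not part of this policy template: it scans constructed sample messages for Luhn-valid 13 to 19 digit sequences (the length range and separator handling are assumptions about the scanner's configuration) and masks all but the last four digits before anything is logged or displayed (the display format is an assumption; the template only says "masked").

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# The pattern, length range and the sample messages below are constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_MESSAGES = [
    "customer card 4111 1111 1111 1111 exp 12/27, please process",  # well-known test PAN
    "ticket id 1234567890123456 opened",                           # 16 digits, fails Luhn
    "nothing to see here",
]

def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask all but the last four digits (requirement 3.3); format is an assumption."""
    return "*" * (len(digits) - 4) + digits[-4:]

def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed so Luhn and masking see digits only."""
    return re.sub(r"[ -]", "", candidate)

def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in free text, digits only."""
    return [d for d in (_normalize(m.group(0)) for m in PAN_CANDIDATE.finditer(text))
            if 13 <= len(d) <= 19 and luhn_valid(d)]

def redact(text: str) -> Tuple[str, int]:
    """Replace Luhn-valid PANs with their masked form; return (redacted text, hit count)."""
    count = 0
    def _sub(m: "re.Match[str]") -> str:
        nonlocal count
        d = _normalize(m.group(0))
        if 13 <= len(d) <= 19 and luhn_valid(d):
            count += 1
            return mask_pan(d)
        return m.group(0)       # digit run that is not a valid PAN stays untouched
    return PAN_CANDIDATE.sub(_sub, text), count

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        redacted, hits = redact(msg)
        print(f"{hits} PAN(s): {redacted}")
```

A message with a non-zero hit count is the event to alert on; the redacted text, never the original, is what goes into the ticket or log line.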