Tipping foil is used to enhance and secure financial institutions’ cards. The metallic ribbon is fixed on the card’s embossed characters, making them stand out even more. This results in clearer alphanumeric characters that are easier to read. The ribbon also improves bank card durability, as it’s designed to resist daily wear and tear and to maintain plastic card quality over the years. It is like the “makeup” for the face of the card. Tipping foil is essentially stamped onto the raised lettering during the in-line vertical personalization process. What is important to remember is that the embossed, foiled letters are now left in reverse on the sheet of foil they were stamped from, much like a typewriter ribbon. The physical impression left behind on the foil is why it is so critical that tipping foil be destroyed before it is thrown away.
However, this method of creating credit/debit cards is currently being phased out. Many years ago, numbers had to be raised and embossed on the front of the card so that, when it was run through a card reader, an imprinted image of those numbers would appear on a slip of paper for the customer to sign. Traditional magnetic stripes are also well on their way out as “microchip” card readers become the new way to pay. Magnetic stripes on cards contain all of the cardholder information needed to make a purchase or duplicate the card. As technology advances, so do the world’s best hackers, and it is becoming significantly easier for people to steal data from the magnetic stripe.
The EMV® (Europay, Mastercard, and Visa, after the three credit card networks that originally developed the protocol) credit and debit cards equipped with computer chips are now the global standard used to authenticate transactions. The data stored in a magnetic stripe is static: it is what it is, and always stays the same. By contrast, the chip in the card generates a unique code for each transaction, and that code is only used once. If a thief were to copy the chip’s information from one transaction and try to use it to validate another, they wouldn’t be able to. No two transaction codes are ever repeated, so each code becomes useless following the completion of the transaction it represents.
The difference between contactless (RFID) transactions and chip transactions is the method by which the data is transferred. Radio frequency-enabled cards require the card to be within a short proximity of the payment terminal, rather than inserted into a chip reader. EMV chip cards and contactless cards are both more secure than the magnetic stripe. However, a chip does not make a card immune to fraud by any means. EMV-enabled cards can still have information stolen through NFC (Near Field Communication) skimming. Near field communication skimmers utilize a wireless technology that allows data to transfer from a mobile device to a card reader within a short distance.
Consumers and organizations alike must properly shred their expired or useless cards that contain PII, whether that be in the form of an EMV chip or residual printed tipping foil that still holds information. Luckily, companies like SEM offer a host of devices specifically designed to ensure everyone has the opportunity to securely take control of their personal data and destroy it once and for all.
The Model DS-400 is one of our top multipurpose turnkey disintegrators. This powerhouse high security model was evaluated by the NSA, listed on the NSA/CSS EPL, and specifically designed to destroy metal cards and license plates. This device can also securely destroy classified paper and CDs as well as other unclassified media stored on smaller forms of e-media such as flash and thumb drives, solid state drives (SSDs), and SIM chips.
The Model 0205NANO is just one part of a revolutionary SSD destroyer duo. The NANO is a mobile crushing solution that was solely designed for the destruction of the world’s smallest forms of solid state media. From Compact Flash Type 1 drives to SOIC-8 and SD cards to PLCC-32 drives, the 0205NANO crushes the SSD beyond recovery with its specially crafted and designed internal rotors.
The second solution in the 0205 SSD disintegrator duo is the Model 0205MICRO. Like the NANO, the MICRO was specifically designed to destroy a wide variety of other SSD media, such as cell phones, PC boards, IronKeys, small tablets, and more.
The key to destroying something properly is first understanding how the technology works. A number of our disintegrators would also do the job of destroying tipping foil, EMV chips, SSDs, and various media, at a number of different volumes. We also have devices that can easily destroy tough metal credit cards.
Classified or unclassified, there’s a way to destroy it. Leaving data in a stockpiled room “unsure of what to do” with it is not excusable, and yet many still haven’t educated themselves further to see how their negligence is putting their lives and companies at risk. Mitigate those risks today and be smart when handling personally identifiable information (PII) with Security Engineered Machinery. We’re always eager to help answer questions and can assure you we will help you meet your destruction requirements.
In the digital age, enhanced debit and credit card functionality has led to an increase in frauds and scams. Given the sensitivity of the information attached to consumers’ payment cards, the critical need to ensure their security from the time of production through every swipe at a retailer or input on an e-commerce website became apparent.
What is PCI DSS?
Visa introduced the first set of credit card security standards—the Cardholder Information Security Program (CISP)—in October 1999, and gave merchants until May 2001 to comply. Other payment card companies would follow suit. These standards created major difficulties for merchants because compliance regulations were different for all major payment card companies, and total compliance was both expensive and laborious.
To combat the rising levels of fraud and create a universal set of security-compliance standards, the five major payment card brands — Visa, MasterCard, American Express, Discover, and JCB — formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004 and released the first set of unified standards to protect vital consumer information: the Payment Card Industry Data Security Standard (PCI DSS). Since its inception, the PCI DSS has undergone nine updates, the latest being version 3.2.1, released in May 2018.
Under the agreement’s terms, all entities that take part in transmitting or storing cardholder information must be PCI DSS-compliant. In addition to merchants and retail outlets, such entities include e-commerce sites, software as a service (SaaS) providers involved in payment gateways, financial institutions, and security printers. These regulations are intended to ensure that organizational policies regarding data retention, data disposal, and data security are effectively implemented and enforced.
It is important to understand that, although PCI DSS is not a law, the penalties for noncompliance can be quite steep. The PCI SSC does not impose penalties directly. Instead, the council reports regulation infractions to the payment card brands. In turn, they penalize the offending merchant’s acquiring financial institution, which then penalizes the offending merchant.
Data Covered Under PCI DSS
There are two types of data that fall under PCI DSS regulations on data storage: cardholder data and sensitive authentication data.
Cardholder data includes primary account numbers (PANs), cardholder name, card service code, and card expiration date. This data can only be stored while a merchant is waiting for a transaction to be authorized. Anytime the PAN is mobile, it must be encrypted; otherwise, it must be truncated to be unreadable (typically, only the first or last four digits will show when the PAN is static). This data may only be retained for five years, and must be examined quarterly during that time frame to ensure correct storage procedures are followed.
Sensitive authentication data is not to be stored by merchants at any time. This includes track 1 & 2 data contained within the magnetic stripe on the back of the card, CVV2, CVC2, CID and CAV2 codes (card verification codes), and PIN numbers. The only exception is information needed to complete a transaction, such as a PIN number or card verification code. In those instances, such information must be completely disposed of upon transaction completion.
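As an added example (not part of the original article), the storage rules above can be checked against stored log lines: track 1 and track 2 data and card verification codes are removed outright, and each Luhn-valid PAN is truncated to its last four digits. The function names, field names and sample lines are constructed for illustration.

```python
import re

# Track 1 (format code B): %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B\d{12,19}\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";\d{12,19}=\d{7}\d*\?")
# Card verification codes written as key/value pairs (heuristic: "cid" can
# collide with unrelated field names, so review hits before acting on them).
CVC = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2)\b([\"']?\s*[:=]\s*[\"']?)\d{3,4}\b")
# PAN candidates: 13-19 contiguous digits, or 4-4-4-4 / 4-6-5 digit groups.
# The lookahead lets every digit-run start be tested without consuming text.
PAN = re.compile(
    r"(?<![\d*])(?=((?:\d{4}[ -]){3}\d{4}|\d{4}[ -]\d{6}[ -]\d{5}|\d{13,19})(?![\d*]))"
)


def luhn_ok(digits):
    """Luhn check, used to separate real PANs from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub(line):
    """Return (cleaned_line, findings) for one stored log line."""
    findings = []

    def drop(kind, text):
        def repl(_match):
            findings.append(kind)
            return text
        return repl

    # Sensitive authentication data must not be stored at all: remove it.
    line = TRACK1.sub(drop("TRACK1", "[TRACK1 REMOVED]"), line)
    line = TRACK2.sub(drop("TRACK2", "[TRACK2 REMOVED]"), line)

    def drop_cvc(match):
        findings.append("CVC")
        return match.group(1) + match.group(2) + "[REMOVED]"

    line = CVC.sub(drop_cvc, line)

    # Cardholder data at rest: truncate each Luhn-valid PAN to its last four.
    out, pos = [], 0
    for m in PAN.finditer(line):
        raw, start = m.group(1), m.start(1)
        digits = re.sub(r"[ -]", "", raw)
        if start < pos or not luhn_ok(digits):
            continue
        out += [line[pos:start], "*" * (len(digits) - 4) + digits[-4:]]
        pos = start + len(raw)
        findings.append("PAN")
    out.append(line[pos:])
    return "".join(out), findings


# Constructed sample lines; the card numbers are well-known test numbers.
SAMPLE_LOG = [
    "2024-03-01 10:02:11 auth ok pan=4111111111111111 amount=42.00",
    "2024-03-01 10:02:12 swipe raw=;4111111111111111=30121010000000000000?",
    "2024-03-01 10:02:13 swipe raw=%B5555555555554444^DOE/JANE^30121010000000000000?",
    '2024-03-01 10:02:14 ecom {"card": "5555 5555 5555 4444", "cvv2": "123"}',
    "2024-03-01 10:02:15 order id=1234567890123456 shipped",
    "2024-03-01 10:02:16 receipt card=************1111",
]

if __name__ == "__main__":
    for number, original in enumerate(SAMPLE_LOG, start=1):
        cleaned, found = scrub(original)
        print(number, ",".join(found) or "clean", "|", cleaned)
```

The Luhn check keeps the 16-digit order id on the fifth line untouched, and the already-truncated value on the last line is not reported again.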
Financial Institutions & PCI DSS
To remain PCI DSS-compliant, financial institutions must follow a strict set of norms to ensure Personally Identifiable Information (PII) is not compromised, including the following:
• Regularly facilitating controlled attempted breaches of the network and cardholder data environment (CDE), along with any systems connected to it;
• Performing quarterly checks for both authorized and unauthorized wireless access points; and
• Conducting white- and black-box penetration testing on network and application layers anytime significant changes have been made (or at least once per year).
If any of the tests identify issues, the institution should immediately fix the issues and retest until all issues are resolved.
In addition to regular and rigorous testing, financial institutions are responsible for PCI DSS-compliance enforcement for their acquired merchants. They determine how merchants must verify compliance, and they are responsible for rectifying situations when acquired merchants are deemed to be in violation. The resulting fines are levied by the payment card companies on the financial institution, which then trickles the fine down to the merchant in a variety of ways, including special fees, increased processing and transaction fees, and monthly fees. If issues are not resolved, the financial institution could terminate its relationship with the offending merchant, and the merchant could forfeit its authorization to accept payment cards altogether.
Since PCI DSS compliance starts at card production and ends at card destruction, financial institutions must also account for the card-creation process, by which they must verify that their security printing process or vendor is also PCI DSS-compliant.
Security Printing & PCI DSS
Regardless of whether the facilities manufacturing payment cards or any part of the payment cards are associated with the financial institutions issuing the cards, they are subject to further PCI DSS regulations for maintaining the security of PII. Since a breach at one of these facilities could have severe consequences, both the electronic functions and physical premises must be secure to comply with the PCI DSS.
PII must always be securely encrypted during storage and transmission. The only exception is during the PII customization phase. During this time, the data is not to be on any public-facing network or connected to the internet in any way. Immediately after the information is entered, the data must be encrypted again, which absolutely must occur before reconnection to a network or the internet.
Any vendor handling PII must restrict access to a list of designated individuals who are authorized to enter sensitive cardholder data or access the ability to encrypt or decrypt PII. The vendor must also have a stipulated policy regarding any removable media containing PII. This media must be clearly labeled, stored in a secure location within the facility, and tracked during all movement. An authorized individual must oversee this function, and that person must not have the ability to decrypt any of the data within. When it is possible to delete the data on removable media, the media must be destroyed.
A Chief Information Security Officer (CISO) must be designated to oversee the vendor’s information technology security as well as to report the status of compliance and potential threats to executive management on a monthly basis. This person must also not complete tasks or responsibilities which they approve.
The CISO is responsible for approving network and firewall configurations, which must be in compliance with the PCI DSS regulations. This includes the documented flow of cardholder information from input to destruction (e.g., the stipulation that the system housing the cardholder information must be separate from any other vendor or internet networks and not housed on the same server rack).
Any remote access is restricted to the administrator of the network or system components. Quarterly external vulnerability scans must be completed by a PCI SSC-approved scanning vendor, and internal and external penetration tests must be performed annually and subsequent to any major infrastructure change. Any keys to the premises and sensitive areas must be well logged and accessible only to the designated key holders.
The vendor is also responsible for restricting and securing physical access to the premises. All non-emergency portals must always be locked or electronically controlled, and access must be controlled by a device such as a card reader or biometric scanner. All entrances and exits may allow only one person to enter or exit at a time; in addition, they must be contact-alarm monitored and reinforced to meet local fire and safety regulations. All exterior walls are required to be masonry block or a material of comparable strength, and any windows or doors must be protected against intrusion.
Employee-identification badges/access cards must never contain any logo or company information identifiable by an outside party. Employee access must be restricted to areas necessary for completion of their job functions.
A designated room or building for monitoring a CCTV security system must not be viewable from external locations. Backups of security tapes must be produced daily and kept for a minimum of 90 days. Additionally, if DVR is used, it must be housed in a designated security-equipment room with access restricted to authorized personnel.
A High Security Area (HSA) is any area where payment cards, their components, and/or PII are stored. Production and provisioning tasks are the only activities allowed in an HSA. These areas must also be outfitted with internal motion detectors. Personal items and electronics are absolutely prohibited from these areas. The only personal effects that may be brought inside an HSA are medication and tissues (provided they can be examined through their container).
All processes related to payment card production must be outlined in detail and ensure a traceable trail of possession and production for all cards and card components. Inventory must be thoroughly managed and accounted for, and no unnecessary material may be opened at any time.
All tipping foil reels containing PII must be completely shredded in-house, with dual oversight in an HSA. This should happen at least once per week.
All materials used in the mailing, packaging, and delivery processes must be regulated and inventoried. Wasted mailers must also be logged, as well as mailers completed and transferred to a mailing area. Envelopes containing payment cards should be nondescript and bear no company logos or references. GPS tracking must be in place for the mailers, and vehicle drivers must not have keys that allow access to the mailers being transported. A direct communication channel between the security control room (where movement is also being monitored) and the vehicle must be maintained. Two people must be in the delivery vehicle.
PCI DSS Regulations Regarding Data Destruction
For both paper and electronic data, a comprehensive strategy detailing how to store the media, how long to store it, and how to dispose of it is required for PCI DSS compliance. It is further required that data be destroyed such that it cannot be recreated. The DIN (Deutsches Institut für Normung—German Institute for Standardization) developed internationally recognized standards for data destruction, as outlined in DIN Standard 66399, now globally standardized to ISO/IEC 21964. Security levels of destruction for each form of data are divided into seven categories, with 1 being the least secure and 7 being the most secure.
According to DIN Standard 66399 (ISO/IEC 21964), paper should be disposed of or shredded to a minimum security level of P-4. Particle size should be less than or equal to 160mm², with a width no greater than 6mm².
In addition, hard drives should be disposed of at a security level of H-4 or greater. Maximum particle size should be 2000mm², rendering it impossible to reassemble the hard drive for data restoration, except by highly specialized machinery. If the hard drive is to be repurposed and retained, complete sanitation of the data to the point of no recovery must be verifiable.
Optical media, such as CDs or DVDs, should be reduced to a maximum particle size of 160mm² (security level O-4, according to the DIN Standard 66399). Microfilm should be reduced to a level of F-4, or particles no larger than 2.5mm². Electronic digital media devices, such as USB drives and memory cards, should be destroyed to a minimum level of E-4, which stipulates particles be no larger than 30mm². Magnetic media, such as cassette tapes, floppy disks, or payment cards, should be destroyed to a minimum security level of T-4, according to DIN Standard 66399—meaning particles must be no larger than 160mm².
A Quick Word About Metal Payment Cards
Destruction of payment cards is becoming more difficult with the recent release and surge in popularity of metal credit and debit cards. These cards function no differently than their plastic predecessors. They have only increased in number because they score “style points” with consumers. The only real difference is the virtual inability of consumers to shred metal payment cards. Rather than destroy the cards themselves, consumers must now arrange for the issuer to do so, or use a disintegrator like the SEM Model DS-400 or 1012 Disintegrator.
Being PCI DSS compliant may not be a law, but it certainly is required for all merchants, financial institutions, and security printers. From creation to destruction, it is imperative that PII not be compromised at any point in the process. Be sure that any shredders you use destroy materials to the appropriate level so they cannot be reconstructed. Companies like SEM are very familiar with PCI DSS requirements and have the sophisticated shredding technology required for appropriate data destruction.
When you work in the secure printing industry, you’re working with Personally Identifiable Information (PII) every day. Regulations like the Fair and Accurate Credit Transaction Act (FACTA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and Intergraf have changed the way that we handle and process paper, credit cards, printing plates, and more. So, with all these rules and regulations, are you taking every step necessary when these prints reach the end of their life and need to be securely destroyed?
The Risks:
You may feel that your company or organization is doing a good job destroying data because you’ve been breach-free and have had no major security problems. But in private data and security, threats are constantly evolving, changing, and adapting to the systems that are in place. If you end up being the victim of a breach and word gets out, the following can happen:
– Loss of customers/clients and confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately, loss of jobs and going out of business
In fact, studies show that over 60 percent of small businesses that experience a breach never recover and end up going out of business within one year. To avoid this, you need to have a preemptive plan of how to destroy sensitive data correctly and efficiently.
Destruction Guidelines: What Do I Do?
Paper:
A high quality data destruction shredder can be used to shred all documents that contain any PII. According to FACTA, a shredder needs to make paper unreadable and unable to be recovered. For print, this includes shredding, pulverization, and burning. The NSA standard for print to be unrecoverable is a 1mm by 5mm particle size. A machine like the 244/4 High Security Paper Shredder would do the trick.
In Europe, GDPR pushes for more than just the secure destruction of PII. According to Article 17, the “Right to Erasure”, any consumer can request to have all their personal information wiped from a company at any given time. If a consumer makes the request, the company has 30 days to comply and remove all sensitive information it has on the individual. The GDPR standard for paper destruction is a 10mm particle size. The shredders on this Unclassified shredder list will meet the standard set forth by the GDPR while allowing you to choose a model that fits your workload.
Credit Cards:
When creating a new credit card, PII can be left behind before the card is even shipped out. Within the process of printing information on a new card, a printing plate is used to create the lettering, design, and some of the security features on the card. In the same manner, tipping foil that is used to personalize cards can have the numbers from the card left in the foil after use.
To maintain client security, all parts of the process must be properly destroyed, including the credit cards themselves. Intergraf, the European federation for print and digital communication, is a rising standard that is quickly being adopted in the secure printing industry. The most security-focused printers are choosing to become Intergraf certified, as more and more clients begin to request that their information be properly handled and destroyed. The standard for printing plates is DIN 66399 P-1, while for credit cards the standard is a minimum of P-5.
When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a size no one could recover. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs free of oil.
While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could not only save you money, but your entire job and company as a whole. Keep up to date with the latest standards and use high quality shredders to ensure that you maintain data securely and professionally for you and your clients.
Trends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.
NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.
Confidentiality and Media Types
Confidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.
Currently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.
Media Sanitization – Methodologies, Responsibilities, and Challenges
Three methodologies of media sanitization are defined by NIST 800-88 as follows:
Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory
Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of
Clear
One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.
Purge
A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device produces a build-up of electrical energy to create a magnetic field that removes the data from the device when discharged. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the gold standard.
Destroy
While clearing and purging provide adequate media sanitization involving less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII information such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.
Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while the best practice for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm². In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.
Responsibilities and Verification
While NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.
Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.
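The decision flow and verification rule described above can be written down as a small planning function. This is an added example, not part of the original article: the branch outcomes follow Figure 4-1 of NIST SP 800-88 Rev. 1, which the article references but does not reproduce, and the names, media labels and inventory are constructed. As a conservative assumption of this example, media other than magnetic is always destroyed, because the article describes overwriting and degaussing only for magnetic media.

```python
from dataclasses import dataclass
from typing import Optional

MAGNETIC, SOLID_STATE, HARD_COPY = "magnetic", "solid_state", "hard_copy"

# Shred sizes the article gives for destroyed electronic media.
SHRED_SIZE = {MAGNETIC: "19mm x random", SOLID_STATE: "9.5mm x random"}


@dataclass(frozen=True)
class Disposition:
    method: str                      # "clear", "purge" or "destroy"
    third_party_verification: bool   # needed only when the media is reused
    shred_size: Optional[str]        # set only when the media is destroyed


def flow_method(category, reuse, leaves_control):
    """Sanitization method from the three questions in the decision flow."""
    if category not in ("low", "moderate", "high"):
        raise ValueError("unknown security categorization: %r" % category)
    if category == "low":
        return "purge" if leaves_control else "clear"
    if not reuse:                    # moderate or high, no plan to reuse
        return "destroy"
    if category == "moderate":
        return "purge" if leaves_control else "clear"
    return "destroy" if leaves_control else "purge"   # high, reuse wanted


def disposition(media, category, reuse, leaves_control):
    method = flow_method(category, reuse, leaves_control)
    # Assumption of this example: clear (overwrite) and purge (degauss) are
    # described for magnetic media only, so everything else is destroyed.
    if media != MAGNETIC:
        method = "destroy"
    if method == "destroy":
        # Destroyed media needs no result verification.
        return Disposition("destroy", False, SHRED_SIZE.get(media))
    # Sanitized media that will be reused needs its result verified.
    return Disposition(method, reuse, None)


# Constructed inventory: (asset id, media, categorization, reuse, leaves control)
INVENTORY = [
    ("HDD-01", MAGNETIC, "low", True, False),
    ("HDD-02", MAGNETIC, "moderate", True, True),
    ("HDD-03", MAGNETIC, "high", True, True),
    ("HDD-04", MAGNETIC, "high", True, False),
    ("SSD-01", SOLID_STATE, "moderate", True, False),
    ("FOIL-01", HARD_COPY, "high", False, False),
]


def plan(inventory):
    """Map each asset id to its disposition."""
    return {asset: disposition(media, cat, reuse, leaves)
            for asset, media, cat, reuse, leaves in inventory}


if __name__ == "__main__":
    for asset, result in plan(INVENTORY).items():
        print(asset, result)
```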
Conclusion
NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that protects both PII and confidential information while reducing organizational liability. Determining proper policies is realized by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.