Payment Card Industry Data Security Standard (PCI DSS)
Covered Entities: Organizations that Process, Store, or Transfer Consumer Credit Card Information
Governed by the Payment Card Industry Security Standards Council (PCI SSC)
Governed by the Payment Card Industry Security Standards Council (PCI SSC), the Payment Card Industry Data Security Standard (PCI DSS) was formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express in an effort to secure credit and debit card transactions against fraud and theft. PCI DSS compliance requires covered entities to protect customer credit card data including personally identifiable information (PII), credit and debit card numbers and CVV, and other sensitive information used in the processing and transfer of payment cards. As part of PCI DSS, PCI Requirement 3.1 mandates that organizations securely dispose of data that is not otherwise legally required to be maintained by stating that organizations should “Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes…” In other words, if you don’t need it, don’t store it.
The only time it is acceptable to retain cardholder data is when it is legally required. Retaining cardholder data that is not legally required is nothing more than a huge liability for any organization. PCI DSS covers organizations that process, store, or transmit payment card data, including any company or store that sells goods or services and processes credit cards; service providers that process credit card details and data as part of their service or product, such as payment processors or ATM manufacturers; banks that house and process credit and debit card information; and secure printers that print debit and credit cards.
While PCI DSS requires that cardholder data must be destroyed unless legally mandated otherwise, it does not mandate a specific data destruction methodology. That said, the penalties for non-compliance with PCI DSS’s data disposal requirements are severe. As such, covered entities should have a clear policy to dispose of any and all data no longer needed, including both hardcopy information as well as electronic media such as hard drives, removable storage, servers, and any other forms of recordable media.
Best practice for PCI Requirement 3.1 compliance includes following NIST 800-88 data disposal requirements. All of SEM’s high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of PCI DSS covered data following NIST 800-88 protocols.