PCI Requirement 9.8.2 – Render CHD on Electronic Media Unrecoverable
How to Destroy Electronic Media
As part of your data disposal policies, PCI Requirement 9.8.2 requires, “Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” There are many methods for destroying electronic media, including:
- Secure Wiping – Use a secure, industry-accepted form of wiping to render data on a hard drive unreadable.
- Degaussing – Destroys data on magnetic media, such as tape, by demagnetizing it so the recorded magnetic field is eliminated.
- Physical Destruction – Any method that physically, permanently destroys media, such as a hard drive shredder.
Taking steps to render cardholder data on electronic media unrecoverable helps your organization reduce the risk that a malicious individual finds your discarded electronic media and reconstructs the data on it. An assessor should review your policies and procedures relevant to PCI Requirement 9.8.2 to verify your compliance.
As part of your data destruction processes, where you encounter electronic media that might contain cardholder information, PCI Requirement 9.8.2 calls out the need to render that media unreadable. As we’ve talked about in prior videos, it’s really up to you how you meet this requirement: a DoD wiping tool, a physical shredding tool that you run against a device to render it unreadable, or rendering it unreadable from an electronic or magnetic perspective all qualify. Your assessor should ask you to demonstrate how you meet this requirement so that they can ascertain whether or not you’re doing the things that need to be done.
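As an added example (not part of this page or the PCI DSS text), here is the secure-wiping method described above carried through on a constructed file-backed media image: random overwrite passes, a final zero pass, and a verification step that confirms no PAN-like digit runs remain, which is the kind of evidence an assessor asks you to demonstrate. It assumes a POSIX shell with dd, tr and grep; the image, the test PAN and the pass count are constructed assumptions, and a file overwrite is only a stand-in for running the same procedure against a real block device.

```shell
#!/bin/sh
# Added example: overwrite a media image in place, then verify no cardholder data survives.
# A file-backed image stands in for the device. On SSDs an overwrite like this does not
# reach remapped blocks, so use the drive's own sanitize/secure-erase command there.

WIPE_PASSES=3   # constructed: random passes before the final zero pass

# Build a constructed 64 KiB image holding a test PAN (4111... is a test number, not a real card).
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    printf 'CUSTOMER RECORD PAN=4111111111111111 EXP=12/30' |
        dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Count 13-19 digit runs in the image; each one is a PAN candidate (no Luhn check here).
count_pan_candidates() {
    n=$(LC_ALL=C tr -c '0-9' '\n' < "$1" | grep -cE '^[0-9]{13,19}$') || true
    echo "${n:-0}"
}

# Overwrite every block: WIPE_PASSES passes of random data, then one pass of zeros.
overwrite_image() {
    img=$1
    blocks=$(( $(wc -c < "$img") / 1024 ))
    pass=1
    while [ "$pass" -le "$WIPE_PASSES" ]; do
        dd if=/dev/urandom of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
        pass=$((pass + 1))
    done
    dd if=/dev/zero of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
    sync
}

# Evidence step: succeed only if every byte is zero and no PAN candidate remains.
verify_wiped() {
    nonzero=$(LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ] && [ "$(count_pan_candidates "$1")" -eq 0 ]
}

# Stand-alone run: build the image, show CHD is present, wipe it, verify the result.
demo_img=$(mktemp)
make_sample_image "$demo_img"
echo "PAN candidates before wipe: $(count_pan_candidates "$demo_img")"
overwrite_image "$demo_img"
verify_wiped "$demo_img" && echo "wipe verified: no recoverable data in $demo_img"
rm -f "$demo_img"
```

Keep the verification output (and the device serial, operator and date) with your disposal records; that log, not the wipe command itself, is what you show the assessor.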