PCI Requirement 3.1 requires organizations to securely delete data that is not required to be retained for business or legal requirements. Why is complying with PCI Requirement 3.1 important? So that cardholder data cannot be recreated by malicious individuals.
PCI Requirement 3.1 states that organizations should, “Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes…” PCI Requirement 3.1 aligns with the methodology of many other PCI requirements: if you don't need it, get rid of it. It is acceptable to retain data that's required by contract, for business reasons, or for legal reasons. However, if you're retaining cardholder data that is not required, it becomes a liability for your organization. The PCI DSS states, “In order to define appropriate retention requirements, an entity first needs to understand their own business needs as well as any legal or regulatory obligations that apply to their industry, and/or that apply to the type of data being retained.”
During a PCI assessment, assessors need to examine your data retention and disposal policies, which should outline what data needs to be retained, where that data resides, why you're keeping it, and the length of time that you're keeping it. Assessors will then survey the data you have within your custody. Taking inventory is an important part of the assessment process; whether it's physical print media or electronic, assessors need to see where the data is located. After taking a sample of the data, assessors will compare the age of that data against your organization's data retention and disposal policies.
PCI DSS Data Retention Requirements
When the PCI DSS describes data retention requirements, it stipulates that cardholder data storage should be kept to a minimum. If you don't need it, get rid of it. Unless cardholder data needs to be retained for business or legal reasons, it needs to be securely deleted. Once it is past that point, it becomes a liability to your business.
Your organization's data retention and disposal policies, procedures, and standards should document how you securely delete information. Assessors expect that if data has been securely deleted, it can never be recreated. Print media should be shredded and electronic data should be overwritten on the hard drive. The process of securely deleting information can be either manual or automatic, and it should be run at least quarterly.
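The retention-and-disposal process described above (inventory the data, compare each item's age against the documented retention period, then securely dispose of what is no longer needed) can be scripted for the electronic side. The following is an added example, not code from the original article or from the PCI SSC; the policy entries, record locations and retention periods are constructed placeholders, not values from the PCI DSS.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of a data retention policy: what is kept, for how long, and why."""
    data_type: str
    retain_days: int
    reason: str


# Constructed sample policy (illustrative periods, not PCI DSS values).
POLICY = {
    "chargeback_records": RetentionRule("chargeback_records", 180, "dispute handling (business)"),
    "settlement_logs": RetentionRule("settlement_logs", 365, "tax and audit (legal)"),
    "authorization_logs": RetentionRule("authorization_logs", 90, "troubleshooting (business)"),
}


@dataclass(frozen=True)
class Record:
    """One inventoried item: where it lives, when it was created, and its medium."""
    data_type: str
    location: str      # file path for electronic data, box/shelf id for print media
    created: str       # ISO date, e.g. "2023-09-01"
    medium: str        # "file" or "paper"


def find_expired(records, policy, today):
    """Return records that are past their retention period, or that match no
    policy entry at all: in both cases the policy gives no reason to keep them."""
    now = date.fromisoformat(today)
    expired = []
    for r in records:
        rule = policy.get(r.data_type)
        age = (now - date.fromisoformat(r.created)).days
        if rule is None or age > rule.retain_days:
            expired.append(r)
    return expired


def secure_delete_file(path, passes=3):
    """Overwrite the file's bytes in place, sync to disk, then unlink it.
    Caveat: on SSDs and on journaling or copy-on-write filesystems an overwrite
    may not reach the original blocks; for those, encryption at rest with key
    destruction or device-level sanitization is the reliable route."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def dispose(records, policy, today):
    """Enforce the policy: overwrite-and-remove electronic records, and emit a
    shred instruction for print media so that action can be tracked to completion."""
    actions = []
    for r in find_expired(records, policy, today):
        if r.medium == "file":
            ok = secure_delete_file(r.location)
            actions.append((r.location, "overwritten and removed" if ok else "FAILED"))
        else:
            actions.append((r.location, "shred (physical media)"))
    return actions


def demo(today="2024-01-01"):
    """Build a constructed inventory in a temp dir and run one disposal cycle."""
    tmp = tempfile.mkdtemp()
    old_log = os.path.join(tmp, "auth-2023-09.log")
    recent_log = os.path.join(tmp, "settle-2023-09.log")
    for p in (old_log, recent_log):
        with open(p, "wb") as f:
            f.write(b"constructed sample record\n")  # placeholder, not real data
    inventory = [
        Record("authorization_logs", old_log, "2023-09-01", "file"),    # 122 days > 90
        Record("settlement_logs", recent_log, "2023-09-01", "file"),    # 122 days < 365
        Record("chargeback_records", "offsite-box-17", "2022-01-15", "paper"),  # > 180 days
        Record("marketing_export", "offsite-box-22", "2023-12-20", "paper"),    # no rule
    ]
    return dispose(inventory, POLICY, today)


if __name__ == "__main__":
    for location, outcome in demo():
        print(f"{location}: {outcome}")
```

Scheduling `dispose()` from a quarterly job and keeping its returned action list as evidence gives the assessor both the policy (`POLICY`) and proof that it was enforced; the paper entries come back as shred instructions because the script can only track, not perform, physical destruction.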
“Continuing on with the mantra of, ‘If you don't need it, you should get rid of it,’ we have to look at the assets or the information that you have within your custody. If you're storing credit card data, storing medical data, or storing client data because it's required by contract, for business reasons, for legal reasons – whatever the reason is, it's alright, there's nothing wrong with that – however, if you're maintaining this information and it's not required that you do so, it becomes a liability to your organization. PCI Requirement 3.1 states that if you don't need the data, you need to get rid of it. There are a couple of requirements around what that looks like. You either have to have a manual process where you're manually going through and looking at your physical inventory. You might have printed media, perhaps, residing in an offsite storage facility. You might have electronic data residing in a database or in flat files somewhere. When we start with the assessment of Requirement 3.1, we're going to ask for your Data Retention and Disposal Policies. These Data Retention Policies should state the type of data that you're keeping, why you're keeping it, and the length of time that you're keeping this data. The assessor will perform an inventory of where this data is located. Whether it be electronic or whether it be physical print media, we're going to be performing an inventory of where that media is at. We're going to be sampling that data, then comparing the life of that data against your Retention Policies and Procedures. Once again, if you need the data, there's no problem with keeping it. However, if you don't need it, it should be disposed of. We're then going to look at your Data Disposal Policies, Procedures, Standards, and documentation and look at how you're securely removing that information. This process of removing that information should be done at least quarterly.
It needs to be either a manual or automatic process, but the process needs to be run quarterly. We're going to look to see that you securely delete that data, understanding that ‘delete’ is different than the ‘secure delete’ function. When the term ‘secure delete’ is used, we're looking to ensure that the data can never ever be recreated or re-rendered. If it's print media, we're looking to see that it's been turned into confetti. If it's electronic media, we're looking to see that the data has been overwritten on a hard drive. Requirement 3.1 requires that if you do not need the data to support your business or your legal requirements, that data needs to be removed.”