How to Destroy Electronic Media

As part of your data disposal policies, PCI Requirement 9.8.2 requires, “Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” There are many methods for destroying electronic media, including:

  • Secure Wiping – Use a secure, industry-accepted form of wiping to render data on a hard drive unreadable.
  • Degaussing – Used to destroy data by demagnetizing a magnetic field on a tape.
  • Physical Destruction – Any method that physically, permanently destroys media, such as a hard drive shredder.

Taking steps to render cardholder data on electronic media unrecoverable helps your organization reduce the risk that a malicious individual finds or reproduces your electronic media. An assessor should review your policies and procedures relevant to PCI Requirement 9.8.2 to verify your compliance.

As part of your data destruction processes, where you encounter electronic media that might contain cardholder information, PCI Requirement 9.8.2 calls out the need to render that media unreadable. Like we’ve talked about in prior videos, whether it be a DoD wiping tool, a physical shredding tool that you run against a device to render it unreadable, or whether you’ve rendered it unreadable from an electronic or magnetic perspective, it’s really up to you how you meet this requirement. Your assessor should ask for you to demonstrate how you meet this requirement so that they can ascertain whether or not you’re doing the things that need to be done.

How to Dispose of Sensitive Documents

PCI Requirement 9.8.1 requires that you take two steps to securely dispose of sensitive documents:

  1. Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
  2. Secure storage containers used for materials that are to be destroyed.

Why do you need to use secure storage containers to secure materials that are going to be destroyed anyway? The use of secure storage containers prevents media from being compromised while it’s being collected and awaiting destruction. An assessor will need to examine your storage containers during the assessment to verify that they are secure.

PCI Requirement 9.8.1 lists three specific ways to dispose of sensitive documents (shred, incinerate, or pulp) because these are the most secure, permanent ways. The PCI DSS explains, “If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise.” There are more ways to dispose of sensitive documents than to shred, incinerate, or pulp, but whatever method you use, the media cannot be readable or reconstructed after you’re done with the disposal process.

PCI Requirement 9.8.1 requires that your organization shred, incinerate, or pulp hard-copy materials to render them unreadable. From a hard-drive perspective, sending it off to a shredding company and obtaining a certificate of destruction might be appropriate. At the end of the day, when you’re done with this media, whether it be printed material, tapes, or other electronic media, there is a plethora of ways that you could go about destroying the information. This requirement states that you physically destroy the media so that it can no longer be read after you are done with that process.

From an assessment perspective, we’re going to look at those processes. If you’re shredding material, if you’re degaussing the material, if you’re using a military-grade wiping tool, we’re going to look to see how you’re performing that. We might even ask you to demonstrate it. The testing of this is really not cut and dried. We need to ascertain that what you’re doing renders that media unreadable.

Data Disposal Policies

PCI Requirement 9.8 aligns with the methodology of many other PCI requirements: If you don’t need it, get rid of it. Remember PCI Requirement 3.1? It requires that organizations keep cardholder data storage to a minimum by implementing data retention and data disposal policies and procedures. PCI Requirement 9.8 is similar. It requires that organizations destroy media when it is no longer needed for business or legal reasons, and outlines a few ways to do so, including:

  • Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
  • Use secure storage containers for materials that are to be destroyed.
  • Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

If steps are not taken to destroy media when it is no longer needed, the level of risk increases. Data disposal policies help prevent malicious individuals from finding information that they could use to launch an attack. Think about what’s in your organization’s trash. Does anything in it contain cardholder data?

You are required to destroy any physical media that might contain cardholder information when it is no longer needed for legal or business purposes. This ties into PCI Requirement 3.1, which requires that you have data disposal and data retention policies. The assessor is going to be looking at those data disposal and data retention policies and then looking at your physical print media to make sure that you’re in adherence with your own policies and procedures.

Importance of Inventory Logs

As a part of maintaining strict control over the storage and accessibility of media, PCI Requirement 9.7.1 states, “Properly maintain inventory logs of all media and conduct media inventories at least annually.” Inventory may seem like an overwhelming, massive task to complete every year, but it’s completely necessary. The PCI DSS explains, “If media is not inventoried, stolen or lost media may not be noticed for a long time or at all.”

The testing procedure for PCI Requirement 9.7.1 outlines that media inventory logs must be reviewed by an assessor to verify that inventory logs have been maintained and media inventories were performed at least annually. If the inventory logs indicate that media wasn’t where it was expected to be, an assessor will want to see what you did to account for that specific media.

As part of maintaining strict control over access to the media that you might have off-site, we need to make sure that wherever that media is stored undergoes an inventory at least annually. I know it’s a cumbersome chore to do, but it’s absolutely necessary that it be done. Not too long ago, there was a story that broke about a very large retail merchant whose tapes were sent to a third party in an unauthorized way. That company had to declare a breach; it affected their stock price for a period of time, and they’ve since recovered. But as part of that, you need to understand where your media is. In order to do that, at least annually you’re going to be performing an inventory of any media that’s stored off-site.

As part of the assessment, we’re going to be asking for an artifact, whether that be an email or handwritten note, that you have collected and retained that denotes that you’ve visited wherever your media is stored off-site and all of the media was there. If it wasn’t where it was expected to be, we want to see what you did to account for that media.
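The reconciliation an assessor expects under PCI Requirement 9.7.1, as an added example that is not part of the original post: the inventory log is compared against what the annual physical check actually sighted, every missing, misplaced or unlogged item is reported so it can be accounted for, and the date of the last inventory is checked against the annual deadline. The record layout, media identifiers, locations and dates are all constructed for the example.

```python
"""Reconcile a media inventory log against an annual physical check (PCI DSS 9.7.1).

Added example, not from the original page. Record format and sample data are constructed.
"""
from datetime import date

# Constructed inventory log: what the organization believes it holds and where.
INVENTORY_LOG = [
    {"media_id": "TAPE-0001", "location": "offsite-vault-A", "contains_chd": True},
    {"media_id": "TAPE-0002", "location": "offsite-vault-A", "contains_chd": True},
    {"media_id": "HDD-0107", "location": "hq-safe", "contains_chd": False},
    {"media_id": "TAPE-0003", "location": "offsite-vault-B", "contains_chd": True},
]

# Constructed result of the physical inventory: media actually sighted, and where.
PHYSICAL_CHECK = {
    "date": date(2023, 6, 1),
    "sighted": {
        "TAPE-0001": "offsite-vault-A",
        "HDD-0107": "hq-safe",
        "TAPE-0003": "offsite-vault-A",  # logged as vault-B, found in vault-A
    },
}


def reconcile(inventory_log, physical_check):
    """Return (media_id, finding, contains_chd) for every item the check cannot confirm."""
    expected = {m["media_id"]: m for m in inventory_log}
    sighted = physical_check["sighted"]
    findings = []
    for media_id, entry in expected.items():
        if media_id not in sighted:
            findings.append((media_id, "missing", entry["contains_chd"]))
        elif sighted[media_id] != entry["location"]:
            findings.append((media_id, "misplaced", entry["contains_chd"]))
    # Media that was sighted but never logged is also a control failure.
    for media_id in sighted:
        if media_id not in expected:
            findings.append((media_id, "unlogged", None))
    return findings


def inventory_overdue(last_check_date, today, max_days=365):
    """True when the most recent inventory is older than the annual requirement."""
    return (today - last_check_date).days > max_days


if __name__ == "__main__":
    for media_id, finding, chd in reconcile(INVENTORY_LOG, PHYSICAL_CHECK):
        print(f"{media_id}: {finding}" + (" (contains cardholder data)" if chd else ""))
    print("inventory overdue:", inventory_overdue(PHYSICAL_CHECK["date"], date.today()))
```

Any "missing" finding on media flagged as containing cardholder data is the case the assessor will ask you to account for, so the retained artifact should record both the finding and the follow-up.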

Storage and Accessibility of Media

What if your organization lost cardholder data, but didn’t even know it? Without inventory methods for media and data storage requirements, stolen or missing media could go unnoticed for a long time or maybe not noticed at all. This is why PCI Requirement 9.7 requires, “Maintain strict control over the storage and accessibility of media.” If you do not feel confident about knowing where your data is stored and who has accessed it, how do you plan to protect it?

One of the most common inventory methods to control the storage and accessibility of media is logs. Data storage requirements help control who has access to your media and cardholder data. Documenting the inventory of your media at least annually helps your organization comply with PCI Requirement 9.7, and it helps an assessor verify that your logs match up with your data storage requirements, policies, and procedures.

You need to maintain strict control over the individuals or organizations that might have access to any of this physical media that might contain sensitive information. PCI Requirement 9.7 has numerous controls that speak to that; go ahead and watch the next set of videos that walk through the sub-requirements of PCI Requirement 9.7 and what you need to do in order to maintain compliance with those requirements.