PCI Requirement 3.1 – Keep Cardholder Data Storage to a Minimum

by Randy Bartels / July 28th, 2017

PCI Requirement 3.1 requires organizations to securely delete cardholder data that they are not required to retain for business or legal reasons. Why does complying with PCI Requirement 3.1 matter? Because cardholder data that you no longer hold cannot be stolen, and data that has been securely deleted cannot be recovered and misused by malicious individuals.

PCI Requirement 3.1 states that organizations should, “Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes…” PCI Requirement 3.1 aligns with the methodology of many other PCI requirements: If you don’t need it, get rid of it. It is acceptable to retain data that’s required by contract, for business reasons, or for legal reasons. However, if you’re retaining cardholder data that is not required, it becomes a liability for your organization. The PCI DSS states, “In order to define appropriate retention requirements, an entity first needs to understand their own business needs as well as any legal or regulatory obligations that apply to their industry, and/or that apply to the type of data being retained.”

During a PCI assessment, assessors need to examine your data retention and disposal policies, which should outline what data needs to be retained, where that data resides, why you’re keeping it, and the length of time that you’re keeping it. Then, assessors will survey the data you have within your custody. Taking inventory is an important part of the assessment process; whether it’s physical print media or electronic, assessors need to see where the data is located. Then, after taking a sample of the data, assessors will compare the life of that data against your organization’s data retention and disposal policies.

PCI DSS Data Retention Requirements

When the PCI DSS describes data retention requirements, it stipulates that cardholder data storage should be kept to a minimum. If you don’t need it, get rid of it. Unless cardholder data needs to be retained for a documented business or legal reason, it must be securely deleted. Once data is held beyond that point it is a liability to your business: it earns you nothing, but it is still in scope for the assessment and still exposed if you are breached.

Your organization’s data retention and disposal policies, procedures, and standards should document how you securely delete information. Assessors expect that data which has been securely deleted can never be recovered. Print media should be cross-cut shredded, and electronic data should be overwritten before the file is removed, not simply deleted, because a normal delete leaves the contents on disk. One caveat a practitioner should build into the procedure: overwriting in place is not reliable on SSDs, on journaling or copy-on-write filesystems, or where snapshots and backups hold older copies of the data, so for that media use the device’s sanitize function or cryptographic erase (see NIST SP 800-88), and treat backups as storage locations that the retention policy also covers. The process of identifying and securely deleting data that has exceeded its retention period may be manual or automated, but it must run at least quarterly.
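The quarterly sweep described above and in the assessment walkthrough (inventory where cardholder data resides, compare the age of each item against the retention period, securely delete what has expired, and keep a report that an assessor can review) as an added, runnable Python example. This is not code from the original post or from any PCI Council material. The 90-day retention period, the directory layout, the file names and their contents are constructed assumptions for the demonstration; the card numbers are publicly known test numbers, not real PANs.

```python
import os
import re
import tempfile
import time

RETENTION_DAYS = 90  # assumed policy value for this example; PCI leaves it to you
DAY = 86400
# 13-19 digits, optional single space/dash separators, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes, most order/ticket numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def secure_delete(path: str) -> None:
    """Overwrite the file in place with random bytes, fsync, then unlink.
    Caveat: on SSDs, journaling/copy-on-write filesystems and snapshots the old
    blocks can survive an overwrite; use device sanitize or crypto-erase there
    (NIST SP 800-88). Nothing in this sweep logs the PANs themselves."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, 1 << 16):
            f.write(os.urandom(min(1 << 16, size - offset)))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)

def retention_sweep(root, retention_days, now=None, delete=False) -> list:
    """Inventory files under root, find stored PANs, compare file age to policy.
    Returns one dict per file holding PANs with action 'retain' (within policy),
    'flag' (expired, dry run) or 'deleted' (expired and delete=True)."""
    now = time.time() if now is None else now
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                pans = find_pans(f.read())
            if not pans:
                continue
            age_days = int((now - os.path.getmtime(path)) // DAY)
            if age_days <= retention_days:
                action = "retain"
            elif delete:
                secure_delete(path)
                action = "deleted"
            else:
                action = "flag"
            report.append({"path": path, "pan_count": len(pans),
                           "age_days": age_days, "action": action})
    return sorted(report, key=lambda r: r["path"])

def build_sample_inventory(root: str, now: float) -> None:
    """Constructed sample data: public test card numbers, backdated mtimes."""
    samples = {  # relative path: (content, age in days)
        "exports/settlement_2016.csv":
            ("txn,pan,amount\n1,4111111111111111,10.00\n2,5555 5555 5555 4444,20.00\n", 400),
        "logs/app.log": ("2017-07-01 auth ok card=4012888888881881\n", 10),
        "docs/readme.txt": ("order 1234567890123 shipped\n", 400),  # fails Luhn
    }
    for rel, (content, age) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
        os.utime(path, (now - age * DAY, now - age * DAY))

def run_demo(delete: bool = True) -> dict:
    """Run the sweep against the constructed inventory in a temp directory."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        build_sample_inventory(root, now)
        report = retention_sweep(root, RETENTION_DAYS, now=now, delete=delete)
        for row in report:
            row["path"] = rel(row["path"])
        survivors = sorted(rel(os.path.join(d, n))
                           for d, _, names in os.walk(root) for n in names)
    return {"report": report, "survivors": survivors}

if __name__ == "__main__":
    print(run_demo(delete=False))
```

Run it first with delete=False: the report (paths, counts and ages, never the PANs) is the inventory-and-sampling evidence an assessor asks for, and the `flag` rows are what the quarterly process must dispose of. Only then run with delete=True. The Luhn filter is what keeps the 13-digit order number in the constructed readme out of the report; the 400-day-old settlement export is deleted, the 10-day-old log is retained.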

“Continuing on with the mantra of ‘If you don’t need it, you should get rid of it,’ we have to look at the assets or the information that you have within your custody. If you’re storing credit card data, storing medical data, or storing client data because it’s required by contract, for business reasons, for legal reasons – whatever the reason is, it’s alright, there’s nothing wrong with that – however, if you’re maintaining this information and it’s not required that you do so, it becomes a liability to your organization. PCI Requirement 3.1 states that if you don’t need the data, you need to get rid of it. There are a couple of requirements around what that looks like. You either have to have a manual process where you’re manually going through and looking at your physical inventory. You might have printed media, perhaps, residing in an offsite storage facility. You might have electronic data residing in a database or in flat files somewhere. When we start with the assessment of Requirement 3.1, we’re going to ask for your Data Retention and Disposal Policies. These Data Retention Policies should state the type of data that you’re keeping, why you’re keeping it, and the length of time that you’re keeping this data. The assessor will perform an inventory of where this data is located. Whether it be electronic or whether it be physical print media, we’re going to be performing an inventory of where that media is. We’re going to be sampling that data, then comparing the life of that data against your Retention Policies and Procedures. Once again, if you need the data, there’s no problem with keeping it. However, if you don’t need it, it should be disposed of. We’re then going to look at your Data Disposal Policies, Procedures, Standards, and documentation and look at how you’re securely removing that information. This process of removing that information should be done at least quarterly. It needs to be either a manual or automatic process, but the process needs to be run quarterly. We’re going to look to see that you securely delete that data, understanding that ‘delete’ is different from the ‘secure delete’ function. When the term ‘secure delete’ is used, we’re looking to ensure that the data can never ever be recreated or re-rendered. If it’s print media, we’re looking to see that it’s been turned into confetti. If it’s electronic media, we’re looking to see that the data has been overwritten on a hard drive. Requirement 3.1 requires that if you do not need the data to support your business or your legal requirements, that data needs to be removed.”