Data Disposal Policies
PCI Requirement 9.8 aligns with the methodology of many other PCI requirements: If you don’t need it, get rid of it. Remember PCI Requirement 3.1? It requires that organizations keep cardholder data storage to a minimum by implementing data retention and data disposal policies and procedures. PCI Requirement 9.8 is similar. It requires that organizations destroy media when it is no longer needed for business or legal reasons, and outlines a few ways to do so, including:
- Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
- Use secure storage containers for materials that are to be destroyed.
- Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
If steps are not taken to destroy media when it is no longer needed, the level of risk increases. Data disposal policies help prevent malicious individuals from finding information that they could use to launch an attack. Think about what’s in your organization’s trash. Does anything in it contain cardholder data?
You are required to destroy any physical media that might contain cardholder information when it is no longer needed for legal or business purposes. This is kind of a hook into PCI Requirement 3.1, where it’s required that you have data disposal and data retention policies. The assessor is going to be looking at those data disposal and data retention policies and then looking at your physical print media to make sure that you’re in adherence with your own policies and procedures.