PCI DSS Data Retention
When processing your customers’ payment information, it’s extremely important to handle all vulnerable data with care and caution to avoid risking any breaches.
PCI DSS Data Retention & Disposal Policies
Not only is this important for you to retain customer trust and loyalty – but following the correct PCI DSS data retention requirements is mandatory for compliance.
Requirement 3.1 of the PCI DSS policy states that companies need to follow strict data retention and disposal procedures so that any data that is no longer needed for legal, contractual, or business purposes is removed safely and efficiently. Any data that must be stored must be tightly secured if there is an authorised business need that has been recorded for future reference.
All organisations that take credit card payments will need to review their data retention and disposal requirements once a year to assess whether the way this information is stored or removed is still completely secure and effective.
Which data is protected under the PCI DSS data retention policy?
PCI DSS data retention requirements protect a customer’s credit card information from the risk of a data breach after a transaction. This information includes the card’s sensitive authentication and the cardholder data.
Sensitive authentication data should not be stored by the business under any circumstances according to PCI DSS data retention requirements. This private data includes PIN numbers and the CVV2, CVC2, CAV2, and CID codes – essentially, any Track 1 or 2 information stored within the magnetic stripe or the chip on a physical card.
Any of this pre-authorisation data will be retained only briefly by the business and cannot be kept after the completion of a transaction.
Which data can be stored under PCI DSS data retention requirements?
The PCI DSS data retention requirements allow certain elements of cardholder data to be retained if it is required by the business. This includes the primary account number (PAN), the cardholder’s name, the service code, and the expiration date.
This data should only be stored whilst waiting for the payment to be authorised. However, if the cardholder’s name, service code, and expiration date are not stored alongside the PAN, the information can be retained for up to two years.
Organisations storing data should also keep system and audit logs showing access that needs to be retained for at least a year. These logs should also be available online for 90 days.
What are the PCI DSS encryption requirements for stored data?
One of the core requirements when retaining stored data is ensuring that the PAN information kept is unreadable. This needs to be the case in all media, including portable digital media, logs, and backup media.
There are a few different software solutions that make this possible. These include strong cryptography and one-way hash functions based on this. These one-way hash functions display only index data pointing to database records that contain the sensitive data.
You could also opt for truncation, which is the process of removing a data segment – most commonly, this is done to display just the last four digits.
Additionally, you could employ index tokens and securely stored pads. This is an encrypted algorithm that combines the vulnerable text data with a random key that works only once.
When should this data be deleted?
There are several reasons that cardholder data will need to be destroyed under PCI DSS data retention requirements.
If the relevant legislation that allows the information to be stored is amended or removed, the data should also be destroyed. Similarly, the data should be disposed of if the purpose of the storage is no longer applicable or cannot be found.
Cardholder data should also be deleted when the maximum period for data storage – two years – ends. This period cannot be extended under any circumstances.
How does disposal work under PCI DSS data retention requirements?
The PCI DSS data retention policy states that all sensitive and credit card data must be destroyed when it is no longer officially required by the business. There are several different disposal techniques that depend on how the data was collected.
One such process is de-magnetisation, which uses a device with an extremely high magnetic field to distort the media data through exposure. Similarly, magnetic and optical media can be disposed of by overwriting the encryption. This involves using software to write over the data using just 0 and 1 characters at least seven times, which will remove the ability to access and recover the old information.
For many systems and forms of media, there is a ‘delete data’ option but this will not destroy the data. To guarantee this data is destroyed forever, physical destruction is required – this could be through melting, burning, crushing, or any other physical method. This is necessary for CDS, DVDs, mobile phone SIM cards, and fixed memory areas. This also applies to peripherals containing data recording media, switches, routers, and similar network devices.
Additionally, flash-based hard drives including SATA and SCSI should be destroyed through the block-erase command. If this isn’t supported on the hard drive, then these should also be physically destroyed using the same techniques.
Whilst awaiting disposal, paper copies containing cardholder information would need to be stored in a secured, locked container to prevent anyone from accessing them. These paper copies must then be either cross-cut shredded, pulped, or incinerated, depending on the organisation’s preferred method.
The organisation should also implement an annual review process to ensure that the process of identifying and deleting vulnerable cardholder data is still working to industry standards and following all PCI DSS data retention requirements.
Keep on top of your PCI DSS data retention policy with Hicomply
Keeping on top of all the information and documentation you need to remain PCI DSS compliant, including PCI DSS data retention requirements, can be extremely difficult if you try to do it manually. Given that there’s a lot to consider when holding customers’ cardholder data, any mistakes could be detrimental to your business.
Thanks to Hicomply’s full-service ISMS platform, this all-important information can be accessed in just one place. This reduces the stress involved during this process, giving your business one less thing to worry about when it comes to your security compliance. Get in touch today for more details.
Ready to Take Control of Your Privacy Compliance?
Book a demo and experience the difference with Hicomply.