FAQ: The Payment Card Industry Data Destruction Standard
If your business processes customer payments via credit card, then you’ll need to be aware of the Payment Card Industry Data Security Standard (PCI-DSS). This standard is a proprietary information security standard that comes from the major card providers and general schemes.
More than 510 million records with sensitive information have been breached since January 2005, and merchants just like you are processing the card transactions that are most vulnerable. This makes the PCI-DSS an imperative standard that you should use to thwart theft of cardholder data.
Compliance with the PCI-DSS helps to alleviate vulnerabilities and protect cardholder data, set by the PCI Security Standards Council. Here’s what you should know about the PCI-DSS and how to pick a vendor like Securis that can keep your data safe throughout your IT equipment’s entire life cycle.
Overview of PCI Standard Requirements
Any organization that handles payment cards, including debit and credit cards, must meet requirements of the standard either directly or through a compensating control — which can be achieved by using a vendor for some aspects of your service.
The good news is that most card payment processing services available to businesses will comply with PCI DSS. And, it is relatively simple for you to find proof of certification and compliance.
Please note that compensating controls are not always allowed and must be approved on a case-by-case basis by a PCI QSA. Failure to meet the PCI DSS requirements may result in fines or termination of credit card processing privileges.
The standard has 12 different requirements that fall into roughly six broad categories and needs: you must build and maintain a secure network; you must protect cardholder data during usage, storage, and destruction; implement strong control measures; start a vulnerability management program; test your network continually; and implement a broader information security policy.
The PCI Security Standards Council has provided a very thorough documentation of changes and requirements, including their intent, in this PDF document: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
12 Things You Need for PCI DSS Compliance
The PCI DSS 12 requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Our Role in Your Information Security Policy
The 12th step in your PCI DSS compliance is to develop and maintain a policy that addresses information security for employees and contractors.
This strong security policy is a framework to create the security tone for your company and contractors. All should be aware of the sensitivity of data and their responsibilities for protecting it. The requirement includes all full-time and part-time employees as well as temporary employees and personnel, and contractors and consultants who are “resident” on your site.
Contractors who have access to your data, even if it is not attached to your system backend, are required to understand and comply with broader data protections and remote access restriction.
You’ll need to ensure that your personnel don’t store or copy cardholder data onto their local personal computer or other media — your company should have a policy that clearly prohibits such activities. Securis provides this assurance for all of the data we destroy — a requirement of the standard as well — with a process you can audit or one your staff can personally witness.
This allows your business to stay in compliance and continue the ability to process credit cards, making it easier to do business and to grow your operations.
We also ensure that no cardholder data is accessed for any purpose other than verification of destruction. Plus, we perform thorough background checks of all personnel, ensuring compliance with Section 12.7.
To comply with the vendor statutes in 12.8, Securis will keep a list of all employees who access your data, give you full vetting information, and acknowledge our requirements, roles, and responsibilities for protecting the cardholder data you use.
So, we’ll destroy all of the data on older systems as wells the hardware itself, ensuring that cardholder data never finds its way into nefarious hands. Contact us right now to make sure you can completely destroy your data, preventing risk from lawsuits, fines, and loss of customers.
Our goal is to keep you safe, so you can focus on your goal of growing your business.
Also, you can see the Security Standards Council’s full reference guide for PCI DSS here: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf