What is PCI DSS?
To counter rising payment card fraud and protect cardholders, the world's top payment card brands (Visa, MasterCard, American Express, Discover, and JCB) came together in 2004 to form the Payment Card Industry Security Standards Council (PCI SSC). The council released the first unified set of payment card security standards, the PCI DSS (Payment Card Industry Data Security Standard): a set of requirements that financial institutions and banks must comply with when managing cardholder data.
The standard provides a framework for every organization that processes, accepts, stores, or exchanges cardholder data and sensitive authentication data. Its aim is to prevent threats to identity and payment card data by maintaining a secure environment for data storage and by requiring a secure data retention and disposal policy. Organizations that need to comply with PCI DSS include banks, financial institutions, issuers, retailers, service providers, merchants, e-commerce websites, and similar entities.
Data Protected Under PCI DSS
PCI DSS protects two types of payment card data: cardholder data and sensitive authentication data. Cardholder data comprises the cardholder's name, primary account number (PAN), card expiry date, and the card service code. Sensitive authentication data, on the other hand, includes the card PIN and the data contained within the magnetic stripe on the back of a payment card, such as the CVV2, CVC2, CAV2, and CID codes. Sensitive authentication data must not be stored by merchants at any point in time.
PCI DSS Data Erasure Requirements
PCI DSS compliance requires banks and related entities to protect their customers' data against accidental or unauthorized access, destruction, alteration, or unauthorized use. Having a solid data destruction solution in place is an effective way to meet PCI DSS requirements and safeguard cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) requires that all debit and credit card information be destroyed once it is no longer required for legal or business purposes, which means that the entities concerned must remove all data that is no longer necessary for the purposes for which it was collected. Data-bearing documents and devices that need to be destroyed for compliance include hardcopy records as well as electronic media such as hard drives, flash storage, network devices, servers, and other forms of recordable media. Let us look at the detailed data erasure requirements prescribed in the PCI DSS guidelines.
1. Protect Stored Cardholder Data
PCI DSS, in its requirement 3.1, prescribes a formal data retention and disposal policy that describes the kind of data that needs to be retained, where it is stored, and how it is destroyed or completely wiped from electronic devices once it is no longer needed. The standard states that the only data that may be stored after card authorization is the PAN (which should be masked and rendered unreadable), expiration date, cardholder name, and service code. The standard also states that "In order to define appropriate retention requirements, an entity first needs to understand their own business needs as well as any legal or regulatory obligations that apply to their industry, and/or that apply to the type of data being retained."
PCI DSS 3.1.a requires organizations to examine their data retention and disposal policies and procedures and ensure that:
- Companies limit the amount of data stored and its retention time to what the business, legal, and regulatory requirements demand, and specify a defined retention period for cardholder data.
- Companies define secure deletion processes for data that is no longer required.
- Companies define a quarterly process to identify and securely delete data that has exceeded its retention requirements.
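The three requirements above describe one workflow: refuse to persist sensitive authentication data, store only the permitted post-authorization fields with the PAN masked for display, and sweep the store on a schedule to identify and delete records past their retention period while logging each disposal for the audit trail. The script below is an added example written for this page, not BitRaser's or the PCI SSC's code. The record schema, the 180-day retention period, the sample records, and the choice to mask all but the last four PAN digits are assumptions; the real retention period comes from the entity's own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Sensitive authentication data (SAD): must never be persisted after authorization.
SAD_FIELDS = ("pin", "cvv2", "cvc2", "cav2", "cid", "magnetic_stripe")

# Retention period for post-authorization cardholder data.
# Hypothetical value: the real figure comes from the entity's retention policy.
RETENTION_DAYS = 180


@dataclass
class CardholderRecord:
    record_id: str
    pan: str              # primary account number
    cardholder_name: str
    expiry: str           # MM/YY
    service_code: str
    stored_on: date


def mask_pan(pan: str) -> str:
    """Mask a PAN for display. Showing only the last four digits is an assumed local policy."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def validate_for_storage(fields: dict) -> CardholderRecord:
    """Build a storable record from incoming fields, refusing anything that carries SAD."""
    leaked = [name for name in SAD_FIELDS if fields.get(name)]
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {leaked}")
    mask_pan(fields["pan"])  # reject malformed PANs before they are persisted
    return CardholderRecord(
        record_id=fields["record_id"],
        pan=fields["pan"],
        cardholder_name=fields["cardholder_name"],
        expiry=fields["expiry"],
        service_code=fields["service_code"],
        stored_on=fields["stored_on"],
    )


def find_expired(records, today: date, retention_days: int = RETENTION_DAYS):
    """Sweep step 1: identify records stored before the retention cutoff."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r.stored_on < cutoff]


def run_quarterly_sweep(store: dict, today: date) -> list:
    """Sweep step 2: delete expired records and return disposal log entries.

    Removing the record from the application store is only the logical deletion;
    disk and backup copies still need a media-level wipe, which is the subject
    of requirement 9.8. The log keeps only the masked PAN.
    """
    log = []
    for rec in find_expired(list(store.values()), today):
        del store[rec.record_id]
        log.append({
            "record_id": rec.record_id,
            "pan_masked": mask_pan(rec.pan),
            "disposed_on": today.isoformat(),
            "reason": f"exceeded {RETENTION_DAYS}-day retention",
        })
    return log


# Constructed sample data for a stand-alone run (not real cardholder records).
SAMPLE_TODAY = date(2024, 4, 1)


def make_sample_store() -> dict:
    records = [
        CardholderRecord("r1", "4111111111111111", "A. Holder", "12/26", "201", date(2023, 6, 15)),
        CardholderRecord("r2", "5555555555554444", "B. Holder", "03/27", "101", date(2024, 2, 20)),
        CardholderRecord("r3", "378282246310005", "C. Holder", "09/25", "201", date(2023, 9, 30)),
    ]
    return {r.record_id: r for r in records}


if __name__ == "__main__":
    store = make_sample_store()
    for entry in run_quarterly_sweep(store, SAMPLE_TODAY):
        print(entry)
    print("remaining:", list(store))
```

With the sample data and today set to 2024-04-01, the 180-day cutoff falls on 2023-10-04, so records r1 and r3 are disposed of and r2 remains. In a real deployment the disposal log would be written to the same retained audit trail that requirement 10.7 covers, and the deleted records' storage would be wiped at the media level as required by 9.8.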
2. Restrict Physical Access to Cardholder Data
The Payment Card Industry Data Security Standard, in its requirement 9.8, specifically mandates the destruction of data-bearing media once it has served its purpose and is no longer needed for business or legal reasons. It requires the companies concerned and their service providers to render cardholder data on any electronic media unrecoverable, either through a secure wiping program that follows industry-accepted standards for secure deletion or through physical destruction. The requirement exists because data left on retired media can be recovered and lead to a breach.
3. Track and Monitor Network Access
PCI DSS requirement 10.7 requires companies to retain audit trail history for at least one year, with a minimum of three months of logs immediately available for analysis (online, archived, or on a backup). This lets investigators determine how long a potential breach has lasted and which systems were affected. Organizations should thus keep track of how long they have stored data and whether it has been erased or destroyed, which in turn helps them demonstrate compliance with PCI DSS.
Penalties and Risks of PCI DSS Non-Compliance
Companies found in violation of PCI DSS risk losing their ability to process payment card transactions, and are exposed to penalties and strict audits. According to the PCI Compliance Guide, organizations found to be in breach of PCI DSS can be fined $5,000 to $100,000 per month by the payment card brands. Furthermore, in such cases, banks may increase transaction fees or terminate the relationship altogether.
How Can BitRaser Data Erasure Help in PCI DSS Compliance?
Data erasure is an important part of PCI DSS compliance, because it lets organizations ensure that data is completely destroyed. BitRaser Data Erasure solutions offer complete peace of mind to all entities that require data destruction for PCI DSS compliance. BitRaser software seamlessly wipes data beyond recovery from all drives and devices, including PCs, laptops, and servers. The solution also automates the erasure process and meets the PCI requirement of scheduling erasure according to the required time and policy. Automated and scheduled erasure with BitRaser File Eraser helps companies delete private cardholder data on an ongoing basis and meet the data minimization requirements of PCI DSS. NIST-tested and compliant, BitRaser Drive Eraser helps meet the PCI DSS requirement of securely wiping data using the Clear and Purge methods prescribed by the National Institute of Standards and Technology (NIST).
Additionally, the secure wiping program generates 100% tamper-proof reports for every wipe performed, and offers a secure cloud repository of reports for access at any time and from anywhere, as the PCI DSS compliance requirements demand. These audit trails come in handy during the compliance, audit, verification, and retention process.
By using BitRaser, organizations can ensure that their data is permanently erased and protected against unauthorized access, which helps make their PCI DSS compliance process successful. Reach out to us today to learn how we can help you comply with PCI DSS and sail through any security audit.