
Common Compliance Hurdles Part 3: Data Retention

Continuing my series on common compliance hurdles relating to Payment Card Industry (PCI) requirements, I would like to turn to the topic of data retention. Surprisingly, I have found that many organizations struggle with data retention: not just managing and archiving credit card data, but even defining appropriate data retention policies. There seems to be a lot of misinformation, or at least misunderstanding, out there, so hopefully this will help clear things up a bit.

Requirement 3.1 of the PCI Data Security Standard (DSS) states that cardholder data storage must be minimized and that a policy defining the appropriate retention length must be defined. There may be legal or regulatory requirements relating to data retention that must be adhered to. However, in most circumstances, documents containing full primary account numbers (PANs) need not be retained past 90 days, which is typically when chargebacks or disputes occur. If there is no business need to store cardholder data (for instance, so that a third party can supply access to transaction data and provide a mechanism for disputes and chargebacks), merchants should consider purging or redacting PANs stored both electronically and in hardcopy. Simply put: if you don’t need it, get rid of it.

Also keep in mind that masked or truncated PANs are not considered cardholder data; as such, they are not subject to the PCI DSS and can be stored indefinitely. Redacting all but the first six and last four digits of the PAN is therefore a common method organizations use to reduce or eliminate cardholder data while still retaining the ability to reference a particular card or transaction if necessary.

One common misconception concerns retaining financial records for audits. Many organizations end up keeping paid invoices that include complete credit card numbers for several years. This is not usually necessary: financial auditors are interested in seeing records of revenue and expenses, not individual credit card numbers. In light of this, a simple change in business process can often significantly reduce the burden associated with attaining and maintaining compliance.

When it comes to a remediation strategy, the first step in complying with Requirement 3.1 is to define an appropriate data retention policy based on business, legal, and regulatory requirements. This will, of course, vary from organization to organization, but keep in mind that most business models do not require the retention of full PANs for very long after a transaction. Once an appropriate retention period has been determined, an official policy should be documented. Be sure to include any specific legal or business reasons for the selected retention period, as well as a formal method for disposing of both electronic and hardcopy cardholder data once that period has been reached. Finally, implement the policy and purge historical data that exceeds the newly defined maximum retention period. Remember that, in most cases, redacting PANs by blacking them out with a marker, cutting the credit card section off a form and shredding it, or truncating data in a database is an effective way to reduce the cardholder data that is retained, reduce the risk of a credit card data breach, and meet the intent of the PCI requirements.
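As an added example (not code from the original post), the following Python sketch applies the remediation steps above to stored records: any record whose transaction is older than the defined retention period has its PAN truncated to the first six and last four digits, and the ids of the changed records are returned so the run can be logged. The 90-day default, the record layout and the sample invoices are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CardRecord:
    record_id: str
    pan: str           # full PAN, or the truncated form after enforcement
    captured_at: date  # date of the transaction the record belongs to

def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN.

    The removed middle digits become 'X', so the length and the first-six/last-four
    reference survive while the full PAN can no longer be reconstructed.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not a plausible PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def is_truncated(pan: str) -> bool:
    return "X" in pan

def enforce_retention(records, today: date, retention_days: int = 90):
    """Truncate the PAN of every record older than the retention period.

    Returns the ids of the records changed, so each run can be logged as
    evidence that the documented disposal method was applied.
    """
    changed = []
    for rec in records:
        expired = (today - rec.captured_at).days > retention_days
        if expired and not is_truncated(rec.pan):
            rec.pan = truncate_pan(rec.pan)
            changed.append(rec.record_id)
    return changed

# Constructed sample data (assumption): three stored invoice records.
TODAY = date(2024, 6, 30)

def sample_records():
    return [
        CardRecord("inv-1", "4111 1111 1111 1111", date(2024, 6, 15)),  # 15 days old
        CardRecord("inv-2", "5500000000000004", date(2024, 1, 10)),     # 172 days old
        CardRecord("inv-3", "340000XXXXX0009", date(2023, 12, 1)),      # already truncated
    ]

if __name__ == "__main__":
    recs = sample_records()
    print("truncated:", enforce_retention(recs, TODAY), [r.pan for r in recs])
```

Running it truncates only inv-2; the recent record is untouched and the already-truncated one is skipped rather than re-processed.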
