Does Your Data Destruction Process Need to Comply with PCI?

In 2006, the five largest credit card companies formed the Payment Card Industry (PCI) Security Standards Council as a self-policing data security initiative designed to quell calls for government intervention prompted by the increasing number of large data breaches and identity theft.

To that end, PCI quickly produced its Data Security Standard (PCI-DSS) to protect cardholder information, which is now in its second iteration. Merchants who accept credit cards from the founding members of PCI are required to meet the PCI-DSS. Companies that process credit card transactions as intermediaries between the merchants and the credit card companies are also required to meet the PCI-DSS. These processors are usually banks or credit card transaction clearinghouses. Although very large merchants and processors are required to undergo an audit to establish PCI-DSS compliance, the overwhelming majority are allowed to self-certify.

Although it is not a government agency or initiative, PCI derives its clout from the founding members' ability to deny merchants and processors the ability to accept their credit cards. Both merchants and processors may give subcontractors access to cardholder information when those subcontractors work on their IT systems, act as billing agents, or perform similar activities. PCI holds merchants and processors responsible for the PCI-DSS compliance of these downstream organizations as well. Again, in the vast majority of cases the program depends on self-certification.

These subcontractors are not considered merchants or processors. They do not conduct credit card transactions in any way, and often, as is the case with data destruction companies, the PCI-DSS requirements have extremely limited application. In fact, PCI-DSS applies to data destruction companies in only two areas:

  • The overall security issues that apply to all vendors, such as access control, including employee screening, training, policies and physical security. All of these areas are addressed and validated by NAID AAA Certification of a vendor.
  • The electronic media destruction specifications state the following:
    • 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (e.g., degaussing).

NAID AAA Certification audits verify compliance with these points and, in so doing, provide de facto validation that service providers who have achieved NAID Certification are compliant with the standard. NAID Certification of electronic media destruction specifies both the physical destruction and the sanitization process, and validates them through audits, including random forensic analysis of wiped drives on an unannounced basis.
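As an added example (not from the original article, and not NAID's or PCI's own tooling), the kind of check a forensic review of a wiped drive image can include for requirement 9.10.2: scan the image for digit runs of PAN length that pass the Luhn check, which is how surviving cardholder data would show up, and report how much of the media still holds non-zero bytes. The sample images below are constructed byte strings, not real media; the 4111... number is the well-known Visa test PAN.

```python
import re
from typing import Dict, List

# Runs of 13-19 ASCII digits not bordered by other digits: the PAN length range.
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_residual_pans(image: bytes) -> List[str]:
    """Digit runs in the media image that are Luhn-valid, i.e. plausible surviving PANs."""
    return [m.group().decode() for m in PAN_RUN.finditer(image)
            if luhn_valid(m.group().decode())]


def verify_wipe(image: bytes) -> Dict[str, object]:
    """Summarise a wiped-media image: share of non-zero bytes (an overwrite pattern is
    allowed, so this is informational), any PAN-shaped data that survived, and a pass/fail
    that is driven only by the residual-PAN check."""
    pans = find_residual_pans(image)
    nonzero = sum(1 for b in image if b)
    return {
        "bytes": len(image),
        "nonzero_ratio": nonzero / len(image) if image else 0.0,
        "residual_pans": pans,
        "passed": not pans,
    }


# Constructed sample images (not real media): one with leftover cardholder data,
# one zero-filled, one overwritten with a deterministic pattern that contains no digit runs.
DIRTY_IMAGE = bytes(64) + b"name=J DOE;pan=4111111111111111;ref=1234567890123456;" + bytes(64)
ZERO_IMAGE = bytes(4096)
PATTERN_IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(4096))

if __name__ == "__main__":
    for label, img in (("dirty", DIRTY_IMAGE), ("zeroed", ZERO_IMAGE), ("pattern", PATTERN_IMAGE)):
        print(label, verify_wipe(img))
```

The `ref=` value in the dirty image is a 16-digit run that fails Luhn, so it is not reported; only the Luhn-valid PAN is flagged.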