DATA SECURITY STANDARD
HARD DRIVE ERASURE AND DESTRUCTION
Payment Card Industry Data Security Standard
PCI DSS version 3.0 (Nov 2013)
Requirement 9 - RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA is one of the main changes made from version 2.0.
PCI DSS REQUIREMENTS
- 9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
- 9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
- 9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Guidance
If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise.
Examples of methods for securely destroying electronic media include SECURED WIPING, DEGAUSSING, or PHYSICAL DESTRUCTION.