DATA SECURITY STANDARD

HARD DRIVE ERASURE AND DESTRUCTION

 

Payment Card Industry Data Security Standard
PCI DSS version 3.0 (Nov 2013)
Requirement 9 - RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA
is one of the main changes made from version 2.0.

 

PCI DSS REQUIREMENTS

 

    • 9.8 Destroy media when it is no longer needed for business or legal reasons as follows:

 

    • 9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.

 

    • 9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

 

Guidance

 

If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise.

 

Examples of methods for securely destroying electronic media include SECURE WIPING, DEGAUSSING, or PHYSICAL DESTRUCTION.