How to Create a PCI Compliant IT Asset Disposition Program

Compliance with the Payment Card Industry Data Security Standard (commonly abbreviated as PCI DSS) is a high priority for any organization that stores, handles, and processes credit, debit, or other payment card information. Created and administered by the major credit card brands, PCI DSS compliance is necessary for any organization—large or small—that wishes to conduct business with those brands. That’s the vast majority of business organizations in the United States.

The Risks of Non-Compliance with PCI DSS

If you are involved with planning risk management or data security policy for your organization, you should be aware there are some serious risks that can come from non-compliance with the PCI standards. The PCI Security Standards Council lists several. When your company is not compliant with PCI DSS, you risk:

  • Having to pay off lawsuits, insurance claims, or large fines from payment card companies or the government.
  • Losing accounts and damaging your relationships with your customers.
  • Harming your company’s reputation and making it difficult to generate new business.
  • A decreased share value, if your company is a public company.

PCI DSS and ITAD

The PCI standards were created with the intent of maintaining secure environments for transmitting and storing cardholder data. There are several elements to PCI compliance. From a perspective of IT asset disposition (ITAD), the relevant requirement is that, when data storage media is no longer needed for business or legal reasons, organizations must, “Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” PCI goes on to recommend that this be accomplished through a “secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).”

The Payment Card Industry does not “certify” any process or company. Rather, your company must be able to prove in an audit that your processes and vendors meet the requirements.

What is the latest “industry accepted standard” for secure data erasure? That would be the NIST 800-88 standard, developed by the National Institute of Standards and Technology with sponsorship by the U.S. Department of Homeland Security. NIST 800-88 calls for a secure data sanitization process using professional, certified data erasure software. It’s important to note, however, that the U.S. government doesn’t certify sanitization software or ITAD companies to the NIST 800-88 standard. If you are using software tools to wipe data from hard drives yourself, find out how the software has been validated and whether it has been certified in countries that do so. To ensure your data sanitization provider uses secure processes and tools and can meet the NIST 800-88 standard with auditable records, look for certification from a leading third-party organization, like the National Association for Information Destruction (NAID). Partnering with a data sanitization vendor that has received AAA certification from NAID is a significant step toward ensuring your company is in compliance with the data destruction requirements of PCI DSS.
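The evidence an auditor will ask for is that the wipe actually left the media unrecoverable and that the result was recorded per device. As an added example (not code from the original post or from any vendor named here), the following Python reads wiped media back block by block, confirms every byte matches the overwrite pattern, and builds a record whose field names are modeled on the sample Certificate of Sanitization in NIST SP 800-88 Rev. 1, Appendix G. The in-memory “drive”, the tool name, and the operator are constructed placeholders; on real media you would pass an opened block device instead.

```python
import io
from datetime import datetime, timezone

BLOCK = 4096  # bytes read per verification step

def verify_overwrite(media, size, pattern=b"\x00", stride=1):
    """Read `size` bytes of `media` back and check that every `stride`-th block
    contains only `pattern`. stride=1 is a full read (the strongest evidence);
    stride>1 is a sampled read. Returns a dict an audit record can embed."""
    expected = pattern * (BLOCK // len(pattern))
    result = {"passed": True, "first_bad_offset": None, "blocks_checked": 0,
              "mode": "full read-back" if stride == 1 else f"sampled (1 in {stride})"}
    for offset in range(0, size, BLOCK * stride):
        media.seek(offset)
        block = media.read(BLOCK)
        result["blocks_checked"] += 1
        # A short read or any byte that is not the pattern means residual data may remain.
        if not block or block != expected[:len(block)]:
            result["passed"], result["first_bad_offset"] = False, offset
            break
    return result

def sanitization_record(serial, media_type, method, tool, operator, verify_result):
    """Per-device record with field names modeled on the NIST SP 800-88 Rev. 1
    Appendix G certificate (names here are hypothetical; a real program would
    sign, retain and hand these records to the auditor)."""
    return {
        "serial_number": serial,
        "media_type": media_type,
        "sanitization_method": method,
        "tool_used": tool,
        "verification_method": verify_result["mode"],
        "verification_passed": verify_result["passed"],
        "first_bad_offset": verify_result["first_bad_offset"],
        "performed_by": operator,
        "date_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def make_demo_media(size, leftover_at=None):
    """Constructed stand-in for a wiped drive: all zeros, optionally with a few
    bytes of residue at `leftover_at` to show what a failed verification looks like."""
    buf = bytearray(size)
    if leftover_at is not None:
        buf[leftover_at:leftover_at + 4] = b"data"  # constructed residue, not real data
    return io.BytesIO(bytes(buf))

if __name__ == "__main__":
    size = 1 << 20
    ok = verify_overwrite(make_demo_media(size), size)
    bad = verify_overwrite(make_demo_media(size, leftover_at=300_000), size)
    print(sanitization_record("SN-PLACEHOLDER-001", "HDD", "Clear: single-pass overwrite",
                              "hypothetical-wipe-tool 1.0", "placeholder operator", ok))
    print("residue found at offset", bad["first_bad_offset"])  # 299008
```

A sampled read (stride > 1) is faster but can miss residue in unsampled blocks, so record which mode was used rather than presenting a sampled check as a full one.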

Our guide for risk management planners, “A Guide to Minimizing the Risk of IT Asset Disposition,” includes multiple strategies for minimizing the risk of non-compliance with industry standards like PCI DSS through your company’s IT asset disposition process.
