CSI Lifecycle Ltd

PCI DSS Requirements Testing Procedures Guidance – How CSI Can Help

CSI can provide a range of accredited solutions to help your organisation meet the PCI DSS requirements. Data destruction is key to PCI compliance when disposing of any data-bearing devices that hold sensitive data, and it is critically important that the disposal of computer hardware is handled securely. At CSI we offer two fully auditable data destruction methods that can be performed onsite at your own premises, removing chain-of-custody concerns for the data-bearing hardware. CSI can supply HMG BPSS security-cleared technicians to provide secure onsite data destruction using industry-leading disk wiping software for either server or desktop equipment; this permanently removes all data from the devices while still allowing the devices to be reused. The alternative method is onsite physical destruction: the data-bearing devices are removed from servers or desktops and shredded using our purpose-built hard disk shredders. Both methods provide secure destruction of any data, and both generate detailed data destruction reports and certificates of destruction. Both methods are compliant with the PCI DSS guidelines detailed below.

With facilities in the UK, mainland Europe and throughout North America, and approved partners across the globe, we can provide data destruction solutions on a global scale.

PCI DSS Requirements Testing Procedures Guidance

9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
9.6.3 – Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals). Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.

9.7 Maintain strict control over the storage and accessibility of media.
9.7 – Obtain and examine the policy for controlling storage and maintenance of all media and verify that the policy requires periodic media inventories. Without careful inventory methods and storage controls, stolen or missing media could go unnoticed for an indefinite amount of time. If media is not inventoried, stolen or lost media may not be noticed for a long time or at all.

9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
9.7.1 – Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually.
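The testing procedures for 9.6.3 and 9.7.1 both come down to checking a media tracking log: every movement out of a secure area must carry a management approval, and every media item must have been inventoried within the last year. The following is an added example of such a check over a constructed log, not CSI's own tooling; the CSV layout, column names and event values are assumptions.

```python
# Added example: audit a media tracking log against PCI DSS 9.6.3 (approval
# recorded for every move out of a secure area) and 9.7.1 (inventory at least
# annually). The log format below is an assumption, not a real CSI format.
import csv
import io
from datetime import date, timedelta

# Constructed sample log: one row per media event.
SAMPLE_LOG = """\
event_date,media_id,event,approved_by,location
2024-01-15,TAPE-0017,inventory,,secure-room-A
2024-03-02,TAPE-0017,move_out,j.smith,offsite-vault
2024-03-09,HDD-2201,move_out,,courier
2024-04-20,HDD-2201,inventory,,secure-room-B
2023-01-10,TAPE-0042,inventory,,secure-room-A
"""


def parse_log(text):
    """Parse the CSV log and convert event_date to a date object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["event_date"] = date.fromisoformat(r["event_date"])
    return rows


def unapproved_moves(rows):
    """9.6.3: return media ids moved out without a recorded approver."""
    return [r["media_id"] for r in rows
            if r["event"] == "move_out" and not r["approved_by"].strip()]


def overdue_inventory(rows, today_iso, max_age_days=365):
    """9.7.1: return media ids with no inventory event in the last max_age_days."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=max_age_days)
    last = {}  # media_id -> most recent inventory date
    for r in rows:
        if r["event"] == "inventory":
            mid = r["media_id"]
            if mid not in last or r["event_date"] > last[mid]:
                last[mid] = r["event_date"]
    all_ids = {r["media_id"] for r in rows}
    return sorted(mid for mid in all_ids if last.get(mid) is None or last[mid] < cutoff)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Moves without approval:", unapproved_moves(rows))
    print("Overdue inventory:", overdue_inventory(rows, "2024-06-01"))
```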

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
9.8 – Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:
· Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
· Storage containers used for materials that are to be destroyed must be secured.
· Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins looking for information they can use to launch an attack. Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected. For example, “to-be-shredded” containers could have a lock preventing access to their contents or physically prevent access to the inside of the container. Examples of methods for securely destroying electronic media include secure wiping, degaussing, or physical destruction (such as grinding or shredding hard disks).

9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
9.8.1.a – Interview personnel and examine procedures to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
9.8.1.b – Examine storage containers used for materials that contain information to be destroyed to verify that the containers are secured.

9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
9.8.2 – Verify that cardholder data on electronic media is rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

CSI can supply:
Data Containment Units (DCUs)
Disk Shredding Service
Enterprise Data Erasure
Desktop Data Erasure

CSI UK is ISO 27001, ISO 14001 and ISO 9001 accredited. All CSI UK staff are security checked to HMG BPSS standard.