Cascade Customer Security News
IT Asset Retirement Implications for the PCI DSS (Payment Card Industry Data Security Standard)
The industry is slowly beginning to buzz about what the PCI DSS is and how this new certification will impact technology asset retirement services. PCI DSS stands for Payment Card Industry Data Security Standard. It was created in response to several high profile data breaches. These breaches resulted in the exposure of consumer credit card information by merchants and companies who process credit card transactions. The standard represents a self-regulation effort on the part of a consortium of credit card companies to establish minimum standards for merchants and companies who process transactions. Certified merchants and their vendors agree to comply with the standard or face fines and the potential loss of their ability to process credit card transactions.
The standard is organized around 6 objectives:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Compliance Levels
Merchants and service providers are grouped into 4 different levels based on previous security history (previous breaches), the number of transactions processed per year, and processing methods. Audits must be performed according to the level a company falls into and can only be performed by Qualified Security Assessors, with penetration testing done only by pre-qualified vendors. Schedules for the frequency of audits are based on the level. Additionally, each level has a different deadline for compliance.
Unclear Definitions
It is not clear where companies who provide asset retirement services fit in this standard. The standard discusses “Merchants”, “Connected Entities” and “Service Providers”. While anyone who processes credit card transactions is considered a “Merchant” and is required to be PCI DSS compliant, it is much less clear what is meant by “Service Provider” and “Connected Entity.”
IT Asset Retirement Implications
The majority of the requirements address security measures that are beyond the scope of the typical services and projects an asset retirement company would perform or engage in. There are some requirements, however, which directly address the services performed by asset retirement providers:
- 9.10.1 - Cross-cut shred, incinerate, or pulp hardcopy materials.
- 9.10.2 - Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
- Requirements 12.X – Almost all of the requirements in section 12 would apply because they deal with Information Security Policy in general and are not specific to connections, networks or technology.
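Requirement 9.10.2 is stated as an outcome (cardholder data cannot be reconstructed) rather than a method, so an asset retirement provider needs some way to check that outcome after purging a drive. The following is an added example, not code from the original article or from Cascade, of a narrow post-sanitization check: it scans a raw media image for residual runs of digits that pass the Luhn check (the checksum used on payment card numbers) and reports whether the image is also fully zero-filled. The sample images, the function names and the masking format are all constructed for this example. It only finds PANs stored as plain ASCII digits, so it complements, rather than replaces, verifying that the purge or degauss method itself was carried out.

```python
import re

# Luhn checksum: every payment card PAN passes this check, so a Luhn-valid run of
# 13-19 digits on "wiped" media is worth flagging for follow-up.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# A run of 13-19 ASCII digits not adjacent to other digits (bytes pattern).
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_residual_pans(image: bytes):
    """Return (offset, masked PAN) for every Luhn-valid digit run in the image."""
    hits = []
    for m in PAN_RUN.finditer(image):
        run = m.group().decode("ascii")
        if luhn_ok(run):
            hits.append((m.start(), mask_pan(run)))
    return hits

def sanitization_report(image: bytes) -> dict:
    """Summarize whether a media image looks purged: zero-filled and PAN-free."""
    nonzero = sum(1 for b in image if b != 0)
    pans = find_residual_pans(image)
    return {
        "bytes": len(image),
        "nonzero_bytes": nonzero,
        "zero_filled": nonzero == 0,
        "residual_pans": pans,
        "pan_free": not pans,
    }

# Constructed sample images (hypothetical, not real media captures):
# one properly zero-filled, one with leftover transaction text in it.
WIPED_IMAGE = bytes(4096)
RESIDUE_IMAGE = (
    b"\x00" * 100
    + b"card=4111111111111111;ref=1234567890123456;"  # first run is Luhn-valid, second is not
    + b"\x00" * 50
)

if __name__ == "__main__":
    for name, img in (("wiped", WIPED_IMAGE), ("residue", RESIDUE_IMAGE)):
        print(name, sanitization_report(img))
```

Run against a real image by reading the block device or its dd copy in chunks and feeding each chunk (with a small overlap so a PAN split across a boundary is not missed) to find_residual_pans; a non-empty result means the media is not ready to leave custody.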
Ultimately, since asset retirement implications are vague, companies seeking compliance with the PCI DSS should first determine the level of compliance they wish to achieve. Then they can work with their asset retirement partner to assess the best course of action towards achieving that level of compliance.
Resources:
Payment Card Industry (PCI) Data Security Standard
Navigating PCI DSS