Records and information management FAQs – retention of credit card data March 22, 2016
We have recently received a number of enquiries from organisations about the retention of credit card data. Specifically, these organisations want to know how to keep this data in a way that meets the requirements of the Payment Card Industry – Data Security Standard (PCI-DSS), which was developed to encourage and enhance cardholder data security and applies to all organisations that store, process or transmit cardholder data.
This seems to be a common concern for organisations at the moment, not just in NSW – our colleagues at Queensland State Archives (QSA) just published some advice on this very issue for Queensland Government organisations, and there was a recent discussion on the topic on the RIMPA listserv.
NSW public offices that process electronic financial transactions must capture and manage their data in accordance with the PCI-DSS:
- This standard prohibits organisations from storing certain sensitive authentication data (e.g. card verification or personal identification number (PIN) data) after the authentication process has been completed.
- This standard requires organisations to keep the retention of other cardholder data (e.g. account number, cardholder name, expiry date, etc.) to a minimum by implementing data retention and disposal policies, procedures and processes.
State Records’ general retention and disposal authorities for administrative records, local government records and national bodies include disposal coverage for credit card data:
- A minimum retention period of 3 months applies to cardholder data to allow time for reconciliation of monthly payments. After this period, destruction is permitted in accordance with an organisation’s assessment of its own specific legal, regulatory and business requirements for retaining the data.
- The destruction of sensitive authentication data is permitted upon completion of the transaction.
One of the participants in the discussion on the RIMPA listserv noted that:
Credit card details are only meant to be retained for very short periods of time – some would say the payment is more about the transaction between the business and the credit card company (the money comes from them, not the customer) than with the person. Essentially a payment system would record a payment is accepted when it has the details of the strip data, the CVV (when required) and the PIN.
In its advice to Queensland Government agencies, QSA identifies a number of things to consider when developing and implementing strategies for managing records of credit card transactions:
- Sensitive authentication data should never be kept.
- The PCI-DSS requires that primary account numbers (the card numbers) be rendered unreadable when they are stored. If the system in which your organisation keeps credit card data cannot meet this requirement, then your organisation must not capture this information in your system.
- Cardholder data (other than sensitive authentication data) should only be kept if there is a valid legal, business or regulatory need for that data. After the minimum retention period has expired, your organisation should destroy the data if there is no valid reason for retaining it.
- If records of card transactions include information other than cardholder data, and your organisation requires this information for a certain period of time after the transaction has occurred, then the cardholder data must be stored or redacted in a way that meets the requirements of the PCI-DSS. If your organisation’s systems and processes are unable to do this, or it would require complicated workarounds, you might want to consider introducing new processes to ensure that new cardholder data received is not captured together with the other information. This will mean that you can easily dispose of the cardholder data when there are no valid reasons for retaining it, while still keeping the other information for as long as required.
- Establishing and documenting a process for the capture and management of records of credit card transactions is important. This will ensure that all employees understand what data needs to be captured and kept and what can be disposed of. Establishing this process will require consultation with those employees who receive, handle and use cardholder data.
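The capture-and-disposal pattern QSA describes (never store sensitive authentication data, render the PAN unreadable, keep cardholder data apart from the rest of the transaction record so it can be destroyed on its own once the 3-month reconciliation period has passed) can be sketched in code. This is an added illustration, not code from State Records or QSA; the field names, the 92-day reading of "3 months", and truncation to the last four digits as the method of rendering the PAN unreadable are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Sensitive authentication data: must not exist in storage once authorisation is complete.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track_data")
# Minimum retention for cardholder data (3 months for reconciliation; 92 days assumed here).
MIN_RETENTION = timedelta(days=92)

def mask_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation, keeping only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass
class TransactionRecord:   # business information, kept for as long as required
    receipt_no: str
    amount_cents: int
    captured: date
    description: str

@dataclass
class CardholderRecord:    # cardholder data, kept separately so it can be destroyed on its own
    receipt_no: str
    masked_pan: str
    cardholder_name: str
    expiry: str

def capture(raw: dict, captured_on: str) -> tuple:
    """Split one raw payment (hypothetical field names) into the two records; SAD is discarded."""
    raw = {k: v for k, v in raw.items() if k not in SENSITIVE_AUTH_FIELDS}
    txn = TransactionRecord(raw["receipt_no"], raw["amount_cents"],
                            date.fromisoformat(captured_on), raw["description"])
    card = CardholderRecord(raw["receipt_no"], mask_pan(raw["pan"]), raw["name"], raw["expiry"])
    return txn, card

def disposable_cardholder_records(cards, txns, today: str, holds: set) -> list:
    """Receipt numbers whose cardholder data is past minimum retention and not under a documented hold."""
    captured_on = {t.receipt_no: t.captured for t in txns}
    return [c.receipt_no for c in cards
            if date.fromisoformat(today) - captured_on[c.receipt_no] >= MIN_RETENTION
            and c.receipt_no not in holds]

if __name__ == "__main__":   # constructed sample payment (test card number, not a real account)
    txn, card = capture({"receipt_no": "R1", "amount_cents": 2500, "description": "permit fee",
                         "pan": "4111 1111 1111 1111", "name": "A Citizen", "expiry": "12/18",
                         "cvv": "123"}, "2015-12-01")
    print(card.masked_pan, disposable_cardholder_records([card], [txn], "2016-03-22", set()))
```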
We are a merchant who holds credit card details for processing customers' orders. This information is on paper and held securely. After reading your article, if we have permission from the customer to store their credit card details, are we breaking any PCI security policies?