[PCI DSS 1.x] 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal polic

[PCI-DSS] 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.1 Obtain and examine the company policies and procedures for data retention and disposal, and perform the following:

[ul]
[li] Verify that policies and procedures include legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons)[/li]
[li] Verify that policies and procedures include provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data[/li]
[li] Verify that policies and procedures include coverage for all storage of cardholder data[/li]
[li] Verify that policies and procedures include a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, requirements for a review, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements[/li]
[/ul]

I have a question about non-electronic card number storage.
Our organization does event-registration online, and we never store the card number, only the processing transaction id.
However, we also do onsite event registration as well. If we are doing (paid) registrations where we have no internet access, and so can’t process cards, is there a way to keep card data until we process it after the event?
One colleague suggested faxing the card numbers to our secure fax, but that would leave a card fax image on the sending fax machine hard drive, so that is a no-no.
Another colleague suggested physical (onto paper) swipe of the card, then placing the paper into a lock box until processed ‘back at the office’ where they would then be shredded. Another possibility is to swipe the card into local electronic storage then process the cards back at the office. Of course these would require a clear ‘chain of custody’ possession of the lock box or electronic device. If that can be guaranteed, is this type of temporary storage permitted? If not, is there another alternative to offline card handling?
Thanks, Fred

Hi,
Does anyone have a sample data retention and disposal policy document, with a data disposal process? I’m new to PCI and need to produce such a document.
Thanks in advance,
Shutdown