[PCI DSS 3.0] 9.8 Destroy media when it is no longer needed for business or legal reasons as follows:

pcinetwork

PCINetwork.org Admin
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:

9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:
• Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
• Storage containers used for materials that are to be destroyed must be secured.
• Cardholder data on electronic media must be rendered unrecoverable via a secure wipe program (in accordance with industry-accepted standards for secure deletion), or by physically destroying the media.

If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins looking for information they can use to launch an attack.
Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected. For example, “to-be-shredded” containers could have a lock preventing access to their contents or physically prevent access to the inside of the container.
Examples of methods for securely destroying electronic media include secure wiping, degaussing, or physical destruction (such as grinding or shredding hard disks).
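As an added example (not from PCINetwork.org or the PCI SSC), here is a post-wipe check a defender could run over an image of electronic media before it leaves the organization: it scans for Luhn-valid 13-19 digit runs (residual PANs) and, for zero-fill wipes, confirms that no non-zero byte remains. The sample images and the PAN in them are constructed test data; for a real device you would read the image in overlapping chunks rather than as one bytes object.

```python
import re

# Luhn check: tells a card number apart from other long digit runs (invoice ids, etc.).
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Runs of 13-19 digits not adjacent to other digits (PAN lengths used by card brands).
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")

def find_residual_pans(image: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, PAN) for every Luhn-valid digit run found in the image."""
    hits = []
    for m in PAN_RE.finditer(image):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits

def wipe_verified(image: bytes, zero_fill: bool = False) -> bool:
    """True when no PAN survives and, for a zero-fill wipe, every byte is 0x00.
    A random-pattern wipe leaves non-zero bytes, so zero_fill must be False for it."""
    if find_residual_pans(image):
        return False
    if zero_fill and any(image):        # any non-zero byte means the wipe was incomplete
        return False
    return True

# Constructed sample media images (not real disk contents).
BEFORE_WIPE = (b"cust=Jane Doe;pan=4111111111111111;exp=12/27;"   # Luhn-valid test PAN
               b"invoice=1234567890123;" + bytes(64))            # 13 digits, fails Luhn
AFTER_WIPE = bytes(len(BEFORE_WIPE))                              # zero-filled after wipe

if __name__ == "__main__":
    print(find_residual_pans(BEFORE_WIPE))                        # [(18, '4111111111111111')]
    print(wipe_verified(BEFORE_WIPE), wipe_verified(AFTER_WIPE, zero_fill=True))  # False True
```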