PCI DSS or Payment Card Industry Data Security Standard is a security standard for organizations that handle credit card information from some significant branded credit card companies. The bar was created by the joint effort of VISA, Mastercard, American Express, JCB International, and Discover Financial Services to ensure that merchants and companies that handle credit card information have a minimum level of information security. The standard is now developed and maintained by PCI Security Standards Council (SSC), but the five credit card brands enforce it.
What about PCI PA DSS?
PA DSS is the standard by which the Payment Application has been tested, assessed, and validated. If you are developing a payment application, you also need to be PA DSS compliant.
To whom does PCI DSS apply?
All organizations processing credit card information from the five before mentioned brands comply with PCI DSS or be fined/sanctioned by the credit card companies. There are four levels of compliance depending on how many credit cards you process each year:
Level 1 – Over 6 million transactions annually
Level 2 – Between 1 and 6 million transactions annually
Level 3 – Between 20,000 and 1 million transactions annually
Level 4 – Less than 20,000 transactions annually
What does PCI DSS say about data classification?
The only reference to classification is requirement 9.6.1, which states: Classify media so the data's sensitivity can be determined. By media is meant computers, removable electronic media, paper, etc. This means that it's not the documents themselves that must be classified but the media. This computer or that memory stick contains confidential information.
Where else could data classification be relevant?
Well, for one, credit card information should be stored and processed in a protected system (for which there are many requirements) and not laying around in word or excel documents. A scan of and data classification of documents can help you ensure that you are not processing credit card information in forms.
Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS. This means that you need to have control over all features involved in the processing of credit card information.
Requirement 3.1: Keep cardholder storage to a minimum. When you no longer need the information, you should delete it. This means you need to know that you don't have cardholder information stored in a document beyond the necessary time of use.
Requirement 3.2: Do not store sensitive authentication data after authorization. Sensitive authentication data consists of full-track data, card validation code or value, and PIN data. Storage of sensitive authentication data after consent is prohibited! Identifying documents that contain this type of data can reduce the risk.
Requirement 4.2 Never send unprotected PANs by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.)
Requirement 7.1 Limit access to system components and cardholder data to only those whose job requires such access. This means you must know if a document contains cardholder information, label it confidential and restricts access, or better delete the form if the information is no longer needed.
Summary: According to PCI DSS, cardholder information should not exist in documents.