23. Media Destruction Policy

Overview

In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, UIT PCI Compliance Services has established a formal policy and supporting procedures for having a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. This policy is to be implemented immediately. It will be evaluated on an annual basis to ensure its adequacy and relevance to UIT-PCI Compliance Services’ needs and goals.

Policy

UIT-PCI Compliance Services will ensure that the Media Destruction policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures):

  • Once the maximum retention period allotted for cardholder data has elapsed, the data must be removed from all electronic media, and any hardcopy edition must be disposed of accordingly.
  • All hardcopy materials are to be cross-shredded, incinerated or pulped, such that there is reasonable assurance the hardcopy materials cannot be reconstructed.
  • Storage containers for shredding hardcopy materials are to be secured at all times, with appropriate physical controls such as locks on the storage bins.
  • Storage of cardholder data on electronic media is not permissible per AS PCI Compliance policy.

Responsibility for Policy Maintenance

UIT’s PCI Compliance service is responsible for ensuring that the aforementioned policy is kept current as needed for purposes of compliance with the Payment Card Industry Data Security Standards (PCI DSS) initiatives.