How NAID Certification relates to PCI compliance

October 30, 2012

By Bob Johnson, NAID CEO

In 2006, the five largest credit card companies formed the Payment Card Industry (PCI) Security Standards Council as a self-policing data security initiative designed to quell calls for government intervention prompted by the increasing number of large data breaches and identity theft.

To that end, PCI quickly produced its Data Security Standards (PCI-DSS) to protect cardholder information, which is now in its second iteration. Merchants, who accept credit cards from the founding members of PCI, are required to meet the PCI-DSS. Companies that process credit card transactions as intermediaries between the merchants and the credit card companies are also required to meet PCI-DSS. Processors are usually banks or credit card transaction clearinghouses. Although very large merchants and processors are required to undergo an audit to establish PCI-DSS compliance, the overwhelming majority are allowed to self-certify.

Although it is not a government agency or initiative, PCI derives its clout from the founding members’ ability to deny merchants and processors the ability to accept their credit cards. Both merchants and processors may allow access to cardholder information to subcontractors that work on their IT systems, act as billing agents, and do other similar activities. PCI holds merchants and processors responsible for the PCI-DSS compliance of these downstream organizations as well. Again, the program is far more dependent on self-certification in the vast majority of cases.

These subcontractors are not considered merchants or processors. They do not conduct credit card transactions in any way and often, as is the case with data destruction companies, the PCI-DSS requirements have extremely limited application. In fact, PCI-DSS only applies to data destruction companies it two areas:

  • The overall security issues that apply to all vendors, such as access control, including employee screening, training, policies and physical security. All of these areas are addressed and validated by NAID AAA Certification.
  • The media destruction specifications state the following:
  • 9.10.1.a: Verify that hard copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
  • 9.10.1.b: Examine storage containers used for information to be destroyed to verify that the containers are secured. For example, verify that a-to-be-shred container has a lock preventing access to its contents.
  • 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (e.g., degaussing).

NAID AAA Certification audits verify compliance with each of these points, and, in so doing, provide de facto validation that service providers who have achieved NAID Certification are compliant with the standard.

While it is true that NAID Certification does not require cross-cut shredding for hard copy records (where both the length and width are limited), many members have such capability. This point is rendered moot, however, because NAID Certification also validates the responsible disposal of all destroyed particles, meaning the particles are pulped in the recycling process and in accordance with PCI-DSS specifications.

With regard to NAID Certification of electronic media destruction, the NAID Certification specification and audits validate both the physical and sanitization process, including random forensic analysis of wiped drives on an unannounced basis.