There is a reason why PCI DSS Requirement 9.10 requires that merchants and service providers use a crosscut shredder to destroy paper records with confidential information. The reason is that simple ribbon-type shredders don't really destroy the information. Depending on how the paper goes into a ribbon shredder, whole lines of information can be readable.
If press reports are accurate, the organizers of the Macy's Thanksgiving Day Parade together with the Nassau County Police are living proof that ribbon shredders are not very valuable. Based on news reports, the police are investigating claims by attendees at the Thanksgiving Day Parade that the confetti that poured from the sky contained Social Security Numbers, bank account numbers, and police records that were clearly readable.
One important lesson for any organization with confidential financial, medical, or personal information is that shredding means crosscut shredding.
A second, possibly equally important lesson is that if you use a shredding service for your PCI documents (or HIPAA or whatever), you had better know what they do with the chad after they shred the documents. Do they sell it for pulp? Do they recycle it? Do they sell it to parade organizers or party planners for confetti?
The reason this second lesson is important is that the shredding service is a PCI Service Provider, and Requirement 12.8.2 says you need a written agreement in which they acknowledge their responsibility for the cardholder data (the paper) they possess. That means you should know what happens to your confidential documents once they leave your premises.
Maybe we need to add this "Macy's Rule" to PCI?
This is absolutely ridiculous. People need to start getting clued up on the importance of secure paper shredding. This isn't lax security, just downright stupidity.
Has there been any evidence in this case? Any convictions? In a way you can see why using recycled materials would be perfect for this, but they should have ensured the materials used were not sensitive or private in any way. Tut tut Macy's.