During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background information available is for an employee who left the vendor (terminated their contract) one year previously.
You note this as non-compliant. Why?
A. Employee information, including background checks, must be stored for at least seven years
B. Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)
C. The vendor must retain the background information for at least 18 months after termination of contract
D. The vendor must only retain background information for all current employees, not for those that have been terminated
Answer: B
Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee's termination of contract. This prevents unauthorized access to sensitive employee data and aligns with PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities.
References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1