Cardholder Data Handling, Retention, and Disposal Policy


Policy Owner: Assistant Treasurer, Customer Payments

Note: An owner must be a PCES-level manager.

PURPOSE

This document describes the policies for cardholder data (CHD) at the US Postal Service, as established by the USPS Corporate Treasury. CHD is a subset of what is considered sensitive-enhanced information. The policies cover the handling, retention, and disposal of primary account numbers (PAN) and other CHD.

CHD is a type of sensitive record and is used to process payment card transactions. Sensitive Authentication Data (SAD) is additional data that may be transmitted or processed as part of a payment transaction but must not be stored at any time.

CHD consists of the following data:

Sensitive Authentication Data includes:

SCOPE

This policy applies to all Postal Service:

POLICY

Data Handling

Data Retention

CHD may be retained for no longer than 5 years from the date of the last transaction. This 5-year maximum applies to CHD linked to saved customer profiles and recurring transactions as well as to one-time transactions. This time period allows for the fulfillment of the legitimate business needs listed above. Any CHD that is stored must be reviewed at least quarterly to ensure that it is not retained longer than the maximum retention period.

Data Disposal

CHD that has reached the end of its retention period must be destroyed securely, in accordance with the Disposal and Destruction of Information and Media rules in Handbook AS-805, in a manner that ensures the data cannot be recovered for unauthorized use.

SUPPORTING DOCUMENTATION

REVISION HISTORY

Version  Date        Description
1.0      11.25.2013  Initial release
1.0.1    06.26.2015  Annual Review: The annual review for functional accuracy and current PCI DSS requirements has been completed. CR 84436
1.0.2    10.16.2015  Non-substantive change: Updated to address organizational changes.
                     Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 117383
1.1      07.22.2016  In the Policy section, clarified the PCI in-scope environment.
                     Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809
1.1.1    07.12.2017  Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 286566