Cardholder Data Handling, Retention, and Disposal Policy
Policy Owner: Assistant Treasurer, Customer Payments
Note: An owner must be a PCES-level manager.
This document describes the policies for cardholder data (CHD) at the US Postal Service. CHD is a subset of what is considered sensitive-enhanced information. This includes the handling, retention, and disposal of primary account numbers (PAN) and other CHD, as established by the USPS Corporate Treasury.
CHD is a type of sensitive record and is used to process payment card transactions. Sensitive Authentication Data includes additional data that may be transmitted or processed as part of a payment transaction, but may not be stored at any time.
CHD consists of the following data:
- The PAN, which is the 15- or 16-digit number on the front of credit and debit cards. All PAN are considered CHD.
- The cardholder name, expiration date, and/or service code are also considered CHD when they are stored with a PAN.
Sensitive Authentication Data includes:
- Personal Identification Numbers (PIN)
- Encrypted PIN blocks
- Full contents of any track from the magnetic stripe on the back of the card
- Card verification codes (three- or four-digit card-verification code or value printed on the front of the card or the signature panel) or equivalent data on a chip.
This policy applies to all Postal Service:
- Systems or processes that store, transmit, or process CHD
- Employees and contractors who handle CHD or who work with systems that store, transmit, or process CHD
- PAN data must be encrypted while in-transit across open, public networks (e.g., the Internet), and rendered unreadable when at rest. If encryption is used to render PAN unreadable while at rest, the encryption must meet the minimum encryption standard set forth in Handbook AS-805.
- Unencrypted PAN must not be sent via email, instant message, or chat applications.
- All in-scope CHD must be stored, processed, and transmitted exclusively within the Category 1 zone of the PCI environment.
CHD may be retained for no longer than 5 years from the date of the last transaction. This 5-year maximum applies to CHD linked to saved customer profiles and recurrent transactions as well as one-time transactions. This time period allows for the fulfillment of the legitimate business needs listed above. Any CHD that is stored must be reviewed quarterly to ensure that it is not retained longer than the maximum retention period.
- Storage of the following Sensitive Authentication Data is prohibited:
- PIN or the encrypted PIN block
- Sensitive authentication data
- Card-verification code or value
- Full contents of any track from the magnetic stripe located on the back of a card
- Cardholder name, PAN, expiration date, and/or service code may be stored only while a need for the retention of these data exists. Legitimate CHD data retention needs include processing payments, processing refunds, performing financial reconciliation and reporting, and investigating fraud.
CHD that has reached the end of its retention period must be destroyed securely in accordance with Disposal and Destruction of Information and Media rules in Handbook AS-805 in a manner that the data cannot be recovered for unauthorized use.
- Handbook AS-805 - Information Security
- Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management
- Payment Card Industry Data Security Standard (PCI DSS)
|1.0.1||06.26.2015||Annual Review: The annual review for functional accuracy and current PCI DSS requirements has been completed. CR 84436|
|1.0.2||10.16.2015||Non-substantive change: Updated to address organizational changes.|
Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 117383
|1.1||07.22.2016||In the Policy section, clarified the PCI in-scope environment.|
Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 195809
|1.1.1||07.12.2017||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 286566|