New Records Retention Guidance for Sensitive Authentication Data

The Secretary of State’s Local Government Common Records Retention Schedule (CORE) has a brand new category concerning the destruction of “Sensitive Authentication Data” obtained during financial transactions. Think of when you sign up for a city recreation class or pay a utility bill over the telephone: the person taking your payment information will ask for your credit card number, the name on the card, the expiration date, and the three or four digits on the back or front of the card.

These three or four digits, typically called a Card Verification Code (CVC) or a Card Verification Value (CVV), are not to be stored by agencies according to the Data Security Standard (PCI DDS) established by the Payment Card Industry (PCI) Security Standards Council.  (The PCI Security Standards Council consists of credit card companies, including American Express, MasterCard and Visa; the PCI Council has developed security standards, such as the PCI DDS, and requires that vendors that process payments with credit cards comply with such standards.)  The CORE’s new Disposition Authority Number (DAN) GS2014-030 directs that these CVCs and CVVs be destroyed as “Sensitive Authentication Data” after the transaction is completed.

Sensitive Authentication Data may be held by an agency in various types of records, such as a database, an email, or a hard copy.  The Secretary of State has developed an advice sheet on how to destroy such sensitive information located within a record that otherwise must be retained:

• Database records: Delete the field that consist entirely of Sensitive Authentication Data.
• Paper records: Black out the Sensitive Authentication Data and photocopy or scan the record; retain the photocopy or the scan. 
• Scanned records: Redact the Sensitive Authentication Data from the image and the metadata.
• Emails or other electronic records: Redact the Sensitive Authentication Data and resave the record in electronic format, “retaining as much of the original metadata as possible.”
• Records created from this point forward: Retain the Sensitive Authentication Data separately or in a manner in which it can be easily separated from the rest of the transaction record (e.g., a separate data field or on a Post-It note attached to the transaction record).

What is unique about the direction from the Secretary of State is that this is the first time the Local Records Committee has approved destruction of a portion of a record.  Sensitive Authentication Data is stored with other information (such as the credit card number and the transaction amount) that must be retained for six years after the end of the fiscal year under DAN GS2011-184; therefore, given “the enormity of the potential security risk” the committee deemed it necessary and appropriate to direct destruction of a portion of a record.

Photo courtesy of Sean MacEntee.