RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: "King, Douglas" <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Thu, 8 Apr 2010 09:49:55 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (21 lines)
A couple of questions to organizations -- public and private -- that accept payment cards for payments of goods, services, taxes, fees, etc. I bet that your organization is currently working on achieving compliance with the Payment Card Industry Data Security Standard (PCI-DSS), which will obligate your organization contractually to implement and document a long list of data network infrastructure and practices, physical security, employee procedures and training. PCI-DSS is not a Fed or state reg -- it is a private, industry standard.

Here at Sedgwick County Government documenting progressive compliance with 35 distinct sections for 22 distinct agencies (and another 100+ sections at the enterprise IT level for each agency) is generating considerable stuff for us (in particular, my boss). Complicating the issue is that the PCI-DSS is still evolving.

Now the questions ... Has your organization created new records series for PCI-DSS compliance records? If so, what retention requirement have you determined? What was the basis or rationale for setting the retention requirement as you did?

My boss (the Information Technology Architect, who also wears the HIPAA Security hat) tilts toward retaining only the most recent signoffs, which should be sufficient for security audit or breach investigations. I tend to tilt toward a few to more years, similar to HIPAA compliance records. If Kansas had enacted a general law about privacy of personal information (i.e., requiring notifications in event of breach, etc.) these records might fit such a records series, but it has not.

Thanks in advance for input.

// Douglas K. King, Records Mgr / Freedom of Info Offcr, MA, ERM-M
|| Sedgwick Cnty Gov DIO/IT Arch & Compliance / Records Mgmt Srvcs
|| Sedgwick County Courthouse / 525 N. Main /  Wichita KS 67203
|| 316.660.9846   FAX 316.660.3274   mailto:[log in to unmask]
\\  www.sedgwickcounty.org   "Sedgwick County ... working for you"

List archives at http://lists.ufl.edu/archives/recmgmt-l.html