Login

New user? Create an account
Forgot your password? Get it back!

Signup

Already a member? Login

2FA

2-Factor Authentication is enabled for this account
Login with a different user

Email Confirmation

Send confirmation email to the following
Login with a different user
Data Retention Policy
Last updated: 10 May 2023

Purpose
PCI-DSS requirement 3.1 requires that Lucus Labs, the parent company of Opta Pay, maintain and adhere to data retention and disposal procedures as described herein. The purpose of these procedures is to ensure records that are no longer needed are discarded appropriately and in a timely fashion. Each area that takes credit or debit cards as payment must periodically (annually) review these procedures to determine any circumstances that necessitate changes in the way they retain or dispose of cardholder data.

In the context of this Policy, the term "credit card" applies to credit or debit cards, and can be interchanged to refer to the same.

A repeating quarterly event has been scheduled for Lucus Labs to identify and securely delete all stored cardholder data that exceeds this Data Retention Policy. This repeating event will also be used to review this document and to update as/if necessary.

Applies To
These procedures apply to all Merchants, customers, and users in any PCI environment at Lucus Labs, including, but not limited to, Opta Pay.

PCI DSS applies whenever Account Data is stored, processed, or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data.

Guidelines
  1. The duration of cardholder data retention is as follows:
    1. Cardholder data will be stored for the duration of the term of the customer's account with Opta Pay but only when approved by the customer for its storage and necessary for the continuity of business between the merchant and customer.
    2. Cardholder data can be stored for a period no longer than thirty (30) days except for scheduled payments. In the event of scheduled payments, cardholder data will be deleted immediately upon the processing of the scheduled payment. If the payment is scheduled to repeat, cardholder data will be deleted immediately upon the final payment processed in the series.
    3. Card data may be stored for the following business reason(s):

      1. Scheduled payments (repeating or not).
      2. As required by law or court of competent jurisdiction.
      3. As required for any historical audit purposes, if applicable.

  2. Cardholder Data is secured as follows:
    1. Cardholder data is securely encrypted using AES-256 encryption.
    2. If applicable, physical cardholder data is stored securely in locations accessible by authorized employees only.
    3. Cardholder data is destroyed immediately after the defined retention period defined herein.
    4. Full Primary Account Numbers (PANs) are required to be stored in encrypted format and never displayed in full. Only the last four (4) digits are allowed to be displayed at any time. The remaining PAN must be masked at all times.
    5. The full contents of any track data from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere, are not to be stored at any time after authorization. This data is alternatively referred to as track, track 1, track 2, full track, and magnetic-stripe data. In the normal course of business, the following data elements from the track may be retained as needed:

      • Cardholder name
      • Primary Account Number (PAN)
      • Expiration date
      • Service code

    To minimize risk, these data elements should only be stored for approved business needs.

  3. Sensitive Authentication Data is secured as follows:
    1. Sensitive Authentication Data is securely encrypted using AES-256 encryption.
    2. Sensitive Authentication Data is destroyed after the defined retention period or at the time a customer's payment method has been deleted.
    3. PIN numbers are not allowed to be stored by Opta Pay or any other system provided by Lucus Labs or its Merchants.

  4. Disposal
    All sensitive and credit card data is destroyed when it is no longer required by legal, contractual, or business need. As an example, all cards stored on-file to fulfill scheduled payments will be deleted immediately upon the processing of the scheduled payment. If a payment is scheduled to repeat, the card data is deleted immediately upon the last payment in the schedule.

    Techniques for disposal of data on media are as follows:

    • Hard disks: Must be overwritten as prescribed by the Lucus Labs Electronic Data Disposal Policy, or physically destroyed
    • Floppy disks must be shredded
    • Optical media (CD's, DVD's, Blu Ray, etc) must be shredded
    • Other magnetic media (USB drives, storage cards, etc) must be overwritten by an approved method or as prescribed by the Lucus Labs Electronic Data Disposal Policy, or physically destroyed
    • Paper: Must be cross-cut shredded, pulped or incinerated as prescribed by the Lucus Labs Electronic Data Disposal Policy, or otherwise destroyed
    • Paper containing cardholder data awaiting destruction must be stored in secure containers secured with a lock to prevent access to its contents
    • Quarterly automatic or manual processes for identifying securely deleted or stored cardholder data that exceeds defined retention requirements must be in place

  5. Users with elevated privileges which allow access to cardholder data via computer must comply with the following:
    1. All users must have a unique user ID.
    2. In addition to a unique user ID, all users must have a second form of authentication, such as a password, passphrase, token, smart card, or biometric scanner.
    3. Passwords must be changed every 90 days.
    4. Passwords must conform to the Opta Pay password policy.
    5. Individuals must submit a new password that is different from the last four passwords.
    6. The user's account will be locked after three (3) failed attempts.
    7. The user's account will be locked for a minimum of 30 minutes or until reset by a Merchant or Lucus Labs administrator.
    8. A session that has been idle for 15 minutes will require users to reauthorize.
    9. All access to any database containing cardholder data must be pre-authorized by Lucus Labs management.

  6. Access to secure areas where cardholder data are stored are restricted to authorized personnel only.
    1. Only persons with a business need and approval will have access to areas where cardholder data are stored.
    2. Personnel need to be able to be physically distinguished from those who do not have access. (Uniforms, badges, etc).
    3. A log is kept of all access to secure areas where cardholder data is kept.

  7. An accurate record is kept regarding the possession of all cardholder data.
    1. The possession of cardholder data is logged and the responsible party must sign for the data.
    2. Placement of cardholder data in secure locations is logged and the responsible party must sign in the data.
    3. Removal of cardholder data from secure locations is logged and the responsible party must sign out the data.
    4. Secure transport of cardholder data is logged.
    5. Delivery of cardholder data is logged.
    6. Destruction of cardholder data is logged.