Procedure for Disposal of Media¶
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Document Type | Procedure |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |
Document #: SP-DM-028 | Version: V1.2 | Issue Date: 05/09/2025
Document Creation¶
| Field | Details |
|---|---|
| Document # | SP-DM-028 |
| Document Title | Procedure for Disposal of Media |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that Procedure for Disposal of Media is implemented |
| Authorised By | Yassir Pasha |
Steering Committee¶
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |
Change Control¶
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1. Purpose¶
The purpose of this procedure is to ensure that all media containing sensitive or confidential information is disposed of securely when it is no longer required. This protects Simpaisa and its customers from the risk of data being recovered from discarded media and exploited.
2. Scope¶
This procedure applies to all media containing Simpaisa data, including but not limited to:
-
Hard disk drives (HDD) and solid-state drives (SSD)
-
USB drives and flash memory
-
Optical media (CD, DVD, Blu-ray)
-
Magnetic tapes and backup media
-
Mobile device storage
-
Printed documents and paper records
-
Any other media that may contain sensitive or confidential information
This procedure applies to all employees, contractors and third-party personnel who handle Simpaisa media.
3. Procedure¶
3.1 Disposal and Destruction¶
Step 1 — Identify Media for Disposal¶
When media is no longer required, the asset owner or system administrator shall:
-
Confirm that the data stored on the media is no longer needed and there are no legal, regulatory or business retention requirements.
-
Classify the sensitivity of the data stored on the media.
-
Raise a disposal request and record it in the asset management system.
Step 2 — Determine Disposal Method¶
The appropriate disposal method shall be selected based on the sensitivity of the data:
| Data Classification | Acceptable Disposal Methods |
|---|---|
| Confidential / Class 2 | Physical destruction (shredding, degaussing, incineration) or certified data wiping using NIST 800-88 or equivalent standards |
| Internal / Class 1 | Secure data wiping or physical destruction |
| Public / Class 0 | Standard deletion or formatting is acceptable |
Step 3 — Perform Disposal¶
-
Electronic media: Data shall be securely wiped using approved software that meets NIST SP 800-88 or equivalent standards, or physically destroyed by shredding, degaussing or incineration.
-
Paper records: Documents containing confidential information shall be cross-cut shredded or incinerated. Documents shall not be placed in general waste.
-
Third-party disposal: Where a third-party vendor is engaged for disposal, the vendor must provide a Certificate of Destruction confirming the media has been securely destroyed.
Step 4 — Record the Disposal¶
All disposals shall be recorded, including:
-
Description and identifier of the media
-
Date of disposal
-
Method of disposal used
-
Name of the person who performed the disposal
-
Certificate of Destruction reference (if applicable)
3.2 Secure Disposal or Reuse of Equipment¶
Where equipment is to be reused (e.g., reassigned to another user or returned to a leasing company), the following shall apply:
-
All data must be securely wiped from storage media before reuse, using approved methods.
-
The operating system and all applications shall be reinstalled from original media or authorised sources.
-
Reuse shall be recorded in the asset management system.
-
Where equipment cannot be securely wiped (e.g., due to hardware failure), it must be physically destroyed.
Particular attention shall be paid to:
-
Ensuring that customer data, cardholder data (CHD) and personally identifiable information (PII) are fully removed before any equipment is disposed of or reused.
-
Removing all cryptographic keys, certificates and passwords stored on the device.
-
Removing all Simpaisa-licensed software in accordance with licence agreements.
4. Penalties¶
Failure to comply with this procedure may result in:
-
Breach of regulatory obligations (including PCI DSS, GDPR and applicable data protection laws)
-
Disciplinary action up to and including termination of employment
-
Legal liability for the individual and/or Simpaisa
All employees and contractors are responsible for ensuring they follow this procedure. Any concerns or questions should be raised with the Chief Information Security Officer (CISO).