Hi, I am new here, and althought this topic has been silent for quite a while, I thought I could add some info.
Back in 2011 or 2012, we got the requirement to PCI-DSS certify the CMOD system of a customer.
They have stored each single receipt for each store worldwide, and they keep them for 11 years (by law).
The requirement that we said yes to was to:
*export each document
* "wash it" from cc number data - i.e. we masked the required numbered of digits by replacing them with asterisks (*) //or maybe it was hash signs (#) can't remember //
* reload it back into OnDemand
NOTE: This would be categorized as option two described by AWHS above - "take CMOD out of scope".
On top of that, all POS systems in all stores had their software upgraded to automatically mask CC number data as described above.
We also require that any new data that is to be archive is "certified free from credit card numbers" - and we of course verify that before we start archiving it.
It was a tedious semi-automatic procedure, but sure enough, we processed and "cleaned" millions of report pages and receipts.
The only downside (which was pretty small) were that some stores complained that they could no longer find customer receipts by searching for CC number. So if that is an important requirement, the "aliase" method described above is probably better.
