A customer of mine has failed a PCI scan, mainly due to files stored on two bookkeeping computers, which contain sensitive data like SSNs for employees, tax returns, and a small number of credit card numbers. Some of it is easy: old mailboxes, old emails, and duplicate files that can just be deleted.
Some of that data will need to be kept, though, possibly for long-term storage, but in a way that is PCI Compliant.
The credit card numbers are most likely internal, not customers - the business mainly transacts with their customers via checks, which are electronically deposited and then shredded when the accounts are reconciled.
What is the best/correct method to recommend to them for storing and accessing this data going forward that is both compliant and usable by not-very-technical bookkeeping staff?
They are a network of 10 active users in total, all running Windows 10 Pro and joined to Active Directory via Windows Small Business Server 2011, and they do have shared file access on the servers. For compliance, I'm thinking it would be best to have this data on the server, where it is assuredly backed up and permissions are stricter, but does that create a more centralized potential point of failure?
Your advice and recommendations are appreciated!
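Before deciding where the data should live, the first job is finding which files on the shares actually hold card numbers, so they can be deleted or moved out of scope before the rescan. The script below is an added example, not code from the poster; it walks an assumed share path `\\SERVER\Bookkeeping`, flags files containing Luhn-valid 13 to 19 digit numbers, and writes a report that shows only the last four digits of each match. The share path and extension list are assumptions; binary Office and PDF files are read as raw bytes and will not be parsed reliably.

```powershell
# Added example (not from the original post): find files on a share that
# contain Luhn-valid card numbers so they can be removed or relocated before
# the PCI rescan. $Root and $Ext are assumptions; adjust them to the site.
param(
    [string]$Root = '\\SERVER\Bookkeeping',          # assumed share path
    [string[]]$Ext = @('*.txt','*.csv','*.log','*.eml','*.msg','*.xls*','*.doc*')
)

function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $alt = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits.Substring($i, 1)
        if ($alt) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $alt = -not $alt
    }
    return ($sum % 10) -eq 0
}

# 13-19 digits, optionally separated by spaces or dashes; the Luhn check
# afterwards removes most false positives such as phone numbers and invoice ids.
$PanPattern = '\b(?:\d[ -]?){12,18}\d\b'

Get-ChildItem -Path $Root -Recurse -File -Include $Ext -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # Plain text, CSV and exported mail are the usual offenders and read cleanly;
    # compressed Office formats and PDFs would need a converter for reliable hits.
    $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return }
    $hits = [regex]::Matches($text, $PanPattern) |
        ForEach-Object { $_.Value -replace '[ -]', '' } |
        Where-Object { $_.Length -ge 13 -and $_.Length -le 19 -and (Test-Luhn $_) } |
        Sort-Object -Unique
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            File     = $file.FullName
            Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
            Modified = $file.LastWriteTime
            Matches  = $hits.Count
            # Only the last four digits are written to the report, never the full PAN.
            Samples  = ($hits | Select-Object -First 3 |
                        ForEach-Object { '****' + $_.Substring($_.Length - 4) }) -join ', '
        }
    }
} | Export-Csv -NoTypeInformation -Path "$env:TEMP\pan-findings.csv"
```

Run it from an account that can read the shares; the CSV in `%TEMP%` lists the file, its owner and last-modified date, which is usually enough for the bookkeepers to decide what to delete and what must be kept.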