Frequently Asked Question
What is the maximum period of time that cardholder data can be stored?
PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention and disposal policies, procedures, and processes to ensure that account data is retained only for the period necessary to meet legal, regulatory, and/or business requirements.
The only account data that may be stored after authorization includes:
- Primary account number (PAN) — if rendered unreadable
- Expiration date
- Cardholder name
- Service code
Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, or PIN blocks — must never be stored after authorization, as per Requirement 3.3. When cardholder data is stored electronically, it must be protected in line with Requirements 3.4 to 3.6, which address rendering data unreadable, securing cryptographic keys, and managing the full key lifecycle.
Stored data must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months that data exceeding retention limits has been securely removed.
