What is the maximum period of time that cardholder data can be stored?
PCI DSS does not define minimum or maximum times for which cardholder data may be stored. PCI DSS Requirement 3.1 specifies that a data retention and disposal policy must be implemented to limit data storage to that which is necessary for legal, regulatory, and/or business purposes. It should be noted that any storage of sensitive authentication data (including full track data, card verification codes/values, and PIN block data) is prohibited after authorization per PCI DSS Requirement 3.2.
Whenever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.4 – 3.6 (electronic storage) and 9.5 – 9.8 (storage on physical media). Once cardholder data is no longer required, it must be securely deleted.
Article Number: 1318